  1. #1
    SitePoint Member (Join Date: May 2009; Posts: 24)

    Trying to send php form to Email, Database and post to a page

    Hi, so I'm trying to create a camp registration form. This code is just for a test form until I can get it right. I have it to where it will send to the database and send to email, but now I am trying to get it to post the information on the confirmation page so the person registering can print it out for themselves. I found some code and tried piecing it in there, but it now just goes to a blank screen instead of the confirmation message that I have there. The confirmation message was showing up fine until I tried piecing in the code to echo the data.

    Anyone know what I need to do? Also, are there security issues with the code I'm using?

    Thanks!
    PHP Code:
    <html>
    <head>
    <title>Registration complete</title>
    </head>

    <body>
    <?php
    $con = mysqli_connect("localhost","username","password","database");
    // Check connection
    if (mysqli_connect_errno())
      {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
      }

    $sql="INSERT INTO camp_registration (first_name, last_name, sex, state)
    VALUES
    ('$_POST[first_name]','$_POST[last_name]','$_POST[sex]','$_POST[state]')";

    if (!mysqli_query($con,$sql))
      {
      die('Error: ' . mysqli_error($con));
      }
    echo "Your registration form has been submitted. Please click the Paypal button below to pay your camp fees.";

    mysqli_close($con);

    //Pieced in code for echoing entered data back onto page

    if(array_key_exists("Submit", $_POST)){

        // loop through post data for form
        foreach($_POST as $key => $value){

            if(is_array($value)){

                foreach($value as $key2 => $value2){

                    echo $key." = ".$value2."<br/>";
                }

            } else {

                echo $key." = ".$value."<br/>";
            }
        }

         echo "<i>Submitted!</i>";

    } else {

    // Build the email (replace the address in the $to section with your own)

      $first_name = $_POST['first_name'];
      $email = $_POST['email'];
      $message = $_POST['message'];
      $last_name = $_POST['last_name'];
      $sex = $_POST['sex'];
      $state = $_POST['state'];

        $email_from = 'my@email.com';

        $email_subject = "New Camp Registration for $first_name $last_name";

        $email_body = "You have received a new camp registration from the user $first_name.\n".
                                "\n First Name: $first_name \n Last Name: $last_name \n Sex: $sex \n State: $state \n";

    // Returns true if the value contains line breaks (raw or URL-encoded),
    // which is what an attacker needs to add extra mail headers
    function IsInjected($str)
    {
        $injections = array('(\n+)',
               '(\r+)',
               '(\t+)',
               '(%0A+)',
               '(%0D+)',
               '(%08+)',
               '(%09+)'
               );

        $inject = join('|', $injections);
        $inject = "/$inject/i";

        if(preg_match($inject,$str))
        {
          return true;
        }
        else
        {
          return false;
        }
    }

    // The check has to run BEFORE mail(); once the message is sent the
    // tainted Reply-To header is already out the door
    if(IsInjected($email))
    {
        echo "Bad email value!";
        exit;
    }

    // Send the mail using PHP's mail() function

      $to = "hallartistry@higherfocusart.com";

      $headers = "From: $email_from \r\n";

      $headers .= "Reply-To: $email \r\n";

      mail($to,$email_subject,$email_body,$headers);

    } // closes the else block opened above (this brace was missing)

    ?>
    </body>
    </html>

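    Added example (not code from the post above): the `Reply-To` header in the form is built straight from a form field, and the `IsInjected()` test only runs after `mail()` has sent the message. This version rejects the address before any header exists, using `filter_var()` for the format and an explicit check for raw or percent-encoded line breaks. The field names, the sender address and the sample inputs are constructed for the example.

```php
<?php
// Added example: validate the reply-to address before any mail header is built.
// The inputs below are constructed test values; the field names are assumptions.

/**
 * Return a header-safe e-mail address, or null if the value must be rejected.
 * Refusing CR, LF, TAB and their percent-encoded forms, plus anything
 * filter_var() will not accept as a single address, stops a submitted value
 * from smuggling in extra headers such as "Bcc:" or further recipients.
 */
function safeReplyTo(string $raw): ?string
{
    $candidate = trim($raw);
    if (preg_match('/[\r\n\t]|%0[aAdD]|%09/', $candidate)) {
        return null;
    }
    $valid = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Build the header string the same way the original form does, but only from
 * a value that passed safeReplyTo(). Returns null when the address is unsafe,
 * so the caller can refuse to send rather than sending first and checking later.
 */
function buildHeaders(string $from, string $replyToRaw): ?string
{
    $replyTo = safeReplyTo($replyToRaw);
    if ($replyTo === null) {
        return null;
    }
    return "From: $from\r\n" . "Reply-To: $replyTo\r\n";
}

// Constructed inputs: one honest address and two header-injection attempts.
$samples = [
    'melissa@example.com',
    "melissa@example.com\r\nBcc: everyone@example.net",
    'melissa@example.com%0ABcc:%20everyone@example.net',
];

foreach ($samples as $sample) {
    $headers = buildHeaders('my@email.com', $sample);
    printf("%-60s => %s\n", json_encode($sample), $headers === null ? 'REJECTED' : 'ok');
}

// In the real handler, send only when headers were built:
// if ($headers !== null) { mail($to, $email_subject, $email_body, $headers); }
```

    With these inputs only the first sample produces a header string; the two injection attempts are rejected by the line-break check before `filter_var()` is even consulted, so `mail()` is never called with a tainted `Reply-To`.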
  2. #2
    guido2004 (From Italy with love; Join Date: Sep 2004; Posts: 9,412)
    1) You are using user input (the form values in the $_POST array) in a query without sanitizing them, so yes, there is a risk of sql injection.

    2) If your foreach loop doesn't output anything, you might want to check if you ever enter that loop. Are you sure you have a 'Submit' in your $_POST array? Do a var_dump($_POST); to check its contents.

  3. #3
    SitePoint Member (Join Date: May 2009; Posts: 24)
    Quote Originally Posted by guido2004:
    1) You are using user input (the form values in the $_POST array) in a query without sanitizing them, so yes, there is a risk of sql injection.

    2) If your foreach loop doesn't output anything, you might want to check if you ever enter that loop. Are you sure you have a 'Submit' in your $_POST array? Do a var_dump($_POST); to check its contents.
    Thank you. I have worked around PHP for quite some time, but haven't really dug into it until now, so I am pretty new at this. I thought that I had some sanitizing code in there, but maybe that is only for the sending to email part? Does each section need its own sanitize code or just the sql part?

    2) I played around with the code last night and got it to somewhat work by taking out the very first line and the else at the end:
    PHP Code:
        // loop through post data for form
        foreach($_POST as $key => $value){

            if(is_array($value)){

                foreach($value as $key2 => $value2){

                    echo $key." = ".$value2."<br/>";
                }

            } else {

                echo $key." = ".$value."<br/>";
            }
        }

         echo "<i>Submitted!</i>";

    That showed me the data when I submitted, but pulled up more than I wanted (BodyTag, fa, submit) and shows Last Name as last_name, etc...:
    Code:
    first_name = Melissa
    last_name = Hall
    email = email@email.com
    sex = female
    state = idaho
    BodyTag =
    fa = sendmail
    submit = Submit
    Submitted!Your registration form has been submitted. Please click the Paypal button below to pay your camp fees.
    So I'm wondering, would it be better to use some coding where I actually have to echo each thing separately instead of trying to get it to do the whole thing at once without me having to enter all of the form fields (there are going to be quite a few fields). Or is there a way to make this work and make it look nicer?

    Thanks again!

  4. #4
    SitePoint Member (Join Date: May 2009; Posts: 24)
    Okay, I got it to work. Instead of what I had before as far as the echo, I found this and of course it is pretty simple I think this will give me more control over the way it looks when it outputs on the page anyway:
    PHP Code:
    echo 'First Name: ' . htmlspecialchars($_POST["first_name"]) . ' ';

    echo '<br>Last Name: ' . htmlspecialchars($_POST["last_name"]) . '';
    This is fine right? It works, but I want to make sure this is the right way to go about it.

    Thanks!

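    Added example (not code from the posts above): a confirmation page that prints only the fields you expect, with your own labels, and escapes every value with `htmlspecialchars()` using `ENT_QUOTES` so that a value containing `<`, `"` or `'` is rendered as text rather than markup. The field list and labels are assumptions based on the form fields shown in this thread, and `$_POST` is replaced by a constructed array so the script runs from the command line; the unwanted keys from post #3 (`BodyTag`, `fa`, `submit`) are included to show they are dropped.

```php
<?php
// Added example: whitelist the fields to display and HTML-escape every value.
// REGISTRATION_FIELDS and the $submission array are assumptions for this demo.

/** Form field name => label shown on the confirmation page (assumed list). */
const REGISTRATION_FIELDS = [
    'first_name' => 'First Name',
    'last_name'  => 'Last Name',
    'email'      => 'Email',
    'sex'        => 'Sex',
    'state'      => 'State',
];

/** Escape a string for safe insertion into HTML text or a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the confirmation table from the submitted values.
 * Keys that are not in REGISTRATION_FIELDS (submit buttons, hidden fields such
 * as "fa") are ignored, so nothing the visitor did not fill in is echoed back.
 */
function renderConfirmation(array $post): string
{
    $rows = [];
    foreach (REGISTRATION_FIELDS as $field => $label) {
        $value = $post[$field] ?? '';              // missing field shows as blank
        if (is_array($value)) {                    // e.g. a multi-select field
            $value = implode(', ', array_map('strval', $value));
        }
        $rows[] = sprintf('<tr><th>%s</th><td>%s</td></tr>', h($label), h((string) $value));
    }
    return "<table>\n" . implode("\n", $rows) . "\n</table>";
}

// Constructed submission: the same keys as the output in post #3, plus a
// hostile last_name to show that the value is neutralised, not interpreted.
$submission = [
    'first_name' => 'Melissa',
    'last_name'  => '<script>alert(1)</script>',
    'email'      => 'email@email.com',
    'sex'        => 'female',
    'state'      => 'idaho',
    'BodyTag'    => '',
    'fa'         => 'sendmail',
    'submit'     => 'Submit',
];

echo renderConfirmation($submission), "\n";
```

    In the live page, pass `$_POST` instead of `$submission`; adding a field later means adding one entry to `REGISTRATION_FIELDS`, not another `echo` line.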
  5. #5
    guido2004 (From Italy with love; Join Date: Sep 2004; Posts: 9,412)
    That looks fine.

    About the sql injection problem, please do a search in this forum (or google) on sql injection, mysqli and bound parameters, and you'll find a lot of interesting stuff to read.

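    Added example (not code from the thread): the `INSERT` from post #1 rewritten with a mysqli prepared statement and bound parameters, which is the fix guido2004 points to. The connection details are placeholders, the table and column names are the ones used in the thread, and the list of accepted `sex` values and the sample submission are assumptions. It needs a reachable MySQL server with that table to actually run.

```php
<?php
// Added example: parameterised INSERT for the camp_registration table.
// Connection values are placeholders; the accepted sex values are an assumption.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions instead of die()

/**
 * Insert one registration and return its auto-increment id.
 * The SQL text contains only placeholders, so the submitted values travel to the
 * server as data and cannot change the statement, whatever quotes they contain.
 */
function insertRegistration(mysqli $con, array $post): int
{
    $allowedSex = ['female', 'male'];                       // assumption: the form's options
    $first = trim((string) ($post['first_name'] ?? ''));
    $last  = trim((string) ($post['last_name'] ?? ''));
    $sex   = (string) ($post['sex'] ?? '');
    $state = trim((string) ($post['state'] ?? ''));

    // Validation is a separate concern from injection: the binding below makes the
    // query safe on its own; these checks keep the stored data sensible.
    if ($first === '' || $last === '' || !in_array($sex, $allowedSex, true)) {
        throw new InvalidArgumentException('missing or invalid registration field');
    }

    $stmt = $con->prepare(
        'INSERT INTO camp_registration (first_name, last_name, sex, state) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $first, $last, $sex, $state);
    $stmt->execute();
    $id = (int) $con->insert_id;
    $stmt->close();
    return $id;
}

// Constructed submission. The apostrophe in last_name would have broken the
// string-concatenated query from post #1 (and is the foothold for injecting
// SQL there); with bound parameters it is simply stored as part of the name.
$submission = [
    'first_name' => 'Melissa',
    'last_name'  => "O'Hall",
    'sex'        => 'female',
    'state'      => 'idaho',
];

try {
    $con = new mysqli('localhost', 'username', 'password', 'database'); // placeholders
    $con->set_charset('utf8mb4');
    $id = insertRegistration($con, $submission);
    echo "Stored registration #$id\n";
    $con->close();
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo mysqli_error() to the visitor,
    // as the original die('Error: ' . mysqli_error($con)) does.
    error_log('registration insert failed: ' . $e->getMessage());
    echo "Sorry, your registration could not be saved.\n";
}
```

    The same `prepare()`/`bind_param()` pattern applies to every query that takes form input, so the answer to the question in post #3 is that the database part needs this treatment regardless of what checks the email part has.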
