  1. #1 SitePoint Member (Join Date: Sep 2011; Posts: 14)

    Would this newsletter form be secure?

    Hi Everyone,

    I am trying to make a sign-up form for my website so I can send newsletters out. I have been testing it on WAMP and it works OK; however, I am worried that it will be open to hackers/security problems.

    Also, how can I include my MySQL password and username from a different file (assuming this is necessary)? I tried making a connection.php and including it with <?php include ("connection.php") ?> but couldn't get it to work.

    Any advice would be appreciated.

    PHP Code:
    <?php
    $email = '';                                   // so the check below is defined on a plain GET

    if (isset($_POST['submit'])) {
        $email = $_POST['email'];

        if (empty($email)) {
            echo 'Please fill out all of the email information.<br />';
        }
    }

    if (!empty($email)) {
        $dbc = mysqli_connect('localhost', 'username', 'password', 'newsletter')
            or die('Error connecting to MySQL server.');

        // $email is spliced straight into the SQL string, with no escaping or binding
        $query = "INSERT INTO emails (email) VALUES ('$email')";

        mysqli_query($dbc, $query)
            or die('Data not inserted.');

        echo '<span class="echo-msg">Your email has been added.</span>';

        mysqli_close($dbc);
    }
    ?>
    HTML Code:
    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
        <input type="text" id="email" name="email" placeholder="Your email address here" />
        <input type="image" id="submit" src="images/submit_button.png" name="submit" />
    </form>

  2. #2 felgall (Programming Since 1978; Join Date: Sep 2005; Location: Sydney, NSW, Australia; Posts: 16,789)
    That code would allow a spambot to add every imaginable email address and billions of garbage text strings to your database before having to compete for resources with the next spambot that tries to do the same thing.

    Also, the include statement doesn't need to be wrapped in its own <?php ?> tag; just place it in the code above where you use those values, inside the tag you already have.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog

  3. #3 SitePoint Member (Join Date: Sep 2011; Posts: 14)
    Hi Felgall,

    Thanks for the response. I just realised that any string can be added without actually needing to be an email, so I need to add a condition that checks for an @ symbol?

    Also, I need some kind of verification like Captcha?

    So I have the connection.php which contains...
    PHP Code:
    <?php
    function MyConnection()
    {
        $dbc = mysqli_connect('localhost', 'username', 'password', 'newsletter')
            or die('Error connecting to MySQL server.');

        return $dbc;   // hand the handle back so $dbc = MyConnection() actually receives it
    }
    ?>
    and then before the form I have...

    PHP Code:
    <?php
    $email = '';

    if (isset($_POST['submit'])) {
        $email = $_POST['email'];

        if (empty($email)) {
            echo 'Please fill out all of the email information.<br />';
        }
    }

    if (!empty($email)) {
        include ("connection.php");   // resolved relative to this script's folder (and include_path)

        $dbc = MyConnection();

        // $email still goes into the SQL string unescaped
        $query = "INSERT INTO emails (email) VALUES ('$email')";

        mysqli_query($dbc, $query)
            or die('Data not inserted.');

        echo '<span class="echo-msg">Your email has been added.</span>';

        mysqli_close($dbc);
    }
    ?>
    But it still doesn't work like this; I get this error: "Fatal error: Call to undefined function MyConnection() in E:\Program Files\wamp\www\index.php on line 81"

    Any ideas?



    Thanks,
    Liz.

  4. #4 felgall (Programming Since 1978; Join Date: Sep 2005; Location: Sydney, NSW, Australia; Posts: 16,789)
    Since you are using PHP, you can validate that it is an email address using the email validate filter; that way it can do proper email address validation instead of allowing a@b@c@d@e and other similar nonsense that contains an @. See http://au2.php.net/manual/en/filter....s.validate.php

    Are you sure that the MyConnection function is defined inside connection.php and that connection.php is in the same folder as the script you are including it in?

  5. #5 SitePoint Member (Join Date: Sep 2011; Posts: 14)
    OK, thanks. I added filter_verification_email and also got the external connection to work (yes, it was in the wrong folder).

    Just want to double-check that all looks OK.
    Also, how do I stop people from navigating to my connection.php to retrieve the database password etc.?

    Thanks a lot for the help.

    PHP Code:
    <?php
    $email = '';

    if (isset($_POST['submit'])) {
        $email = $_POST['email'];

        if (empty($email)) {
            echo 'Please fill out all of the email information.<br />';
        }
    }

    if (!empty($email)) {
        if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
            include ("library/config/connection.php");   // defines $dbc

            // the validated address is still spliced into the SQL string unescaped
            $query = "INSERT INTO emails (email) VALUES ('$email')";

            mysqli_query($dbc, $query)
                or die('Data not inserted.');

            echo '<span class="echo-msg">Your email has been added.</span>';

            mysqli_close($dbc);
        } else {
            echo '<span class="echo-msg">Please enter a valid email address.</span>';
        }
    }
    ?>
    In the connection file ...

    PHP Code:
    <?php
    $dbc = mysqli_connect('localhost', 'username', 'password', 'newsletter')
        or die('Error connecting to MySQL server.');
    ?>
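The script in the post above now validates the address but still splices it into the INSERT, and the validation is not a substitute for escaping: FILTER_VALIDATE_EMAIL accepts a single quote in the local part because ' is a legal character there, so an address such as o'brien@example.com passes the filter and breaks the quoted string in the query, and a less friendly input turns that into SQL injection. What follows is an added example, not code from the thread, showing the same form handled with a mysqli prepared statement so the address is bound as a parameter instead of becoming part of the SQL text. It assumes PHP 7.1 or later, a reachable MySQL server with the thread's newsletter database and emails (email) table, the thread's library/config/connection.php defining $dbc, and (for the duplicate branch only) a UNIQUE index on emails.email; the validate_email() and subscribe() function names are this example's own.

```php
<?php
// Added example, not from the thread: the signup handler with validation and a
// prepared statement. Assumes MySQL is reachable, the `newsletter` database and
// `emails (email)` table exist, and library/config/connection.php defines $dbc.
declare(strict_types=1);

// Make every mysqli failure throw mysqli_sql_exception, on every PHP version,
// instead of relying on return values and "or die(...)".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Trim and validate an address; returns the cleaned address or null.
function validate_email(string $raw): ?string
{
    $email = trim($raw);
    if ($email === '' || strlen($email) > 254) {   // 254 is the practical maximum length
        return null;
    }
    // Rejects a@b@c@d@e, but accepts o'brien@example.com: the quote is legal
    // in the local part, so passing this filter does not make $email SQL-safe.
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

// Insert through a prepared statement: the address travels as a bound
// parameter and never becomes part of the SQL text.
// Returns one of 'added', 'duplicate' or 'error'.
function subscribe(mysqli $dbc, string $email): string
{
    // The thread's vulnerable form, for contrast (do not use):
    //   mysqli_query($dbc, "INSERT INTO emails (email) VALUES ('$email')");
    try {
        $stmt = $dbc->prepare('INSERT INTO emails (email) VALUES (?)');
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->close();
        return 'added';
    } catch (mysqli_sql_exception $e) {
        // 1062 = ER_DUP_ENTRY; raised only if emails.email has a UNIQUE index (assumed)
        if ($e->getCode() === 1062) {
            return 'duplicate';
        }
        error_log('newsletter insert failed: ' . $e->getMessage()); // detail to the log, not the visitor
        return 'error';
    }
}

$messages = [
    'added'     => 'Your email has been added.',
    'duplicate' => 'That address is already on the list.',
    'error'     => 'Sorry, your address could not be saved. Please try again later.',
];
$message = '';

// Test the request method rather than $_POST['submit']: an <input type="image">
// submits the click coordinates as submit_x and submit_y, so a plain 'submit'
// key is not a reliable signal that the form was posted.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email = validate_email((string)($_POST['email'] ?? ''));
    if ($email === null) {
        $message = 'Please enter a valid email address.';
    } else {
        try {
            require __DIR__ . '/library/config/connection.php';   // thread's file, defines $dbc
            $message = $messages[subscribe($dbc, $email)];
            $dbc->close();
        } catch (mysqli_sql_exception $e) {
            error_log('newsletter connect failed: ' . $e->getMessage());
            $message = $messages['error'];
        }
    }
}

if ($message !== '') {
    // Escape on output so nothing echoed here can carry markup into the page.
    echo '<span class="echo-msg">' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</span>';
}
?>
<!-- action="" posts back to this URL without echoing $_SERVER['PHP_SELF'],
     which reflects the request path into the page unescaped -->
<form action="" method="post">
    <input type="email" id="email" name="email" placeholder="Your email address here" />
    <input type="image" id="submit" src="images/submit_button.png" name="submit" alt="Subscribe" />
</form>
```

The prepared statement answers the injection problem only; it does nothing about the spambot that felgall described in post #2, which will happily post well-formed addresses all day. That needs a measure outside this script, such as a confirmation email with a random token before the address is treated as subscribed, or rate limiting at the web server.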

  6. #6 Immerse, SitePoint Wizard (Join Date: Mar 2006; Location: Netherlands; Posts: 1,661)
    People won't be able to read the password, as the PHP is executed before anything is output to the browser.
    So if they try to open /library/config/connection.php, they'll just see a blank page (or an error message if the connection couldn't be made).
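The reply above holds only while the PHP handler is doing its job. If mod_php or PHP-FPM is disabled or misconfigured for that directory, or an editor leaves a connection.php~ or connection.php.bak beside the file, Apache serves the credentials as plain text. The reliable fix is to keep the file outside the document root, where no URL maps to it, and to have the application check that at start-up. The following is an added example rather than code from the thread; it assumes a layout with the document root at site/public and the credentials in site/config/db.php (a PHP file that returns an array), and the is_inside(), load_db_config() and connect() names are its own.

```php
<?php
// Added example, not from the thread: load database credentials from a file
// that lives outside the document root and refuse to start otherwise.
//
// Assumed (hypothetical) layout:
//   site/public/index.php   <- DOCUMENT_ROOT points at site/public
//   site/config/db.php      <- <?php return ['host' => 'localhost', 'user' => 'username',
//                                            'pass' => 'password', 'name' => 'newsletter'];
declare(strict_types=1);

// True when $path resolves to $root or to something underneath it.
function is_inside(string $path, string $root): bool
{
    $real = realpath($path);
    $rootReal = realpath($root);
    if ($real === false || $rootReal === false) {
        return false;   // unresolvable document root: nothing to compare against
    }
    $rootReal = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Compare with trailing separators so /var/www/public does not match /var/www/public2.
    return strncmp($real . DIRECTORY_SEPARATOR, $rootReal, strlen($rootReal)) === 0;
}

// Read the credentials array, checking first that the file cannot be fetched over HTTP.
function load_db_config(string $file, string $docroot): array
{
    if (!is_file($file)) {
        throw new RuntimeException('database config not found: ' . $file);
    }
    if (is_inside($file, $docroot)) {
        throw new RuntimeException('refusing to load ' . $file . ': it is inside the document root');
    }
    $cfg = require $file;
    if (!is_array($cfg)) {
        throw new RuntimeException('database config must return an array');
    }
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException('database config is missing key: ' . $key);
        }
    }
    return $cfg;
}

// Open the connection; with strict reporting a bad password throws instead of
// printing a message, so the caller logs the exception and shows a generic page.
function connect(array $cfg): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
}

// From site/public/index.php: dirname(__DIR__) is the directory above the document root.
$docroot = $_SERVER['DOCUMENT_ROOT'] ?? __DIR__;
$dbc = connect(load_db_config(dirname(__DIR__) . '/config/db.php', $docroot));
```

Where the host gives you nothing above the document root, an Apache 2.4 `<Files "connection.php">Require all denied</Files>` block in the vhost or .htaccess refuses direct requests for that one name, but it does not cover backup copies and disappears if the rule is ever lost, so treat it as a second line rather than the first. Either way, restrict the file's permissions so only the web server's user or group can read it.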

  7. #7 SitePoint Member (Join Date: Sep 2011; Posts: 14)
    Great. Thanks a lot, Immerse.

