Hi, I have a PHP script that goes by the present name of verify.php. Is this placed within the HTML, or is it called within the HTML, specifically in the area of a form? I've done some searches on SitePoint and abroad and found most place it within the HTML, but I have to ask to be sure, to focus priority on the script itself.
It depends what verify.php does.
It sounds as though it verifies that a string is legal in some way, so you’d pass it a string prior to doing any computing on it.
So, given 2 php pages and a html form, here is the basic gist.
verify.php
<?php
function verify( $value ){
// implement some kind of rule - in this case the
// value must be longer than 5 chars, but it could
// do something far more serious like make sure the
// value is only valid characters
if ( strlen( $value ) > 5 ){
return true;
}
return false;
}
?>
postback.php
<?php
// include the function where you are going to need it
include 'verify.php';
if ( isset( $_POST['element'] ) ){
// tell it what to do, and then act upon
// the message it feeds back, true or false in this case
if ( verify($_POST['element']) ){
echo 'The submitted element was good, so do something with it';
} else {
echo 'The submitted element was not good, so abort';
}
}
?>
form.html
<form action = postback.php method=POST>
<input type=text name=element value="blah de blah" />
<input type = submit />
</form>
I only have one PHP script, so therefore I assume this would be added to the form. Something doesn't seem right, one of those being the element value is supposed to retrieve?
<form action = verify.php method=POST>
<input type=text name=element value="blah de blah" />
<input type = submit />
</form>
I can only do so much with guesswork. You will have to show us what verify.php contains before anyone can help you.
Oh sure.
<?php
//PHP comments use two slashes - // NOT ##
if (mysql_connect("localhost", '**********', '*********'))
{
if (mysql_select_db("*******"))
{
print 'Ok, connected';
//Make sure you change this to a field name in your form
if ($_POST['form_submitted'] == '1')
{
$activationKey = mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();
$username = mysql_real_escape_string($_POST[username]);
$password = mysql_real_escape_string($_POST[password]);
$email = mysql_real_escape_string($_POST[email]);
$sql="INSERT INTO users (username, password, email, activationkey, status)
VALUES ('$username', '$password', '$email', '$activationKey', 'verify')";
//Form submitted, user must be registering
//Do something here
}
else
{
// No value found, user must be activating their account!
}
}
else
{
die(mysql_error());
}
}
else
{
die(mysql_error());
}
echo "An email has been sent to $_POST[email] with an activation key. Please check your mail to complete registration.";
##Send activation Email
$to = $_POST[email];
$subject = " YOURWEBSITE.com Registration";
$message = "Welcome to our website!\r\rYou, or someone using your email address, has completed registration at YOURWEBSITE.com.\rYou can complete registration by clicking the following link:\rhttp://www.YOURWEBSITE.com/verify.php?$activationKey\r\rIf this is an error, ignore this email and you will be removed from our mailing list.\r\rRegards,\r YOURWEBSITE.com";
$headers = 'From: noreply@ YOURWEBSITE.com' . "\r\n" .
'Reply-To: noreply@ YOURWEBSITE.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
mail($to, $subject, $message, $headers);
} else {
##User isn't registering, check verify code and change activation code to null, status to activated on success
$queryString = $_SERVER['QUERY_STRING'];
$query = "SELECT * FROM users";
$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
if ($queryString == $row["activationkey"]){
echo "Congratulations!" . $row["username"] . " is now the proud new owner of an YOURWEBSITE.com account.";
$sql="UPDATE users SET activationkey = '', status='activated' WHERE (id = $row[id])";
if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
}
}
}
?>
I have a few concerns, one of them being SQL Injections, error checking for input data and if the user misspelled their password adding another password field and checking to see if the passwords match and finally masking the content in the password field for security. First getting the form to acknowledge the PHP script
For the sql injection part you are concerned about could you not use something like the following in your verify.php script to check the variables before you query the db:
// Escape User Input to help prevent SQL Injection
$age = mysql_real_escape_string($age);
$name = mysql_real_escape_string($name);
$wpm = mysql_real_escape_string($wpm);
Obviously change variables to suit your script.
You might want to remove your mysql connection login info from the script you posted as well.
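The concerns raised above (SQL injection, input checking, the password column, the `mt_rand()` activation key, and the activation lookup that loops over every user) can be handled together with prepared statements. This is an added example, not code from the thread: the table layout follows the posted script, while the in-memory SQLite database, the function names `register` and `activate`, and the 8-character minimum password length are assumptions made so it runs stand-alone.

```php
<?php
// Added example, not the thread's code. An in-memory SQLite database
// stands in for the MySQL server so the script runs without credentials.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
    password TEXT, email TEXT, activationkey TEXT, status TEXT)");

function register(PDO $db, string $username, string $password, string $email): ?string
{
    // Reject empty names, short passwords (assumed minimum: 8) and malformed
    // addresses before they reach the database or mail().
    if ($username === '' || strlen($password) < 8
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // 128-bit key from the CSPRNG instead of concatenated mt_rand() output.
    $key = bin2hex(random_bytes(16));
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare("INSERT INTO users (username, password, email, activationkey, status)
        VALUES (?, ?, ?, ?, 'verify')");
    // Store a salted hash, never the password itself.
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $email, $key]);
    return $key;
}

function activate(PDO $db, string $key): bool
{
    // Keys are 32 hex characters; an empty or malformed query string is refused.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $key)) {
        return false;
    }
    // Let the database find the row rather than fetching every user.
    $stmt = $db->prepare("UPDATE users SET activationkey = NULL, status = 'activated'
        WHERE activationkey = ? AND status = 'verify'");
    $stmt->execute([$key]);
    return $stmt->rowCount() === 1;
}

// Constructed sample input.
$key = register($db, 'alice', 'correct horse battery', 'alice@example.com');
var_dump(activate($db, $key));           // first use of a valid key
var_dump(activate($db, $key));           // same key presented again
var_dump(activate($db, "' OR '1'='1"));  // malformed key, stopped by the format check
var_dump(register($db, 'bob', 'long enough pw', "bob@example.com\r\nBcc: x@example.com"));
```

On a real server the same calls work against MySQL by changing the PDO connection string, with the credentials kept out of the script itself.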
Oh crap my SQL Login info, great. I can’t even remove it, arrrgh site point.
Before I enter that into my script, how do I get it working with the form ?
So your file verify.php actually does quite a lot of things.
connects to database, then
if a user is registering:
    inserts data into your database
    maybe echoes some validation/errors
    sends an email
else a user is not registering
    check something in your database
    change something in your database
    echo a message
and your original question was “How do I use this?” “Where does it get used?”.
As things stand verify.php is a “destination”, it contains things that have to be shown to the user in the way of a webpage but those things are not yet dressed up as a webpage, just text messages.
As such it should be the “action” of your html form, verify what was sent, save it and cough out messages.
Are you asking for ways of improving it?
Change your passwords on your live server now
How do I get it working with the form so it sends out the verification email that is my first step ?
You create a form with inputs whose names match what the script is expecting.
$_POST[username]
Hence:
<input type=text name=username />
much like the form you have in post #3
By the way that POST var should be written $_POST['username'] <- notice the quotes
I honestly find that code utterly horrible - I am not going to look at it any longer.
My advice is that you rewrite it piece by piece until you understand what each part does - and do so on here so that someone can guide you through all of the security issues you are going to face.
If you have not understood how a HTML form relates to PHP, then a good place to start would be with a really basic html to PHP tutorial.
This looks suitable. PHP form - tutorial and articles on creating PHP forms
Create some forms which POST values to a script which simply does:
<?php
var_dump( $_POST );
?>
And have a good look at what is happening, see how you get on with that, then post here what YOU think the html form should consist of.
I honestly find that code utterly horrible - I am not going to look at it any longer.
You just said the script does a lot of things, now you don't like the script !?!?!?
<form action = postback.php method=POST>
<input type=text name=element value="blah de blah" />
<input type = submit />
</form>
What I'd like to understand is the value="" and what is placed there. Is a client-side script called within this value? Did you just place postback.php as a fill-in?
He said he doesn’t like it because on some parts you take the long way around versus the straight route.
Can you rephrase the last part?
He said he doesn’t like it because on some parts you take the long way around versus the straight route.
Oh, well to each his own, I suppose !
The HTML code in post #11 has a blank value="" property. What must be in that value?
In the form action=, cups placed a script name called postback.php. Was this just a fill-in script name to substitute the real script name, or must a script called postback.php be created? I never created a postback.php; verify.php, yes, but not postback.php.
Please read the link cup gave, it explains this… Also the code he gave was a sample- like a workflow. If you don’t understand that, maybe read http://www.tizag.com/phpT/
Alright, I’ll read the page first.
Hi, I read the two pages presented in this thread. I doubt that form is calling the PHP file by simply inserting the following code in the HTML which is all that was done in the tutorial.
<form action="verify.php" method="post">
There are three issues regarding the PHP. I would like to know if the above is all that is required or I’m missing something ?
Create a new folder in your docroot on your server.
Create 2 files, test.html and verify.php containing just the code below.
verify.php
<?php
// $_POST always exists, even on a GET request, so test whether it holds data
if( !empty( $_POST ) ){
var_dump($_POST);
}
else{
echo 'You failed to post to the form handler ...';
}
?>
<hr />
<a href="test.html">return to form</a>
test.html
<form action = "verify.php" method="POST">
<input type="text" name="element" value="blah de blah" />
<input type = "submit" />
</form>
Now, apply what you have learned from those tutorials posted and change test.html until you have a form which passes all of these variables to your verify.php page
username
password
email
And the reason to do that when I have a working form for the site is… to learn that is all well and good but at this stage I want to get the form that I have on the site to connect with the PHP by the name of verify.php. I did the correcting in the form, but something doesn’t add up, I’m not going to start from scratch the form on a site that is already in progress that is foolish.
Hi, I read the two pages presented in this thread. I doubt that form is calling the PHP file by simply inserting the following code in the HTML which is all that was done in the tutorial.
Well, foolish as it may sound, it is as simple as that.
The first thing to do is to make a form which posts 3 values to a spoof verify.php and check if you have done it correctly.
Once you have done that correctly you can post the values to your REAL verify.php - what results from that operation may not be exactly what you want or expect to happen in the first instance, but you will have taken the first step, and someone else will be able to help you onto the next step.
The first thing to do is to make a form which posts 3 values to a spoof verify.php and check if you have done it correctly.
That I have done, here;
array(1) { ["element"]=> string(12) "blah de blah" }