Having contact form email and get stored in database

laflair13 · August 22, 2011, 1:10pm

Basically what I am looking for is a way to have my contact form not only be sent to an email but also sent to be stored in a database.

Can this be done or can it only be one or the other?

Here is what my contact.php looks like as of right now.

<?php
// Pick up the form data and assign it to variables
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$phone = $_POST['phone'];
$email = $_POST['email'];
$city = $_POST['city'];
$state = $_POST['state'];
$hear_about = $_POST['hear_about'];
$inquiry = $_POST['inquiry'];
$address = $_POST['address'];
$message = $_POST['message'];

// Build the email (replace the address in the $to section with your own)
$to = 'dlaflair01@gmail.com';
$subject = "Submission from IPS Website: $topic";
$message = "$name Name: $first_name  $last_name\
Phone: $phone\
Email: $email\
From: $address $city, $state\
Heard from: $hear_about\
Inquiring for: $inquiry\
Message:  $message";
$headers = "From: $email";

// Send the mail using PHPs mail() function
mail($to, $subject, $message, $headers);

// Redirect
header("Location: success.html");

?>

Any help would be appreciated.

DarthGuido · August 22, 2011, 1:12pm

You can do both. Add the code that will save the contact form data in the database before the redirect.

laflair13 · August 22, 2011, 1:22pm

Would it be something like this?

mysql_connect("localhost", "data_username", "password") or die ('Error: ' .mysql_error());
mysql_select_db ("data_basename");

$query= "INSERT INTO TestTable (ID, first_name, last_name, phone, email, city, state, hear_about, inquiry, address, message) VALUES ('NULL', '".first_name."', '".last_name."', '".phone."', '".email."', '".city."', '".state."', '".hear_about."', '".inquiry."', '".address."', '".message."')";

Sorry for dumb questions but this is my first attempt at php

DarthGuido · August 22, 2011, 1:50pm

Yes, something like that. Don’t forget to sanitize the user input with mysql_real_escape_string() before using them in the query.

laflair13 · August 22, 2011, 2:01pm

Well here is what I came up with but it is not putting the submission in the database.

<?php
// Pick up the form data and assign it to variables
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$phone = $_POST['phone'];
$email = $_POST['email'];
$city = $_POST['city'];
$state = $_POST['state'];
$hear_about = $_POST['hear_about'];
$inquiry = $_POST['inquiry'];
$address = $_POST['address'];
$message = $_POST['message'];

// Build the email (replace the address in the $to section with your own)
$to = 'dlaflair01@gmail.com';
$subject = "Submission from IPS Website: $topic";
$message = "$name Name: $first_name  $last_name\
Phone: $phone\
Email: $email\
From: $address $city, $state\
Heard from: $hear_about\
Inquiring for: $inquiry\
Message:  $message";
$headers = "From: $email";

// Send the mail using PHPs mail() function
mail($to, $subject, $message, $headers);

mysql_connect("localhost", "mysafest_admin", "password") or die ('Error: ' .mysql_error());
mysql_select_db ("mysafest_databasename");

$query= "INSERT INTO Contact (ID, first_name, last_name, phone, email, city, state, hear_about, inquiry, address, message) VALUES ('NULL', '".first_name."', '".last_name."', '".phone."', '".email."', '".city."', '".state."', '".hear_about."', '".inquiry."', '".address."', '".message."')";

// Redirect
header("Location: success.html");

?>

Any reason why its not collecting the info?

DarthGuido · August 22, 2011, 2:16pm

You’re not executing the query: PHP: mysql_query - Manual

DeNasio · August 22, 2011, 4:37pm

Also, there are no $ in front of the variables in the INSERT query.

laflair13 · August 22, 2011, 4:48pm

Im confused by that one.

Are you saying I am missing a $ or I need one somewhere?

Looks like I needed to add it … Like this

$query= "INSERT INTO contactTable (ID, first_name, last_name, phone, email, city, state, hear_about, inquiry, address, message) VALUES ('NULL', '".$first_name."', '".$last_name."', '".$phone."', '".$email."', '".$city."', '".$state."', '".$hear_about."', '".$inquiry."', '".$address."', '".$message."')";

Here is what I have

mysql_connect("localhost", "mysafest_admin", "oliver467") or die ('Error: ' .mysql_error());
mysql_select_db ("mysafest_contact");

$query= "INSERT INTO contactTable (ID, first_name, last_name, phone, email, city, state, hear_about, inquiry, address, message) VALUES ('NULL', '".$first_name."', '".$last_name."', '".$phone."', '".$email."', '".$city."', '".$state."', '".$hear_about."', '".$inquiry."', '".$address."', '".$message."')";

mysql_query($query) or die ('Error updating database');

DeNasio · August 22, 2011, 5:00pm

Something like that yeah. Still doesn’t work? What error message do you get? Or what do you see in the database?

laflair13 · August 22, 2011, 5:08pm

Nothing in the database, and it is taking me to a page with “Error updating database”

cranial_bore · August 22, 2011, 10:23pm

Your script is highly vulnerable to both email header injection and SQL injection.

The former will let a bot use your form to spam a list of recipients they supply and the later will let an attacker destroy data in your database.

Don’t use values from $_POST as though they can be trusted. $_POST[‘email’] ends up in your email headers unfilitered, and you’re not escaping or validating any of the values that build the SQL query.

DarthGuido · August 23, 2011, 6:35am

When you’re debugging, that kind of generic error message isn’t very useful, is it?
Try with

mysql_query($query) or die ('Error updating database ' . mysql_error() . ' in query ' . $query);

And don’t forget to sanitize user input before using it in the query like I said before (see post #4).

And like cranial-bore says, also sanitize the user input to prevent email header injection.

laflair13 · August 23, 2011, 11:45am

Is there any kind of tutorial that will show me the correct way to do this?

This is my first attempt at coding a form myself. I usually create them using a form maker.

laflair13 · August 23, 2011, 1:46pm

I got it working with another tutorial using different php layout.

Heres what I used.

// contact to database

$connect = mysql_connect("localhost", "mysafest_admin", "MyPass") or die ("Error , check your server connection.");

mysql_select_db("mysafest_DBName");

 

//Get data in local variable

$v_first_name=$_POST['first_name'];
$v_last_name=$_POST['last_name'];
$v_phone=$_POST['phone'];
$v_email=$_POST['email'];
$v_city=$_POST['city'];
$v_state=$_POST['state'];
$v_hear_about=$_POST['hear_about'];
$v_inquiry=$_POST['inquiry'];
$v_address=$_POST['address'];
$v_message=$_POST['message'];
 

// check for null values

if ($v_email==""  or $v_message=="")

echo "All fields must be entered, hit back button and re-enter information";

else{

$query="insert into contact(first_name, last_name, phone, email, city, state, hear_about, inquiry, address, message) values('$v_first_name','$v_last_name','$v_phone','$v_email','$v_city','$v_state','$v_hear_about','$v_inquiry','$v_address','$v_message')";

mysql_query($query)  or die(mysql_error());


}

Does this one still have the security issues?

DarthGuido · August 23, 2011, 2:10pm

Yes. You are still using the user input ($_POST) without any validation and without sanitizing it before use in the query.

Did you take a look at mysql_real_escape_string() ?