Having contact form email and get stored in database

Basically what I am looking for is a way to have my contact form not only be sent to an email but also sent to be stored in a database.

Can this be done or can it only be one or the other?

Here is what my contact.php looks like as of right now.

<?php
// Pick up the form data and assign it to variables
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$phone = $_POST['phone'];
$email = $_POST['email'];
$city = $_POST['city'];
$state = $_POST['state'];
$hear_about = $_POST['hear_about'];
$inquiry = $_POST['inquiry'];
$address = $_POST['address'];
$message = $_POST['message'];

// Build the email (replace the address in the $to section with your own)
$to = 'dlaflair01@gmail.com';
$subject = "Submission from IPS Website: $topic";
$message = "$name Name: $first_name  $last_name\nPhone: $phone\nEmail: $email\nFrom: $address $city, $state\nHeard from: $hear_about\nInquiring for: $inquiry\nMessage:  $message";
$headers = "From: $email";

// Send the mail using PHPs mail() function
mail($to, $subject, $message, $headers);

// Redirect
header("Location: success.html");

?>

Any help would be appreciated.

You can do both. Add the code that will save the contact form data in the database before the redirect.

Would it be something like this?

mysql_connect("localhost", "data_username", "password") or die ('Error: ' .mysql_error());
mysql_select_db ("data_basename");

$query= "INSERT INTO TestTable (ID, first_name, last_name, phone, email, city, state, hear_about, inquiry, address, message) VALUES ('NULL', '".first_name."', '".last_name."', '".phone."', '".email."', '".city."', '".state."', '".hear_about."', '".inquiry."', '".address."', '".message."')";

Sorry for dumb questions but this is my first attempt at php

Yes, something like that. Don’t forget to sanitize the user input with mysql_real_escape_string() before using them in the query.

Well here is what I came up with but it is not putting the submission in the database.

<?php
// Pick up the form data and assign it to variables
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$phone = $_POST['phone'];
$email = $_POST['email'];
$city = $_POST['city'];
$state = $_POST['state'];
$hear_about = $_POST['hear_about'];
$inquiry = $_POST['inquiry'];
$address = $_POST['address'];
$message = $_POST['message'];

// Build the email (replace the address in the $to section with your own)
$to = 'dlaflair01@gmail.com';
$subject = "Submission from IPS Website: $topic";
$message = "$name Name: $first_name  $last_name\nPhone: $phone\nEmail: $email\nFrom: $address $city, $state\nHeard from: $hear_about\nInquiring for: $inquiry\nMessage:  $message";
$headers = "From: $email";

// Send the mail using PHPs mail() function
mail($to, $subject, $message, $headers);

mysql_connect("localhost", "mysafest_admin", "password") or die ('Error: ' .mysql_error());
mysql_select_db ("mysafest_databasename");

$query= "INSERT INTO Contact (ID, first_name, last_name, phone, email, city, state, hear_about, inquiry, address, message) VALUES ('NULL', '".first_name."', '".last_name."', '".phone."', '".email."', '".city."', '".state."', '".hear_about."', '".inquiry."', '".address."', '".message."')";

// Redirect
header("Location: success.html");

?>

Any reason why it's not collecting the info?

You’re not executing the query: PHP: mysql_query - Manual

Also, there are no $ in front of the variables in the INSERT query.

I'm confused by that one.

Are you saying I am missing a $ or I need one somewhere?

Looks like I needed to add it … Like this

$query= "INSERT INTO contactTable (ID, first_name, last_name, phone, email, city, state, hear_about, inquiry, address, message) VALUES ('NULL', '".$first_name."', '".$last_name."', '".$phone."', '".$email."', '".$city."', '".$state."', '".$hear_about."', '".$inquiry."', '".$address."', '".$message."')";

Here is what I have

mysql_connect("localhost", "mysafest_admin", "oliver467") or die ('Error: ' .mysql_error());
mysql_select_db ("mysafest_contact");

$query= "INSERT INTO contactTable (ID, first_name, last_name, phone, email, city, state, hear_about, inquiry, address, message) VALUES ('NULL', '".$first_name."', '".$last_name."', '".$phone."', '".$email."', '".$city."', '".$state."', '".$hear_about."', '".$inquiry."', '".$address."', '".$message."')";

mysql_query($query) or die ('Error updating database');

Something like that yeah. Still doesn’t work? What error message do you get? Or what do you see in the database?

Nothing in the database, and it is taking me to a page with “Error updating database”

Your script is highly vulnerable to both email header injection and SQL injection.

The former will let a bot use your form to spam a list of recipients they supply and the latter will let an attacker destroy data in your database.

Don’t use values from $_POST as though they can be trusted. $_POST['email'] ends up in your email headers unfiltered, and you’re not escaping or validating any of the values that build the SQL query.

When you’re debugging, that kind of generic error message isn’t very useful, is it? ;)
Try with

mysql_query($query) or die ('Error updating database ' . mysql_error() . ' in query ' . $query);

And don’t forget to sanitize user input before using it in the query like I said before (see post #4).

And like cranial-bore says, also sanitize the user input to prevent email header injection.

Is there any kind of tutorial that will show me the correct way to do this?

This is my first attempt at coding a form myself. I usually create them using a form maker.

I got it working with another tutorial using a different PHP layout.

Here's what I used.

// contact to database
$connect = mysql_connect("localhost", "mysafest_admin", "MyPass") or die ("Error , check your server connection.");
mysql_select_db("mysafest_DBName");

//Get data in local variable
$v_first_name=$_POST['first_name'];
$v_last_name=$_POST['last_name'];
$v_phone=$_POST['phone'];
$v_email=$_POST['email'];
$v_city=$_POST['city'];
$v_state=$_POST['state'];
$v_hear_about=$_POST['hear_about'];
$v_inquiry=$_POST['inquiry'];
$v_address=$_POST['address'];
$v_message=$_POST['message'];

// check for null values
if ($v_email==""  or $v_message=="")
    echo "All fields must be entered, hit back button and re-enter information";
else{
    $query="insert into contact(first_name, last_name, phone, email, city, state, hear_about, inquiry, address, message) values('$v_first_name','$v_last_name','$v_phone','$v_email','$v_city','$v_state','$v_hear_about','$v_inquiry','$v_address','$v_message')";
    mysql_query($query)  or die(mysql_error());
}

Does this one still have the security issues?

Yes. You are still using the user input ($_POST) without any validation and without sanitizing it before use in the query.

Did you take a look at mysql_real_escape_string() ?
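
The two problems raised in this thread (the submitted email address going straight into the mail headers, and unescaped values building the INSERT) handled together, as an added example that is not code from any poster. It swaps the mysql_real_escape_string() suggested above for PDO prepared statements, because the mysql_* extension was removed in PHP 7; the helper names, the example.com addresses and the in-memory SQLite table used for the demo are assumptions.

```php
<?php
// Added example: hypothetical helper names, constructed input; column names from the thread.
const FIELDS = ['first_name', 'last_name', 'phone', 'email', 'city',
                'state', 'hear_about', 'inquiry', 'address', 'message'];

// Returns the cleaned fields, or null when the submission must be rejected.
function validate_submission(array $post): ?array {
    $f = [];
    foreach (FIELDS as $name) {
        $v = $post[$name] ?? '';
        $f[$name] = is_string($v) ? trim($v) : '';
    }
    if ($f['email'] === '' || $f['message'] === '') return null;      // required fields
    if (preg_match('/[\r\n]/', $f['email'])) return null;              // CR/LF would start a new header
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) return null;
    return $f;
}

// Fixed From address; the visitor's validated address only appears in Reply-To.
function build_headers(array $f): string {
    return "From: website@example.com\r\nReply-To: {$f['email']}";
}

// Prepared statement: values are bound as parameters, never concatenated into the SQL text.
function save_submission(PDO $db, array $f): void {
    $cols  = implode(', ', FIELDS);
    $marks = implode(', ', array_map(fn($c) => ":$c", FIELDS));
    $db->prepare("INSERT INTO contact ($cols) VALUES ($marks)")->execute($f);
}

// Demo on an in-memory SQLite table so it runs offline (needs pdo_sqlite);
// on the real site the DSN would be 'mysql:host=...;dbname=...' instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contact (id INTEGER PRIMARY KEY, ' . implode(' TEXT, ', FIELDS) . ' TEXT)');

// Constructed submissions: a name containing a quote, and an email carrying an extra header line.
$good = ['first_name' => 'Pat', 'last_name' => "O'Brien", 'email' => 'pat@example.com', 'message' => 'Hi'];
$bad  = ['email' => "pat@example.com\r\nBcc: other@example.com", 'message' => 'Hi'];

foreach ([$good, $bad] as $post) {
    $f = validate_submission($post);
    if ($f === null) { echo "rejected\n"; continue; }
    save_submission($db, $f);
    // mail('owner@example.com', 'Submission from website', $f['message'], build_headers($f));
    echo "stored, headers: " . json_encode(build_headers($f)) . "\n";
}
echo $db->query('SELECT COUNT(*) FROM contact')->fetchColumn(), " row(s)\n";
```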