
Creating Email Forms with Required fields


bluewaves


I have an email form at http://www.spiritofvolunteerism.com/forms.html that inserts the user input into a database and sends the website owner an email with the submitted information.

 

It works fine, but I don't know how to make fields required.

 

I'm using a php script to insert the data into the database and process the information.

 

Part of the PHP script:

 

  $query = "INSERT INTO contacts (first_name, last_name, email, phone, fax, address, city, state, zipcode, country, sponsorship, authorization, comments) " .
    "VALUES ('$first_name', '$last_name', '$email', '$phone', '$fax', '$address', '$city', '$state', '$zipcode', '$country', '$sponsorship', '$authorization', '$comments')";

  $result = mysql_query($query)
    or die('Error querying database.');


  mysql_close($cxn);


  $to = '[email protected]';
  $subject = 'Form Results From Spirit of Volunteerism';
  $msg = "Contact From: The Spirit of Volunteerism website. \n".
     "\n".
     "Contact Information: \n".
     "\n".
     "Name:            $first_name $last_name \n".
     "Address:         $address \n".
     "City, State Zip: $city, $state  $zipcode \n".
     "Country:         $country \n".
     "\n".
     "Email:           $email \n".
     "Phone:           $phone \n".
     "Fax:             $fax \n".
     "\n".
     "Sponsorship Level: $sponsorship \n".
     "\n".
     "Authorization:     $authorization \n".
     "\n".
     "Comments:          $comments";

  mail($to, $subject, $msg, 'From:' . $email);

 

Part of the html form that doesn't work:

 

<tr>
    <td align="right"><label for="first_name" class="required">First Name:</label></td>
    <td><input type="text" name="first_name" size="20" /><br />
    </td>
  </tr>

 

I've tried that, but the form goes through anyway.

 

What else do I need to do to my script to make the fields required?  Thanks in advance.

 

(edited by kenrbnsn to remove real email address)

Like this:

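<?php
// isset() only accepts variables, so test the array key first, then trim the value.
if (isset($_POST['first_name']) && trim($_POST['first_name']) !== '') {
    //then process the var
}
else {
    //send the user back to the form and tell them they need to fill out all of the required fields.
}
?>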

Some other pointers I would like to add are:

1: Security first: make sure that you are screening all of the incoming data for malicious logic, especially with the information being inserted into a database, and the fact that you just posted that fact on the web with a URL prime for attacking.

2: Perhaps you should send the email directly without recording the information in a database?

Or you could use this JavaScript to check that they are filled in:

 

<!--

/***********************************************
* Required field(s) validation v1.10- By NavSurf
* Visit Nav Surf at http://navsurf.com
* Visit http://www.dynamicdrive.com/ for full source code
***********************************************/

function formCheck(formobj){
        // Enter name of mandatory fields
        var fieldRequired = Array("fname", "lname", "phone", "email", "type_work", "desc_work");
        // Enter field description to appear in the dialog box
        var fieldDescription = Array("First Name", "Last Name", "Phone Number", "E-mail", "Type of Work", "Description of Work");
        // dialog message
        var alertMsg = "Please complete the following fields:\n";

        var l_Msg = alertMsg.length;

        for (var i = 0; i < fieldRequired.length; i++){
                var obj = formobj.elements[fieldRequired[i]];
                if (obj){
                        switch(obj.type){
                        case "select-one":
                                if (obj.selectedIndex == -1 || obj.options[obj.selectedIndex].text == ""){
                                        alertMsg += " - " + fieldDescription[i] + "\n";
                                }
                                break;
                        case "select-multiple":
                                if (obj.selectedIndex == -1){
                                        alertMsg += " - " + fieldDescription[i] + "\n";
                                }
                                break;
                        case "text":
                        case "textarea":
                                if (obj.value == "" || obj.value == null){
                                        alertMsg += " - " + fieldDescription[i] + "\n";
                                }
                                break;
                        default:
                        }
                        if (obj.type == undefined){
                                var blnchecked = false;
                                for (var j = 0; j < obj.length; j++){
                                        if (obj[j].checked){
                                                blnchecked = true;
                                        }
                                }
                                if (!blnchecked){
                                        alertMsg += " - " + fieldDescription[i] + "\n";
                                }
                        }
                }
        }

        if (alertMsg.length == l_Msg){
                return true;
        }else{
                alert(alertMsg);
                return false;
        }
}
// -->

Just remember JavaScript can be blocked and completely shut off if the user wishes, and if a malicious user would like, they will modify the JavaScript to get around the checks. It is better to check server side, but checking client side does save you processing power.

Well, I like to use htmlentities(), but you have to be careful because you cannot use that on things such as emails, which have to have special characters. So for those I use htmlspecialchars(). When you are inserting into a database you should also use the appropriate real escape string function, like mysql_real_escape_string() for MySQL. Plus, never give away the fact that it is going into a database. Using htmlentities() and htmlspecialchars() also protects the email recipient from embedded links that a malicious user would attempt to use.
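Added example, not code from the thread or from any poster: a server-side handler for the form above that enforces required fields, inserts with bound parameters, and keeps visitor input out of the mail headers. It uses PDO prepared statements in place of the thread's mysql_query() calls; the required-field set, the helper names, the database credentials and the example.org addresses are assumptions.

```php
<?php
// Added example. Required-field set, DSN, credentials and example.org addresses are assumptions.
const REQUIRED = ['first_name', 'last_name', 'email'];
const COLUMNS  = ['first_name', 'last_name', 'email', 'phone', 'fax', 'address', 'city',
    'state', 'zipcode', 'country', 'sponsorship', 'authorization', 'comments'];

/** Trim every expected field; return [cleaned values, error messages]. */
function validate_contact(array $post): array
{
    $clean = $errors = [];
    foreach (COLUMNS as $name) {
        // A non-string value (first_name[]=x) counts as empty instead of reaching trim().
        $value = $post[$name] ?? '';
        $clean[$name] = is_string($value) ? trim($value) : '';
    }
    foreach (REQUIRED as $name) {
        if ($clean[$name] === '') {
            $errors[] = "$name is required";
        }
    }
    // A value that passes FILTER_VALIDATE_EMAIL contains no CR/LF, so it cannot add headers.
    if ($clean['email'] !== '' && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return [$clean, $errors];
}

/** Insert with bound parameters: values are never concatenated into the SQL text. */
function save_contact(PDO $pdo, array $clean): void
{
    $sql = 'INSERT INTO contacts (' . implode(', ', COLUMNS) . ') VALUES (:'
        . implode(', :', COLUMNS) . ')';
    $pdo->prepare($sql)->execute($clean);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$clean, $errors] = validate_contact($_POST);
    if ($errors) {
        http_response_code(422);   // re-display the form with these messages
        echo nl2br(htmlspecialchars(implode("\n", $errors), ENT_QUOTES, 'UTF-8'));
        exit;
    }
    $pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    save_contact($pdo, $clean);
    $body = "Name:  {$clean['first_name']} {$clean['last_name']}\nEmail: {$clean['email']}\n";
    // Fixed From address; the visitor's validated address appears only in Reply-To.
    mail('owner@example.org', 'Form Results', $body, "From: forms@example.org\r\nReply-To: {$clean['email']}");
}
```

The mail body is plain text, so the values are sent as entered; HTML-escape them only at the point where they are rendered in a web page.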
