bluewaves Posted March 21, 2009 Share Posted March 21, 2009 I have an email form at http://www.spiritofvolunteerism.com/forms.html that inserts the user input into a database and sends the website owner an email with the submitted information. It works fine, but I don't know how to make fields required. I'm using a php script to insert the data into the database and process the information. Part of the PHP script: $query = "INSERT INTO contacts (first_name, last_name, email, phone, fax, address, city, state, zipcode, country, sponsorship, authorization, comments) " . "VALUES ('$first_name', '$last_name', '$email', '$phone', '$fax', '$address', '$city', '$state', '$zipcode', '$country', '$sponsorship', '$authorization', '$comments')"; $result = mysql_query($query) or die('Error querying database.'); mysql_close($cxn); $to = 'nobody@norealaddress.here'; $subject = 'Form Results From Spirit of Volunteerism'; $msg = "Contact From: The Spirit of Volunteerism website. \n". "\n". "Contact Information: \n". "\n". "Name: $first_name $last_name \n". "Address: $address \n". "City, State Zip: $city, $state $zipcode \n". "Country: $country \n". "\n". "Email: $email \n". "Phone: $phone \n". "Fax: $fax \n". "\n". "Sponsorship Level: $sponsorship \n". "\n". "Authorization: $authorization \n". "\n". "Comments: $comments"; mail($to, $subject, $msg, 'From:' . $email); Part of the html form that doesn't work: <tr> <td align="right"><label for="first_name" class="required">First Name:</label></td><td> <input type="text" name="first_name" / size="20"><br /> </td> </tr> I've tried that, but the form goes through anyway. What else to I need to do to my script to make the fields required? Thanks in advance. (edited by kenrbnsn to remove real email address) Quote Link to comment Share on other sites More sharing options...
WolfRage Posted March 21, 2009 Share Posted March 21, 2009 Like this: <?php if(isset(trim($_POST('first_name')))) { //then process the var } else { //send the user back to the form and tell them they need to fill out all of the required fields. } ?> Some other pointers I would like to add are: 1: Security first, make sure that you are screening all of the incoming data for malicious logic, especially with the information being inserted into a database, and the fact that you just posted that fact on the web with a url prime for attacking. 2: Perhaps you should send the email direct with out recording the information in a database? Quote Link to comment Share on other sites More sharing options...
ashton321 Posted March 21, 2009 Share Posted March 21, 2009 or you could use this javascript to check they are filled in <!-- /*********************************************** * Required field(s) validation v1.10- By NavSurf * Visit Nav Surf at http://navsurf.com * Visit http://www.dynamicdrive.com/ for full source code ***********************************************/ function formCheck(formobj){ // Enter name of mandatory fields var fieldRequired = Array("fname", "lname", "phone", "email", "type_work", "desc_work"); // Enter field description to appear in the dialog box var fieldDescription = Array("First Name", "Last Name", "Phone Number", "E-mail", "Type of Work", "Description of Work"); // dialog message var alertMsg = "Please complete the following fields:\n"; var l_Msg = alertMsg.length; for (var i = 0; i < fieldRequired.length; i++){ var obj = formobj.elements[fieldRequired[i]]; if (obj){ switch(obj.type){ case "select-one": if (obj.selectedIndex == -1 || obj.options[obj.selectedIndex].text == ""){ alertMsg += " - " + fieldDescription[i] + "\n"; } break; case "select-multiple": if (obj.selectedIndex == -1){ alertMsg += " - " + fieldDescription[i] + "\n"; } break; case "text": case "textarea": if (obj.value == "" || obj.value == null){ alertMsg += " - " + fieldDescription[i] + "\n"; } break; default: } if (obj.type == undefined){ var blnchecked = false; for (var j = 0; j < obj.length; j++){ if (obj[j].checked){ blnchecked = true; } } if (!blnchecked){ alertMsg += " - " + fieldDescription[i] + "\n"; } } } } if (alertMsg.length == l_Msg){ return true; }else{ alert(alertMsg); return false; } } // --> Quote Link to comment Share on other sites More sharing options...
WolfRage Posted March 21, 2009 Share Posted March 21, 2009 Just remember javascript can be blocked and completly shut off, if the user wishes, and if a malicious user would like they will modify the javascript to get around the checks, better to check server side, but checking client side does save you processing power. Quote Link to comment Share on other sites More sharing options...
bluewaves Posted March 21, 2009 Author Share Posted March 21, 2009 Ok. Now...can I unpost the information? I don't want this to be a security problem. Quote Link to comment Share on other sites More sharing options...
bluewaves Posted March 21, 2009 Author Share Posted March 21, 2009 Well...now I have taken that script and changed it so it's not inserting into a database. If I wanted to do that say on a different site....how would I make that secure...granted I wouldn't be posting the info like I did today. Quote Link to comment Share on other sites More sharing options...
WolfRage Posted March 21, 2009 Share Posted March 21, 2009 Well I like to use htmlentites() but you have to becareful because you can not use that on things such as emails which have to have special characters. So for those I use htmlspecialchars() . When you are inserting into a database you should also use the appropreiate real escape string, like for MySQL mysql_real_escape_string(). Plus never give the fact that it is going into a database away. using htmlentites() and htmlspecialchars() also protects the email recipeint from embeded links that a malicious user would attempt to use. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.