enhanced08 Posted April 1, 2010 Share Posted April 1, 2010 what i have is a database setup for users to submit an email address for a mailing list. i want to be able to verify that an email has been entered rather than blank text, that it is in the correct format and that it is not already in the database. i used some code i found online and tried to modify it to fit my needs but am having problems. i know its a simple solution but its been about 5 years since i did any php work, and i wasnt very good back then. help, please? $db_user="*********"; $db_pass="**************"; $database="************"; $host="*******************"; $email=$_POST['email']; $email=strtolower($email); $error='';//initialize $error to blank mysql_connect($host, $db_user, $db_pass); @mysql_select_db($database) or die( "Unable to select database"); if(trim($_POST)==''){ $error.="An email address is required!<br />"; } else { $query="SELECT * FROM mailing_list WHERE email='$email'"; $result=mysql_query($query); if($result=='$email') { $error="Your email address is already in our database."; } else { if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $_POST)) { $error="<p>The e-mail you entered was not in the proper format!<br><br> Try again.<br> <form action=mailing_list_add.php method=post accept-charset=utf-8> <table border=0 cellspacing=2 cellpadding=0> <tr><th>Email</th><td><input type=text name=email class=text></td></tr> </td></tr> <tr><td class=submission colspan=2><input type=submit name=s value=Submit></td></tr> </table> </form>"; } } } if($error==''){//Hmmmm no text is in $error so do something else, the page has verified and the email was valid // so uncomment the line below to send the user to your own success page or wherever (swap yourpage.php with your files location). { $query="INSERT INTO mailing_list VALUES ('','$email')"; mysql_query($query); mysql_close(); } echo "<script type=\"text/javascript\"> window.location = \"thankyou2.htm\"</script>"; } else{ echo "<span style=color:red>$error</span>"; } ?> Quote Link to comment Share on other sites More sharing options...
oni-kun Posted April 1, 2010 Share Posted April 1, 2010 Eregi is depricated in place of the PERL compatible preg_replace. preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/', $_POST['email']); Should suffice. Quote Link to comment Share on other sites More sharing options...
the182guy Posted April 1, 2010 Share Posted April 1, 2010 This won't work: $query="SELECT * FROM mailing_list WHERE email='$email'"; $result=mysql_query($query); if($result=='$email') { For SELECT queries mysql_query() returns a resource which you use to fetch data with mysql_fetch_assoc() or similar. For simply checking if an email address exists it's more efficient to use a SELECT COUNT() query rather than selecting the entire row of data. The code looks a bit messy, try and keep the HTML and PHP seperate - there is no need to use javascript to redirect the user to another page, PHP can do it. Why not seperate the email exists code into a function so that the code is a bit easier to read and debug? Quote Link to comment Share on other sites More sharing options...
Deoctor Posted April 1, 2010 Share Posted April 1, 2010 this $query="SELECT * FROM mailing_list WHERE email='$email'"; $result=mysql_query($query); if($result=='$email') { should be of some thing like this $query=mysql_query("SELECT email FROM mailing_list WHERE email='$email'"); $result=mysql_result($query,0); if($result=='$email') { for email validation u can check it by this method too. <script language = "Javascript"> function echeck(str) { var at="@" var dot="." var lat=str.indexOf(at) var lstr=str.length var ldot=str.indexOf(dot) if (str.indexOf(at)==-1){ alert("Invalid E-mail ID") return false } if (str.indexOf(at)==-1 || str.indexOf(at)==0 || str.indexOf(at)==lstr){ alert("Invalid E-mail ID") return false } if (str.indexOf(dot)==-1 || str.indexOf(dot)==0 || str.indexOf(dot)==lstr){ alert("Invalid E-mail ID") return false } if (str.indexOf(at,(lat+1))!=-1){ alert("Invalid E-mail ID") return false } if (str.substring(lat-1,lat)==dot || str.substring(lat+1,lat+2)==dot){ alert("Invalid E-mail ID") return false } if (str.indexOf(dot,(lat+2))==-1){ alert("Invalid E-mail ID") return false } if (str.indexOf(" ")!=-1){ alert("Invalid E-mail ID") return false } return true } function ValidateForm(){ var emailID=document.frmSample.txtEmail if ((emailID.value==null)||(emailID.value=="")){ alert("Please Enter your Email ID") emailID.focus() return false } if (echeck(emailID.value)==false){ emailID.value="" emailID.focus() return false } return true } </script> <form name="frmSample" method="post" action="#" onSubmit="return ValidateForm()"> <p>Enter an Email Address : <input type="text" name="txtEmail"> </p> <p> <input type="submit" name="Submit" value="Submit"> </p> </form> Quote Link to comment Share on other sites More sharing options...
Axeia Posted April 1, 2010 Share Posted April 1, 2010 If you have a recent version of PHP there is the following nice filter_var function available (PHP >= 5.2.0) if( filter_var( $email, FILTER_VALIDATE_EMAIL ) !== false ) And this by the way is like saying "Please hack me". $email=$_POST['email']; $query="SELECT * FROM mailing_list WHERE email='$email'"; $query="INSERT INTO mailing_list VALUES ('','$email')"; $_POST = user data = used directly in a query = you're going to get hacked. Please read up on SQL Injection. In short, if you don't get data from a trusted source use mysql_real_escape() .. or be paranoid and always used mysql_real_escape(), as the saying goes, Better safe than sorry! Quote Link to comment Share on other sites More sharing options...
oni-kun Posted April 1, 2010 Share Posted April 1, 2010 Please read up on SQL Injection. In short, if you don't get data from a trusted source use mysql_real_escape() .. or be paranoid and always used mysql_real_escape(), as the saying goes, Better safe than sorry! mysql_real_escape_string? Quote Link to comment Share on other sites More sharing options...
enhanced08 Posted April 1, 2010 Author Share Posted April 1, 2010 Eregi is depricated in place of the PERL compatible preg_replace. preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/', $_POST['email']); Should suffice. Made the change, thanks. I did see on php.net that eregi was depricated but I did not write the code and was not sure what to use in place of it. this $query="SELECT * FROM mailing_list WHERE email='$email'"; $result=mysql_query($query); if($result=='$email') { should be of some thing like this $query=mysql_query("SELECT email FROM mailing_list WHERE email='$email'"); $result=mysql_result($query,0); if($result=='$email') { I get an error with this. If I remove the 0 then it works but will not check the database for matches. And this by the way is like saying "Please hack me". $email=$_POST['email']; $query="SELECT * FROM mailing_list WHERE email='$email'"; $query="INSERT INTO mailing_list VALUES ('','$email')"; $_POST = user data = used directly in a query = you're going to get hacked. Please read up on SQL Injection. In short, if you don't get data from a trusted source use mysql_real_escape() .. or be paranoid and always used mysql_real_escape(), as the saying goes, Better safe than sorry! WOW! I had no idea, thats good to know. thanks! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.