Basic feedback form with data saved to a database

[spacepoet]

Hi.

 

Can someone show me the proper way to do a feedback form (like a "Contact US" form).

I have read about SQL injections and would like to know I am protecting against it.

 

And the proper way to store the submitted data in a database for a client's records.

 

I have a basic form I use, but I am unable to store the data properly.

 

Any help or a code idea would be appreciated.

 

Thanks much.

[dawsba]

what kind of database ? mysql??

have you already a structure if so can u display here?

[jcbones]

Sure:

 

<?php //<- open a php script.
$error = NULL; //<- set our errors to NULL.
$name = NULL; //<- set name to NULL.
$email = NULL; //<- set email to NULL.
$comment = NULL; //<-set comment to NULL.
if(isset($_POST['submit'])) { //<- check if submit button has been clicked.
  include('database_connection.php'); //<- include our connection details for database interaction.
$name = $_POST['name']; //<- set name input to a variable.
$email = $_POST['email']; //<- set email input to a variable.
$comment = $_POST['comment']; //<- set textbox to variable.
if(empty($name)) { //<- if name is empty.
   $error .= '--Must have a name. <br />'; //<-this is the error message.
}
if(empty($email) || preg_match('~^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,9})$~',$email)) { //<- if email is empty, or doesn't follow the expression.
  $error .= '--Must have a valid email address. <br />'; //<- this is the error message.
}
if(empty($comment)) { //<- if the textbox is empty.
  $error .= '--Must leave a comment. <br />'; //<- this is the error.
}
if($error == NULL) { //<- if there are no error messages.
  $sql = sprintf("INSERT INTO feedback(name,email,comment) VALUES ('%s','%s','%s')", //<-database structure must be right.
                        mysql_real_escape_string($name),
                        mysql_real_escape_string($email),
                        mysql_real_escape_string($comment)); //<- Build the query.
  if(mysql_query($sql)) { //<- if the query is accepted by the database.
    $error .= 'Thank you for your comment!'; //<- this is the message.
  }
  else {
    $error .= 'There was an error in our Database, please Try again!'; //<- if not, this is.
  }
}
}

echo $error; //<- print errors to the screen. (will also print if the database interaction was successful or not).
?>

<form action="" method="post">
<label for="name">Name: <input type="text" name="name" value="<?php echo $name; ?>" /></label><br />
<label for="email">Email: <input type="text" name="email" value="<?php echo $email; ?>" /></label><br />
<label for="comment">Comment: </label><br />
<textarea name="comment" cols="40" rows="10"><?php echo $comment; ?></textarea>
<input type="submit" name="submit" value=" Submit " />
</form>

[dawsba]

<?php 
unset($error,$name,$email,$comment);
if(isset($_POST['submit'])) //<- check if submit button has been clicked.
{ 
  include('database_connection.php'); //<- include our connection details for database interaction.
  $name		= $_POST['name']; //<- set name input to a variable.
  $email 	= $_POST['email']; //<- set email input to a variable.
  $comment 	= $_POST['comment']; //<- set textbox to variable.
  if(empty($name)){$error .= '--Must have a name. <br />';}
  $estr = '~^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,9})$~';
  if(empty($email)||preg_match($estr,$email)){$error .= '--Must have a valid email address. <br />';}
  if(empty($comment)){$error .= '--Must leave a comment. <br />';}
  if(!isset($error))  //<- if there are no error messages.
  {
    $sql = sprintf("INSERT INTO `feedback` (`name`,`email`,`comment`)VALUES('%s','%s','%s')",
                        mysql_real_escape_string($name),
                        mysql_real_escape_string($email),
                        mysql_real_escape_string($comment));
    if(mysql_query($sql)){$error .= 'Thank you for your comment!';}
    else{$error .= 'There was an error in our Database, please Try again!';}
  }
  else{echo $error;}
}
?>

<form action="" method="post" enctype="multipart/form-data">
  <label for="name">Name: <input type="text" name="name" value="<?php echo $name; ?>" /></label><br />
  <label for="email">Email: <input type="text" name="email" value="<?php echo $email; ?>" /></label><br />
  <label for="comment">Comment: </label><br />
  <textarea name="comment" cols="40" rows="10"><?php echo $comment; ?></textarea>
  <input type="submit" name="submit" value=" Submit " />
</form>

 

how does this get on?

[spacepoet]

Hello to all:

 

Thanks very much for posting the code examples and showing me this.

 

I will work on this and see how I make out.

 

I know I have a mySQL database set-up - it works fine for a basic CMS I did with help off of here, so I assume I just need to make a new table for the form data.

 

I am new to using mySQL as well (I use to use Access), so I am trying to understand all the controls. I assume it is along the lines of defining data types that I did with ASP and Access. Just don't know if there are any "loopholes" I need to watch out for.

 

Regardless, thanks much and I will let you know.

 

Thanks!