dflow Posted May 13, 2011 Share Posted May 13, 2011 i have a contact form with some valdition conditions the action should send an email and insert a query into the db recently i noticed that some of the contact forms filled send emails only and no insert how should i find the cause of the problem?? what can it be??? //insert code mysql_query("SET NAMES 'utf8'"); mysql_select_db($database_international, $international); // check which button was clicked // perform calculation $DepartureDate=$_POST['fromdate']; $ReturnDate=$_POST['todate']; $num_nights=$_POST['num_nights']; $num_nights= stripslashes($num_nights); $DepartureDate = stripslashes($DepartureDate); // sql inject clean $regex = "/[A-Z]/"; $DATETIME = date("Y-m-j"); $TotalNumber=$_POST['TotalNumberAdults']+$_POST['TotalNumberChildren']; if (empty($_POST['Main']) && !empty($_POST['CustomerEmail']) && !preg_match("/http/i",$_POST['RequestText']) && !preg_match($regex, $DepartureDate) && !preg_match("/http/i",$_POST['CustomerCellphone'])&& !preg_match("/http/i",$_POST['CustomerHomephone']) && !preg_match($regex, $num_nights)){ $query=mysql_query("INSERT INTO contact_form(CustomerLastName,CustomerFirstName_heb,CustomerEmail,CustomerCellphone,CustomerHomePhone,CategoryID,CountryID,CityID,RegionID,TotalNumber,TotalNumberAdults,TotalNumberChildren,children_ages,RequestText,DepartureDate,ReturnDate,num_nights,FlightsRequired,CarRentalRequired,StatusID,DATETIME,Newsletter,Contact_Method) VALUES('$_POST[CustomerLastName]','$_POST[CustomerFirstName_heb]','$_POST[CustomerEmail]','$_POST[CustomerCellphone]','$_POST[CustomerHomePhone]','$_POST[CatID]','$_POST[CountryID]','$_POST[CityID]','$_POST[RegionID]','$TotalNumber','$_POST[TotalNumberAdults]','$_POST[TotalNumberChildren]','$_POST[children_ages]','$_POST[RequestText]','$_POST[fromdate]','$_POST[todate]','$_POST[num_nights]','$_POST[FlightsRequired]','$_POST[CarRentalRequired]','$_POST[statusID]','$DATETIME','$_POST[Newsletter]','$_POST[Contact_Method]') "); //email code if (empty($_POST['Main']) && !empty($_POST['CustomerEmail']) && !preg_match("/http/i",$_POST['RequestText']) && !preg_match($regex, $DepartureDate) && !preg_match("/http/i",$_POST['CustomerCellphone'])&& !preg_match("/http/i",$_POST['CustomerHomephone']) && !preg_match($regex, $num_nights)) { // if (!preg_match($regex, $DepartureDate)) mail($to, $subject, $message, $headers); $url_success = "confirmation.php"; //header("Location: {$url_success}"); echo("<meta http-equiv = refresh content=0;url=".$url_success.">"); } :wtf: Quote Link to comment Share on other sites More sharing options...
requinix Posted May 14, 2011 Share Posted May 14, 2011 If any of those $_POST values have an apostrophe then your query will fail. Use mysql_real_escape_string anytime you put a user-entered value into a query. It'll ensure your query works and even prevent Bad Things from happening. Quote Link to comment Share on other sites More sharing options...
dflow Posted May 14, 2011 Author Share Posted May 14, 2011 If any of those $_POST values have an apostrophe then your query will fail. Use mysql_real_escape_string anytime you put a user-entered value into a query. It'll ensure your query works and even prevent Bad Things from happening. thanks where should i place it? Quote Link to comment Share on other sites More sharing options...
jcbones Posted May 14, 2011 Share Posted May 14, 2011 I would look at my database table and make sure I didn't have any unique keys that were causing duplicates to be dropped. I would then step in and sanitize, and validate the code so that I wouldn't get a compromised database. It is wide open to injection attacks. I would then move the email code into the same if statement as the database code, and only run it if the query is successful. Returning a failed response to the user, if the database query fails. //insert code mysql_query("SET NAMES 'utf8'"); mysql_select_db($database_international, $international); // check which button was clicked // perform calculation $DepartureDate=$_POST['fromdate']; $ReturnDate=$_POST['todate']; $num_nights=$_POST['num_nights']; $num_nights= stripslashes($num_nights); $DepartureDate = stripslashes($DepartureDate); // sql inject clean $regex = "/[A-Z]/"; $DATETIME = date("Y-m-j"); $TotalNumber=$_POST['TotalNumberAdults']+$_POST['TotalNumberChildren']; if (empty($_POST['Main']) && !empty($_POST['CustomerEmail']) && !preg_match("/http/i",$_POST['RequestText']) && !preg_match($regex, $DepartureDate) && !preg_match("/http/i",$_POST['CustomerCellphone'])&& !preg_match("/http/i",$_POST['CustomerHomephone']) && !preg_match($regex, $num_nights)){ $query = sprintf("INSERT INTO contact_form(CustomerLastName,CustomerFirstName_heb,CustomerEmail,CustomerCellphone,CustomerHomePhone,CategoryID,CountryID,CityID,RegionID,TotalNumber,TotalNumberAdults,TotalNumberChildren,children_ages,RequestText,DepartureDate,ReturnDate,num_nights,FlightsRequired,CarRentalRequired,StatusID,DATETIME,Newsletter,Contact_Method) VALUES('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')", mysql_real_escape_string($_POST['CustomerLastName']), mysql_real_escape_string($_POST['CustomerFirstName_heb']), mysql_real_escape_string($_POST['CustomerEmail']), mysql_real_escape_string($_POST['CustomerCellphone']), mysql_real_escape_string($_POST['CustomerHomePhone']), mysql_real_escape_string($_POST['CatID']), mysql_real_escape_string($_POST['CountryID']), mysql_real_escape_string($_POST['CityID']), mysql_real_escape_string($_POST['RegionID']), mysql_real_escape_string($TotalNumber), mysql_real_escape_string($_POST['TotalNumberAdults']), mysql_real_escape_string($_POST['TotalNumberChildren']), mysql_real_escape_string($_POST['children_ages']), mysql_real_escape_string($_POST['RequestText']), mysql_real_escape_string($_POST['fromdate']), mysql_real_escape_string($_POST['todate']), mysql_real_escape_string($_POST['num_nights']), mysql_real_escape_string($_POST['FlightsRequired']), mysql_real_escape_string($_POST['CarRentalRequired']), mysql_real_escape_string($_POST['StatusID']), mysql_real_escape_string($DATETIME), mysql_real_escape_string($_POST['Newsletter']), mysql_real_escape_string($_POST['Contact_Method'])); //email code if(mysql_query($query)) { if(mail($to, $subject, $message, $headers) { $url_success = "confirmation.php"; echo("<meta http-equiv = refresh content=0;url=".$url_success.">"); } else { echo 'Mail failed!'; } } else { echo 'Database insert failed!'; } } Quote Link to comment Share on other sites More sharing options...
dflow Posted May 14, 2011 Author Share Posted May 14, 2011 I would look at my database table and make sure I didn't have any unique keys that were causing duplicates to be dropped. I would then step in and sanitize, and validate the code so that I wouldn't get a compromised database. It is wide open to injection attacks. I would then move the email code into the same if statement as the database code, and only run it if the query is successful. Returning a failed response to the user, if the database query fails. //insert code mysql_query("SET NAMES 'utf8'"); mysql_select_db($database_international, $international); // check which button was clicked // perform calculation $DepartureDate=$_POST['fromdate']; $ReturnDate=$_POST['todate']; $num_nights=$_POST['num_nights']; $num_nights= stripslashes($num_nights); $DepartureDate = stripslashes($DepartureDate); // sql inject clean $regex = "/[A-Z]/"; $DATETIME = date("Y-m-j"); $TotalNumber=$_POST['TotalNumberAdults']+$_POST['TotalNumberChildren']; if (empty($_POST['Main']) && !empty($_POST['CustomerEmail']) && !preg_match("/http/i",$_POST['RequestText']) && !preg_match($regex, $DepartureDate) && !preg_match("/http/i",$_POST['CustomerCellphone'])&& !preg_match("/http/i",$_POST['CustomerHomephone']) && !preg_match($regex, $num_nights)){ $query = sprintf("INSERT INTO contact_form(CustomerLastName,CustomerFirstName_heb,CustomerEmail,CustomerCellphone,CustomerHomePhone,CategoryID,CountryID,CityID,RegionID,TotalNumber,TotalNumberAdults,TotalNumberChildren,children_ages,RequestText,DepartureDate,ReturnDate,num_nights,FlightsRequired,CarRentalRequired,StatusID,DATETIME,Newsletter,Contact_Method) VALUES('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')", mysql_real_escape_string($_POST['CustomerLastName']), mysql_real_escape_string($_POST['CustomerFirstName_heb']), mysql_real_escape_string($_POST['CustomerEmail']), mysql_real_escape_string($_POST['CustomerCellphone']), mysql_real_escape_string($_POST['CustomerHomePhone']), mysql_real_escape_string($_POST['CatID']), mysql_real_escape_string($_POST['CountryID']), mysql_real_escape_string($_POST['CityID']), mysql_real_escape_string($_POST['RegionID']), mysql_real_escape_string($TotalNumber), mysql_real_escape_string($_POST['TotalNumberAdults']), mysql_real_escape_string($_POST['TotalNumberChildren']), mysql_real_escape_string($_POST['children_ages']), mysql_real_escape_string($_POST['RequestText']), mysql_real_escape_string($_POST['fromdate']), mysql_real_escape_string($_POST['todate']), mysql_real_escape_string($_POST['num_nights']), mysql_real_escape_string($_POST['FlightsRequired']), mysql_real_escape_string($_POST['CarRentalRequired']), mysql_real_escape_string($_POST['StatusID']), mysql_real_escape_string($DATETIME), mysql_real_escape_string($_POST['Newsletter']), mysql_real_escape_string($_POST['Contact_Method'])); //email code if(mysql_query($query)) { if(mail($to, $subject, $message, $headers) { $url_success = "confirmation.php"; echo("<meta http-equiv = refresh content=0;url=".$url_success.">"); } else { echo 'Mail failed!'; } } else { echo 'Database insert failed!'; } } thanks getting error on this line: Parse error: syntax error, unexpected '{' in contact-m.php on line 1218 if(mysql_query($query)) { 1218 if(mail($to, $subject, $message, $headers) { Quote Link to comment Share on other sites More sharing options...
trq Posted May 14, 2011 Share Posted May 14, 2011 Your missing a ) Quote Link to comment Share on other sites More sharing options...
dflow Posted May 14, 2011 Author Share Posted May 14, 2011 Your missing a ) thanks now any idea why the mail() isnt executed? Quote Link to comment Share on other sites More sharing options...
jcbones Posted May 15, 2011 Share Posted May 15, 2011 Your best bet is to contact your host. They will have access to the SMTP error logs, and could help you much faster than we could. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.