mrjap1 Posted May 17, 2011

Hello,

There is something I may have overlooked in my php that is causing these problems... I am almost there. Currently, my html form, once processed by my "process_myform.php", places the user's info into the database, sends me an e-mail, and displays my thank you page. This is what it's doing and I am indeed happy about this part.

HOWEVER, my "process_myform.php" that I created has a BIG PROBLEM. Once processed, it is CURRENTLY giving me multiple blank replies to both my e-mail box and database, in addition to placing the correct 1 user info that I filled out with my html form.

Also I would like to have the date and time to be displayed within the database for my "$registration_date" variable.... how do I accomplish this? Right now in the database it just shows a bunch of zeros.

Could someone look at my code and tell me what I am doing wrong? Here is my html & php form processing code below. I KNOW I did or did not do something wrong to throw this all off... not sure what it is.

Thank you for your help.
mrjap1

======================= MY HTML FORM CODE ==============================

```html
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Untitled Document</title>
</head>
<body>
<form action="process_myform.php" method="post">
  <p>
    <!-- FIRST NAME -->
    <label>First Name:</label>
    <input name="first_name" type="text" size="15" maxlength="50" tabindex="10" id="first_name">
    <!-- LAST NAME -->
    <label>Last Name:</label>
    <input name="last_name" type="text" size="15" maxlength="50" tabindex="20" id="last_name">
  </p>
  <p>
    <!-- ADDRESS-->
    <label>Address:</label>
    <input name="address" type="text" size="15" maxlength="50" tabindex="30" id="address">
  </p>
  <p>
    <!-- EMAIL -->
    <label>E-mail:</label>
    <input name="email" type="text" size="15" maxlength="50" tabindex="40">
    <!-- ZIP CODE -->
    <label>Zip Code:</label>
    <input name="zip_code" type="text" size="15" maxlength="50" tabindex="50">
  </p>
  <br />
  <input name="submit" type="image" value="SUBMIT FORM" src="submit_btn.png" alt="submit button" align="middle">
</form>
</body>
</html>
```

=================== MY PHP FORM PROCESSING CODE =======================

```php
<?php
// 1. Create a database connection
$con = mysql_connect("localhost","forms","itismyway");
if (!$con) {
    die('Database connection failed could not connect: ' . mysql_error());
}

// 2. Select a database to use
$db_select = mysql_select_db("mydatainsert",$con);
if (!$db_select) {
    die('Database selection failed could not connect: ' . mysql_error());
}

mysql_select_db("mydatainsert", $con);

$sql="INSERT INTO `mydatainsert`.`gangland` (
`id` ,
`first_name` ,
`last_name` ,
`address` ,
`zip` ,
`email` ,
`registration_date`
)
VALUES ('NULL','$_POST[first_name]','$_POST[last_name]','$_POST[address]', '$_POST[zip_code]','$_POST[email]','$_POST[registration_date]', ";

// I WOULD LIKE THE DATE AND TIME TO BE IN THE DATABASE FOR THE "REGISTRATION_DATE".

if (!mysql_query($sql,$con)) {
    die('Error: ' . mysql_error());
}
//echo "1 record added";

// some code

// 3. Close Connection
mysql_close($con);
?>

<?php
// ALL THE SUBJECT and EMAIL VARIABLES
$emailSubject = 'MY TEST EMAIL SCRIPTING!!! ';
$webMaster = '[email protected]';

// GATHERING the FORM DATA VARIABLES
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$address = $_POST['address'];
$email = $_POST['email'];
$zip_code = $_POST['zip_code'];
$date = date ("l, F jS, Y");
$time = date ("h:i A");

$body = <<<EOD
<br /><hr><br />
<strong>First Name:</strong> $first_name <br />
<strong>Last Name: </strong>$last_name <br />
<strong>Email:</strong> $email <br />
<strong>Zip Code:</strong> $zip_code <br />
<strong>Registration Date:</strong> $date at $time <br />
EOD;

// THIS SHOW ALL E-MAILED DATA, ONCE IN THE E-MAILBOX AS READABLE HTML
$headers = "From: $email\r\n";
$headers .= "Content-type: text/html\r\n";
$success = mail($webMaster, $emailSubject, $body, $headers);

// THE RESULTS OF THE FORM RENDERED AS PURE HTML
$theResults = <<<EOD
<!DOCTYPE HTML>
<html lang="en">
<head>
<style type="text/css">
body {
  font-family:Arial, Helvetica, sans-serif;
  font-size:11px;
  font-weight:bold;
}
#thankyou_block {
  width: 400px;
  height: 250px;
  text-align:center;
  border: 1px solid #666;
  padding: 5px;
  background-color: #0CF;
  border-radius:8px;
  -webkit-border-radius:8px;
  -moz-border-radius:8px;
  -opera-border-radius:8px;
  -khtml-border-radius:8px;
  box-shadow:0px 0px 10px #000;
  -webkit-box-shadow: 0px 0px 10px #000;
  -moz-box-shadow: 0px 0px 10px #000;
  -o-box-shadow: 0px 0px 10px #000;
  margin: 25px auto;
}
p {
  font-family: Arial, Helvetica, sans-serif;
  font-size: 14px;
  line-height: 18px;
  letter-spacing:1px;
  color: #333;
}
</style>
<meta charset="UTF-8">
<title>THANK YOU!!!</title>
</head>
<body>
<div id="thankyou_block">
<br><br><br>
<h1>CONGRATULATIONS!!</h1>
<h2>YOUR FORM HAS BEEN PROCESSED!!!</h2>
<p>You are now registered in our Database...<br>
we will get back to you very shortly.<br>
Please have a very wonderful day.</p>
</div>
</body>
</html>
EOD;
echo "$theResults";
?>
```
fugix Posted May 17, 2011

Is your date field in your database using the DATE format? If so, the format that you will need to use is YYYY-MM-DD.
Pikachu2000 Posted May 17, 2011

You aren't even checking to see if the form has been submitted before allowing the INSERT query to run, so you're going to get a blank email and database record every time the page is accessed. You aren't validating the form data and rejecting the form submission if the form doesn't validate. You aren't escaping the incoming form data, and therefore you are wide open to SQL injection attack. You aren't doing anything to prevent header injection, thus leaving your mail form open to abuse by spammers.
mrjap1 Posted May 17, 2011

Hello,

WOW!! Thank you all for your quick response... I am very, very new to PHP. So all of this is way over my head. All of the security issues with respect to my form that you mentioned I was totally unaware of. Thank you... with that said, I am pretty stuck. That is why I asked in general, I am no guru.

Now as it stands right now I have NO idea how to do ANY of the following:

(1) Checking to see if the form has been submitted before allowing the INSERT query to run.
(2) Validating the form data and rejecting the form submission if the form doesn't validate.
(3) Escaping the incoming form data, and therefore I am wide open to SQL injection attack.
(4) How to prevent header injection, thus leaving my mail form open to abuse by spammers.

Based on my existing code, could you please show me example(s) of how to do all these things? I have never done this before.

I want to know if I am using the " NOW() " in my MySQL code properly to insert the current date and time. Thank you very kindly for your help.

```php
mysql_select_db("mydatainsert", $con);

$sql="INSERT INTO `mydatainsert`.`gangland` (
`id` ,
`first_name` ,
`last_name` ,
`address` ,
`zip` ,
`email` ,
`registration_date`
)
VALUES ('NULL','$_POST[first_name]','$_POST[last_name]','$_POST[address]', '$_POST[zip_code]','$_POST[email]','$_POST[registration_date]', NOW())";

// I WOULD LIKE THE DATE AND TIME TO BE IN THE DATABASE FOR THE "REGISTRATION_DATE".

if (!mysql_query($sql,$con)) {
    die('Error: ' . mysql_error());
}
//echo "1 record added";

// some code

// 3. Close Connection
mysql_close($con);
?>
```

thx
mrjap1
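The four points raised in the thread (submission check, validation, SQL injection, mail header injection), applied to this form handler as an added example; it is not code from any participant in the thread. It uses PDO prepared statements in place of the `mysql_*` functions, and the credentials, both mail addresses, the US ZIP pattern, an AUTO_INCREMENT `id` and a DATETIME `registration_date` column are assumptions.

```php
<?php
// Added example (not from the thread). DB credentials and both mail
// addresses are placeholders; an AUTO_INCREMENT id column is assumed.

// (1) Do nothing unless the form was actually submitted.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Please submit the form.');
}

// (2) Validate every field and reject the submission on any error.
$in = [];
$errors = [];
foreach (['first_name', 'last_name', 'address', 'email', 'zip_code'] as $f) {
    $in[$f] = trim((string) ($_POST[$f] ?? ''));
    if ($in[$f] === '' || strlen($in[$f]) > 50) {
        $errors[] = "$f is required (max 50 characters)";
    }
}
// (4) Reject CR/LF explicitly so the header-injection defence is visible,
// even though FILTER_VALIDATE_EMAIL refuses such input on its own.
if (preg_match('/[\r\n]/', $in['email']) || !filter_var($in['email'], FILTER_VALIDATE_EMAIL)) {
    $errors[] = 'email is not a valid address';
}
if (!preg_match('/^\d{5}(-\d{4})?$/', $in['zip_code'])) { // assumes US ZIP codes
    $errors[] = 'zip_code must look like 12345 or 12345-6789';
}
if ($errors) {
    http_response_code(400);
    exit(htmlspecialchars(implode('; ', $errors), ENT_QUOTES, 'UTF-8'));
}

// (3) Prepared statement: values are bound, never spliced into the SQL text.
// id is left out; NOW() fills registration_date (DATETIME column assumed).
$pdo = new PDO('mysql:host=localhost;dbname=mydatainsert;charset=utf8mb4',
    'DB_USER', 'DB_PASSWORD', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('INSERT INTO gangland
    (first_name, last_name, address, zip, email, registration_date)
    VALUES (?, ?, ?, ?, ?, NOW())');
$stmt->execute([$in['first_name'], $in['last_name'], $in['address'],
    $in['zip_code'], $in['email']]);

// (4) Fixed From; the validated address only appears in Reply-To.
$headers = "From: noreply@example.com\r\nReply-To: {$in['email']}\r\n"
         . "Content-Type: text/html; charset=UTF-8";
$body = '<strong>Name:</strong> '
      . htmlspecialchars($in['first_name'] . ' ' . $in['last_name'], ENT_QUOTES, 'UTF-8')
      . '<br><strong>Zip:</strong> ' . htmlspecialchars($in['zip_code'], ENT_QUOTES, 'UTF-8');
mail('webmaster@example.com', 'New registration', $body, $headers);
echo 'Thank you, your registration was saved.';
```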