
User Contact Info - Mailto: , Form , Php ?


markschum


I am adding a page to a website for some items for sale and need to provide a way for the viewer to enter an email address and some comments and submit that for action.

 

I thought there was an HTML command that put the info to a flat file, but I can't find anything current.

Mailto: seems to have a lot of people saying don't use it. I can use PHP easily enough.

Does anyone have comments on what approach to take?

Does PHP have any issues with record or file locking if I just add to a flat file?

 

 

thanks

Link to comment
Share on other sites

The application is an items-for-sale list that I have done with MySQL and PHP. If a viewer is interested in an item they need to supply contact info (email or phone) and ask any questions. These are mainly used boats. I don't want to just put up an email address or phone and say "call us" because many won't. If I use mailto I can fill in the subject and body of the mail with a basic "yes I want this but tell me more", but it relies on a viewer having a mail app on his machine and I don't know that.

 

 

I have concerns after reading about mailto: that it is not recommended and that writing to a file may introduce record locking issues for a multi-user system.

 

Email would be a natural choice since the site owner already checks his email regularly and sales are not time critical, while writing to a flat file or database can easily be displayed to the owner via a restricted web page or even consolidated and sent through the site's own email system.

I don't know if this clarifies anything :-)

Link to comment
Share on other sites

The best thing would be to get a contact form that uses PHP to send the mail, either that or use a CRM-type suite. The latter might be a bit overkill if you only want to make it possible for your customers to contact you with simple questions.

 

I've done a quick search online, to see if I could find something halfway usable. While it's unfortunately written in the typical PHP4 OOP model, this "tutorial" seems to be the best of the few I looked at.

Should be safe to use, but you might encounter some issues with it still due to its age. In any case, it's a good place to start, and any developer worth his/her salt should be able to bring it up to speed in a relatively short time.

 

Though, to answer your original question: You do not want to use "mailto:" as not only does it require the user to have an e-mail client configured on the computer he's using at the moment, but it also exposes your e-mail address to spam-bots.

Besides that, there is no other way to do this with plain HTML, and you will need to use a server-side scripting language (like PHP) to accomplish what you want, whether that is sending e-mails, making flat files (not recommended either, for various reasons), or saving everything in a database.

Link to comment
Share on other sites

OK thanks

 

I have gone with an html form posting to a php script on the server.

 

I am putting the data into a database table until I sort out email at the server.

 

As a temporary measure I have written a simple display page to show the enquiries.

 

It will do for now.

I do have a MySQL issue though. I know it's off topic for this forum, but where to post?

This is the error:

INSERT INTO enquiries ( id, item, email, phone, comments) VALUES ('2', 'pontoon boat 48' with 125hp twin mercury stern drive', '', '12345', '' )

Warning: mysql_query(): You have an error in your SQL syntax;

 

and this is the code:

<?php
    // Validate that the expected data exists: at least one contact field is required
    if (!isset($_POST['f_email']) and !isset($_POST['f_phone'])) {
        echo "We're sorry, but there's errors found with the form you submitted.<br /><br />";
        echo "No email address/Phone number entered<br><br>";
        echo "Please go back and fix these errors.<br><br>";
        die();
    }

    // Optional fields default to NULL when they were not posted
    if (isset($_POST['f_email'])) {
        $email = $_POST['f_email'];
    } else {
        $email = NULL;
    }
    if (isset($_POST['f_phone'])) {
        $phone = $_POST['f_phone'];
    } else {
        $phone = NULL;
    }
    if (isset($_POST['f_comments'])) {
        $comments = $_POST['f_comments'];
    } else {
        $comments = NULL;
    }
    $id = $_POST['f_id'];
    $item = $_POST['f_item'];

    $link = mysql_connect("myhost", "root", "") or die("error:" . mysql_error());
    $selected = mysql_select_db("sales", $link);
    if ($selected) {
        // The posted values are placed into the SQL string exactly as received
        $writetable = "INSERT INTO enquiries ( id, item, email, phone, comments)";
        $writetable .= " VALUES ('$id', '$item', '$email', '$phone', '$comments' )";
        echo $writetable;   // debug output: show the generated statement
        $query = mysql_query($writetable) or die(mysql_error());
    }
?>

 

I have the table setup and have checked the fields are correct and will accept NULL values.

 

any ideas ?

Link to comment
Share on other sites

The problem is that you haven't escaped the output, meaning you're wide open for SQL injections. Which is, incidentally, exactly what's happening in your example.

 

The apostrophe in the item name is terminating the SQL string, causing the MySQL server to treat everything after it as MySQL commands. Naturally enough, it fails since it isn't a valid MySQL syntax. (You really should post the entire error message next time, by the way.)

 

Look up mysql_real_escape_string(), and read up on how to both validate input and escape output.

Link to comment
Share on other sites
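
The failure described in the reply above, reproduced and then avoided with validated input and a bound-parameter query, as an added example that is not code from the thread. It assumes PDO with an in-memory SQLite database so it runs without a server; the `saveEnquiry` helper, the column types and the sample values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PDO with in-memory SQLite
// so it runs without a server; the column types are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE enquiries
            (id INTEGER, item TEXT, email TEXT, phone TEXT, comments TEXT)');

// Constructed sample input mirroring the failing query in the thread.
$post = [
    'f_id'    => '2',
    'f_item'  => "pontoon boat 48' with 125hp twin mercury stern drive",
    'f_email' => '', 'f_phone' => '12345', 'f_comments' => '',
];

// 1) Interpolation: the apostrophe after "48" closes the SQL string early,
//    so the rest of the item name is parsed as SQL and the statement fails.
$unsafe = "INSERT INTO enquiries (id, item, email, phone, comments) VALUES ("
        . "'{$post['f_id']}', '{$post['f_item']}', '{$post['f_email']}', "
        . "'{$post['f_phone']}', '{$post['f_comments']}')";
try {
    $pdo->exec($unsafe);
    echo "interpolated query: accepted\n";
} catch (PDOException $e) {
    echo "interpolated query: rejected: ", $e->getMessage(), "\n";
}

// 2) Validate the input, then bind it: bound values are handled as data
//    and are not parsed as SQL, so the apostrophe is stored unchanged.
function saveEnquiry(PDO $pdo, array $post): bool
{
    $id    = (string) ($post['f_id'] ?? '');
    $email = trim($post['f_email'] ?? '');
    $phone = trim($post['f_phone'] ?? '');
    // Empty form fields arrive as '' (still "set"), so test the content.
    if (!ctype_digit($id) || ($email === '' && $phone === '')) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO enquiries (id, item, email, phone, comments)
                           VALUES (:id, :item, :email, :phone, :comments)');
    return $stmt->execute([
        ':id' => (int) $id, ':item' => $post['f_item'] ?? '',
        ':email' => $email, ':phone' => $phone,
        ':comments' => $post['f_comments'] ?? '',
    ]);
}

var_dump(saveEnquiry($pdo, $post));
echo $pdo->query('SELECT item FROM enquiries')->fetchColumn(), "\n";
```

The same `prepare`/`execute` calls work with PDO's MySQL driver; the `mysql_*` functions used in the thread were removed in PHP 7.
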

OK, thanks very much. I used that and it's now working. It's obvious I need a good book on MySQL and PHP rather than trying to pick at the manuals :confused:

 

I now need to write a bit to allow a user to add records to the product database, but I will read as you suggest before I start.

 

thanks again.

Link to comment
Share on other sites
