gabbymiles Posted October 11, 2015

I am attempting to post data to a database and send an email. The code works separately with only the email submit or the database insert, but combining the actions is giving me fits. The combined code does send the email, however it does not insert into MySQL. Also, I am looking at updating the code as this is old, however I need this running now. Thanks in advance. Here is my code.

<?php
//error_reporting(E_ALL);
//ini_set('display_errors', 1);

// Functions to filter user inputs
function filterName($field){
    // Sanitize user name
    $field = filter_var(trim($field), FILTER_SANITIZE_STRING);
    // Validate user name
    if(filter_var($field, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>"/^[a-zA-Z\s]+/")))){
        return $field;
    }else{
        return FALSE;
    }
}

function filterEmail($field){
    // Sanitize e-mail address
    $field = filter_var(trim($field), FILTER_SANITIZE_EMAIL);
    // Validate e-mail address
    if(filter_var($field, FILTER_VALIDATE_EMAIL)){
        return $field;
    }else{
        return FALSE;
    }
}

function filterString($field){
    // Sanitize string
    $field = filter_var(trim($field), FILTER_SANITIZE_STRING);
    if(!empty($field)){
        return $field;
    }else{
        return FALSE;
    }
}

// Define variables and initialize with empty values
$txtaddressErr = $txtmainErr = $txtsubjectErr = $txttitle2Err = $txtbusinesstitleErr = $txtaddress2Err = "";
$txtaddress = $txtmain = $txtsubject = $txttitle2 = $txtbusinesstitle = $txtaddress2 = "";

// Processing form data when form is submitted
if(isset($_POST['submit'])){
    include ("connect.php");

    // Validate Keywords
    if(empty($_POST["txtaddress"])){
        $txtaddressErr = 'Please enter your Keywords.';
    }else{
        $txtaddress = filterName($_POST["txtaddress"]);
        if($txtaddress == FALSE){
            $txtaddressErr = 'Please enter a valid Keywords.';
        }
    }

    // Validate email address
    if(empty($_POST["txtmain"])){
        $txtmainErr = 'Please enter your email address.';
    }else{
        $txtmain = filterEmail($_POST["txtmain"]);
        if($txtmain == FALSE){
            $txtmainErr = 'Please enter a valid email address.';
        }
    }

    // Validate need
    if(empty($_POST["txtsubject"])){
        $txtsubjectErr = 'Please enter your need.';
    }else{
        $txtsubject = filterString($_POST["txtsubject"]);
        if($txtsubject == FALSE){
            $txtsubjectErr = 'Please enter a need.';
        }
    }

    // Validate Industry
    if(empty($_POST["txtaddress2"])){
        $txtaddress2Err = "Please enter an Industry";
    }else{
        $txtaddress2 = filterString($_POST["txtaddress2"]);
        if($txtaddress2 == FALSE){
            $txtaddress2Err = 'Please enter an Industry.';
        }
    }

    // Validate user offer
    if(empty($_POST["txttitle2"])){
        $txttitle2Err = 'Please enter your offer.';
    }else{
        $txttitle2 = filterString($_POST["txttitle2"]);
        if($txttitle2 == FALSE){
            $txttitle2Err = 'Please enter a valid offer.';
        }
    }

    // Check input errors before sending email
    if(empty($txtaddressErr) && empty($txtmainErr) && empty($txttitle2Err)){
        // Recipient email address
        $to = 'myemail@domain.org';

        // Create email headers
        $headers = 'From: '. $txtmain . "\r\n" .
                   'Reply-To: '. $txtmain . "\r\n" .
                   'X-Mailer: PHP/' . phpversion();

        // Sending email
        if(mail($to, $txtsubject, $txttitle2, $headers)){
            echo '<p class="success">Your message has been sent successfully!</p>';

            $stuid = $_POST['txtid'];
            $address = trim($_POST['txtaddress']);
            $sub = trim($_POST['txtsubject']);
            $date = trim($_POST['txtdate']);
            $main = trim($_POST['txtmain']);
            $title2 = trim($_POST['txttitle2']);
            $address2 = trim($_POST['txtaddress2']);
            $agentid = trim($_POST['txtagentid']);
            $businesstitle = trim($_POST['txtbusinesstitle']);

            if(isset($_POST['submit'])){
                include ("connect.php");
                $i = mysql_query(
                    "INSERT INTO `unaction_partner`.`tbl_student`
                     (`stuid`, `address`, `sub`, `date`, `main`, `title2`, `address2`, `agentid`, `businesstitle`)
                     VALUES ('".$stuid."','".$address."','".$sub."','".$date."','".$main."','".$title2."','".$address2."','".$agentid."','".$businesstitle."')"
                );
            }
        }
    }
}
// }
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Contact Form</title>
    <style type="text/css">
        .error{ color: red; }
        .success{ color: green; }
    </style>
</head>
<body>
<div id="">
<table width="100%" border="0">
<?php $businesstitle = isset($row['businesstitle']) ? $row['businesstitle'] : ''; ?>
<form method="post" action="">
    <tr>
        <?php
        include ("connect.php");
        $g = mysql_query("select max(stuid) from tbl_student");
        while($id=mysql_fetch_array($g))
        ?>
        <td width="26%"> </td>
        <td width="74%"><input type="hidden" name="txtid" value="<?php echo $id[0]+1; ?>" readonly="readonly" /></td>
    </tr>
    <tr>
        <td><label for="txtaddress">Keywords:<sup>*</sup></label></td>
        <td><textarea cols="30" rows="3" name="txtaddress" id="txtaddress" placeholder="Tip-Include Industry Name, Topic and City to Improve Search Standing"></textarea>
            <span class="error"><?php echo $txtaddressErr; ?></span></td>
    </tr>
    <tr>
        <td><label for="txtsubject">Need:</label></td>
        <td><input type="text" name="txtsubject" id="txtsubject">
            <span class="error"><?php echo $txtsubjectErr; ?></span></td>
    </tr>
    <tr>
        <td>Offer:<sup>*</sup></td>
        <td><textarea name="txttitle2" id="Comment" rows="5" cols="30"></textarea>
            <span class="error"><?php echo $txttitle2Err; ?></span></td>
    </tr>
    <tr>
        <td><label for="txtbusinesstitle">Your Name:</label></td>
        <td><input type="text" name="txtbusinesstitle" id="txtbusinesstitle">
            <span class="error"><?php echo $txtbusinesstitleErr; ?></span></td>
    </tr>
    <tr>
        <td>Industry:</td>
        <td><input type="text" name="txtaddress2" placeholder="One Industry Name" />
            <span class="error"><?php echo $txtaddress2Err; ?></span></td>
    </tr>
    <tr>
        <td><label for="txtmain">Email:<sup>*</sup></label></td>
        <td><input type="text" name="txtmain" id="txtmain" value="<?php echo $_SESSION['email']; ?>">
            <span class="error"><?php echo $txtmainErr; ?></span></td>
    </tr>
    <tr>
        <td>Register Date</td>
        <td><input type="text" name="txtdate" value="<?php echo date("d/M/Y"); ?>" readonly="readonly" /></td>
    </tr>
    <tr>
        <td></td>
        <td><input type="hidden" name="txtagentid" placeholder="Type Name" />
            <input type="hidden" name="txtmember" /></td>
    </tr>
    <tr>
        <td><input type="submit" name="submit" value="Send"></td>
        <td><input type="reset" value="Reset"></td>
    </tr>
</form>
</table>
</div>
</body>
</html>
benanamen Posted October 11, 2015

You commented out the error reporting and display. Start with un-commenting that and tell us what errors you get.
QuickOldCar Posted October 11, 2015

define all these with = "";

$txtaddressErr = $txtmainErr = $txtsubjectErr = $txttitle2Err = $txtbusinesstitleErr = $txtaddress2Err = "";
$txtaddress = $txtmain = $txtsubject = $txttitle2 = $txtbusinesstitle = $txtaddress2 = "";

Checking if post was submitted twice:

if(isset($_POST['submit'])){

Only need to include this once:

include ("connect.php");

mysql_* functions are deprecated and being removed in php7. Use pdo or mysqli.

You should really use the escape functions for any values inserted into the mysql query.
Tommie84 Posted October 11, 2015

do proper indenting on your code

function greet ($user) {
    if (date('H') < 12) {
        $output = "Good morning $user"
    } else {
        $output = "Hello $user";
    }
    return $output;
}

function greet ($user) {
if (date('H') < 12) {
$output = "Good morning $user"}
else {
$output = "Hello $user";}
return $output;}

function greet ($user) {if (date('H') < 12) {$output = "Good morning $user"} else {$output = "Hello $user";} return $output;}

which of the 3 samples above makes it easy to detect errors?
Barand Posted October 11, 2015

Quoting QuickOldCar:
define all these with = "";
$txtaddressErr = $txtmainErr = $txtsubjectErr = $txttitle2Err = $txtbusinesstitleErr = $txtaddress2Err = "";

@QoC, See end of para 7 on http://php.net/manual/en/language.expressions.php

"Since assignments are parsed in a right to left order, you can also write '$b = $a = 5'."
QuickOldCar Posted October 11, 2015

@Barand, I know that, shouldn't the script throw an error because of multiple lines and no semicolon to end the statement? I just tried it and it doesn't throw a parse error. I tend to be more consistent for better readability, like indentations, curly braces, returns and so on. It goes against what they say:

"As in C or Perl, PHP requires instructions to be terminated with a semicolon at the end of each statement. The closing tag of a block of PHP code automatically implies a semicolon; you do not need to have a semicolon terminating the last line of a PHP block. The closing tag for the block will include the immediately trailing newline if one is present."

I would do it all on one line.

// Define variables and initialize with empty values
$txtaddressErr = $txtmainErr = $txtsubjectErr = $txttitle2Err = $txtbusinesstitleErr = $txtaddress2Err = "";
$txtaddress = $txtmain = $txtsubject = $txttitle2 = $txtbusinesstitle = $txtaddress2 = "";
mac_gyver Posted October 11, 2015

it's all one statement. it doesn't matter how many lines it's on in the file.

or just use arrays for the errors and data and avoid all that typing for each different form.
gabbymiles (Author) Posted October 11, 2015

OK here is what I did. (still not working btw)

1. Defined Err variables with "";
2. Removed duplicate submit and include
3. Used escape string
4. Cleaned up indentation to the best of my limited knowledge.

Below is the updated code. Again:

1. error functions work (nothing passes if the form is not properly filled out)
2. if the form is filled out correctly, the email sends, however the database insert does not work.
3. if I remove the error and email functions, the database insert works.

<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

// Functions to filter user inputs
function filterName($field)
{
    // Sanitize user name
    $field = filter_var(trim($field), FILTER_SANITIZE_STRING);
    // Validate user name
    if(filter_var($field, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>"/^[a-zA-Z\s]+/")))){
        return $field;
    } else {
        return FALSE;
    }
}

function filterEmail($field)
{
    // Sanitize e-mail address
    $field = filter_var(trim($field), FILTER_SANITIZE_EMAIL);
    // Validate e-mail address
    if(filter_var($field, FILTER_VALIDATE_EMAIL)){
        return $field;
    } else {
        return FALSE;
    }
}

function filterString($field)
{
    // Sanitize string
    $field = filter_var(trim($field), FILTER_SANITIZE_STRING);
    if(!empty($field)){
        return $field;
    } else {
        return FALSE;
    }
}

// Define variables and initialize with empty values
$txtaddressErr = "";
$txtmainErr = "";
$txtsubjectErr = "";
$txttitle2Err = "";
$txtbusinesstitleErr = "";
$txtaddress2Err = "";
$txtaddress = "";
$txtmain = "";
$txtsubject = "";
$txttitle2 = "";
$txtbusinesstitle = "";
$txtaddress2 = "";

// Processing form data when form is submitted
if(isset($_POST['submit'])){
    include ("connect.php");

    // Validate user Keywords
    if(empty($_POST["txtaddress"])){
        $txtaddressErr = 'Please enter your Keywords.';
    } else {
        $txtaddress = filterName($_POST["txtaddress"]);
        if($txtaddress == FALSE){
            $txtaddressErr = 'Please enter a valid Keywords.';
        }
    }

    // Validate email address
    if(empty($_POST["txtmain"])){
        $txtmainErr = 'Please enter your email address.';
    } else {
        $txtmain = filterEmail($_POST["txtmain"]);
        if($txtmain == FALSE){
            $txtmainErr = 'Please enter a valid email address.';
        }
    }

    // Validate need
    if(empty($_POST["txtsubject"])){
        $txtsubjectErr = 'Please enter your need.';
    } else {
        $txtsubject = filterString($_POST["txtsubject"]);
        if($txtsubject == FALSE){
            $txtsubjectErr = 'Please enter a need.';
        }
    }

    // Validate Industry
    if(empty($_POST["txtaddress2"])){
        $txtaddress2Err = "Please enter an Industry";
    } else {
        $txtaddress2 = filterString($_POST["txtaddress2"]);
        if($txtaddress2 == FALSE){
            $txtaddress2Err = 'Please enter an Industry.';
        }
    }

    // Validate user offer
    if(empty($_POST["txttitle2"])){
        $txttitle2Err = 'Please enter your offer.';
    } else {
        $txttitle2 = filterString($_POST["txttitle2"]);
        if($txttitle2 == FALSE){
            $txttitle2Err = 'Please enter a valid offer.';
        }
    }

    // Validate user name
    if(empty($_POST["txtbusinesstitle"])){
        $txtbusinesstitleErr = 'Please enter your name.';
    } else {
        $txtbusinesstitle = filterString($_POST["txtbusinesstitle"]);
        if($txtbusinesstitle == FALSE){
            $txtbusinesstitleErr = 'Please enter a valid name.';
        }
    }

    // Check input errors before sending email
    if(empty($txtaddressErr) && empty($txtmainErr) && empty($txttitle2Err)){
        // Recipient email address
        $to = 'myemail@domain.org';

        // Create email headers
        $headers = 'From: '. $txtmain . "\r\n" .
                   'Reply-To: '. $txtmain . "\r\n" .
                   'X-Mailer: PHP/' . phpversion();

        // Sending email
        if(mail($to, $txtsubject, $txttitle2, $headers)){
            echo '<p class="success">Your message has been sent successfully!</p>';

            $stuid = mysql_real_escape_string($_POST['txtid']);
            $address = mysql_real_escape_string($_POST['txtaddress']);
            $sub = mysql_real_escape_string($_POST['txtsubject']);
            $date = mysql_real_escape_string($_POST['txtdate']);
            $main = mysql_real_escape_string($_POST['txtmain']);
            $title2 = mysql_real_escape_string($_POST['txttitle2']);
            $address2 = mysql_real_escape_string($_POST['txtaddress2']);
            $agentid = mysql_real_escape_string($_POST['txtagentid']);
            $businesstitle = mysql_real_escape_string($_POST['txtbusinesstitle']);

            $i = mysql_query(
                "INSERT INTO `unaction_partner`.`tbl_student`
                 (`stuid`, `address`, `sub`, `date`, `main`, `title2`, `address2`, `agentid`, `businesstitle`)
                 VALUES ('".$stuid."','".$address."','".$sub."','".$date."','".$main."','".$title2."','".$address2."','".$agentid."','".$businesstitle."')"
            );
        }
    }
}
// }
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Contact Form</title>
    <style type="text/css">
        .error{ color: red; }
        .success{ color: green; }
    </style>
</head>
<body>
<div id="">
<table width="100%" border="0">
<?php $businesstitle = isset($row['businesstitle']) ? $row['businesstitle'] : ''; ?>
<form method="post" action="">
    <tr>
        <?php
        //include ("connect.php");
        $g = mysql_query("select max(stuid) from tbl_student");
        while($id=mysql_fetch_array($g))
        ?>
        <td width="26%"> </td>
        <td width="74%"><input type="hidden" name="txtid" value="<?php echo $id[0]+1; ?>" readonly="readonly" /></td>
    </tr>
    <tr>
        <td><label for="txtaddress">Keywords:<sup>*</sup></label></td>
        <td><textarea cols="30" rows="3" name="txtaddress" id="txtaddress" placeholder="Tip-Include Industry Name, Topic and City to Improve Search Standing"></textarea>
            <span class="error"><?php echo $txtaddressErr; ?></span></td>
    </tr>
    <tr>
        <td><label for="txtsubject">Need:</label></td>
        <td><input type="text" name="txtsubject" id="txtsubject">
            <span class="error"><?php echo $txtsubjectErr; ?></span></td>
    </tr>
    <tr>
        <td>Offer:<sup>*</sup></td>
        <td><textarea name="txttitle2" id="Comment" rows="5" cols="30"></textarea>
            <span class="error"><?php echo $txttitle2Err; ?></span></td>
    </tr>
    <tr>
        <td><label for="txtbusinesstitle">Your Name:</label></td>
        <td><input type="text" name="txtbusinesstitle" id="txtbusinesstitle">
            <span class="error"><?php echo $txtbusinesstitleErr; ?></span></td>
    </tr>
    <tr>
        <td><label for="txtaddress2">Industry:</label></td>
        <td><input type="text" name="txtaddress2" id="txtaddress2" placeholder="One Industry Name" />
            <span class="error"><?php echo $txtaddress2Err; ?></span></td>
    </tr>
    <tr>
        <td><label for="txtmain">Email:<sup>*</sup></label></td>
        <td><input type="text" name="txtmain" id="txtmain" value="<?php echo $_SESSION['email']; ?>">
            <span class="error"><?php echo $txtmainErr; ?></span></td>
    </tr>
    <tr>
        <td>Register Date</td>
        <td><input type="text" name="txtdate" value="<?php echo date("d/M/Y"); ?>" readonly="readonly" /></td>
    </tr>
    <tr>
        <td></td>
        <td><input type="hidden" name="txtagentid" placeholder="Type Name" />
            <input type="hidden" name="txtmember" /></td>
    </tr>
    <tr>
        <td><input type="submit" name="submit" value="Send"></td>
        <td><input type="reset" value="Reset"></td>
    </tr>
</form>
</table>
</div>
</body>
</html>
mac_gyver Posted October 11, 2015

you need to form the sql query statement in a php variable, then echo or var_dump that variable so that you know what the sql actually is. you also need to check for and handle any query errors.

note: you cannot guarantee that getting the highest id from a database table, incrementing it, and inserting it in a new row in the database table will produce unique numbers. you will eventually get a collision where two or more concurrent instances of your script are running and try to insert the same value.
gabbymiles (Author) Posted October 11, 2015

Thanks mac_gyver, I tried different ways to no avail. No errors. I used the same MySQL query from another working page (just the MySQL insert, not both insert and email). Any more ideas?
benanamen Posted October 11, 2015

@gabbymiles, I have some free time on my hands today. If you can provide a zip of EVERYTHING I need to run it, I will look into it. That also includes an sql dump of the db including the create table sql and at least a few rows of sample data.
mac_gyver Posted October 12, 2015

Quoting gabbymiles:
I tried different ways to no avail

you may have tried a bunch of things, but if you didn't echo out the sql query statement so that you (and us) will know what it is (which would also confirm that the code where the query is at is running) and check if the query is producing an error or not, you will never narrow down the problem and find what's causing it.

it's also possible that your code is inserting a row, but it's not where you are looking for it. that you are specifying the database name in the insert query means that the insert query could be operating on a different database than the one you think it is from the connection code.

i tried your last posted code and it did run to send the email, display the success message, and insert the row in the database table. the needed step would be for you to add code that checks if the query is failing or not and if it is failing, what the mysql error is.
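Putting together QuickOldCar's suggestion to move off the mysql_* functions and mac_gyver's two points (check every query for failure, and do not derive stuid from max(stuid)+1), here is an added example of what the insert could look like with PDO. It is not code from this thread or from any of its posters. It assumes tbl_student has been altered so that stuid is an AUTO_INCREMENT primary key, it uses placeholder DSN and credentials, and the column names are the ones the thread's query uses; the function names connectDb and insertStudent are mine.

```php
<?php
declare(strict_types=1);

// Added example, not the thread's code. Assumes tbl_student.stuid is an
// AUTO_INCREMENT primary key (for example after
//   ALTER TABLE tbl_student MODIFY stuid INT UNSIGNED NOT NULL AUTO_INCREMENT;)
// and uses a placeholder DSN and placeholder credentials.

function connectDb(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=unaction_partner;charset=utf8mb4'; // placeholder
    return new PDO($dsn, 'db_user_placeholder', 'db_password_placeholder', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // a failed query throws; it cannot go unnoticed
        PDO::ATTR_EMULATE_PREPARES   => false,                  // values travel separately from the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Insert one submission and return the id MySQL allocated for it.
 * stuid is deliberately absent from the column list: AUTO_INCREMENT hands out
 * the next value atomically on the server, so two concurrent submissions cannot
 * end up with the same id the way a client-supplied max(stuid)+1 can.
 */
function insertStudent(PDO $pdo, array $row): int
{
    $sql = 'INSERT INTO `tbl_student`
                (`address`, `sub`, `date`, `main`, `title2`, `address2`, `agentid`, `businesstitle`)
            VALUES
                (:address, :sub, :date, :main, :title2, :address2, :agentid, :businesstitle)';
    $stmt = $pdo->prepare($sql);
    // Bound parameters: the driver quotes every value, so neither
    // mysql_real_escape_string() nor stripping characters is needed.
    $stmt->execute([
        ':address'       => $row['address'],
        ':sub'           => $row['sub'],
        ':date'          => $row['date'],
        ':main'          => $row['main'],
        ':title2'        => $row['title2'],
        ':address2'      => $row['address2'],
        ':agentid'       => $row['agentid'],
        ':businesstitle' => $row['businesstitle'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample submission standing in for the validated $txt... variables
// of the form handler. The date is set server-side rather than read back from the
// hidden txtdate field; the Y-m-d format assumes a DATE column.
$submission = [
    'address'       => 'plumbing repair denver',
    'sub'           => 'Need',
    'date'          => date('Y-m-d'),
    'main'          => 'someone@example.com',
    'title2'        => 'Offer text',
    'address2'      => 'Construction',
    'agentid'       => '',
    'businesstitle' => 'Sample Name',
];

try {
    $pdo   = connectDb();
    $newId = insertStudent($pdo, $submission);
    echo '<p class="success">Saved as record ' . $newId . '.</p>';
} catch (PDOException $e) {
    // This is the "what is the mysql error" step: log the driver's message for
    // the operator, but show the visitor only a generic notice so that table and
    // column details do not leak into the page.
    error_log('tbl_student insert failed: ' . $e->getMessage());
    echo '<p class="error">Sorry, your message could not be saved.</p>';
}
```

Two details follow directly from the thread. First, with ERRMODE_EXCEPTION the "no errors, but no row" situation cannot occur silently: either the INSERT succeeds and lastInsertId() gives you the new stuid, or a PDOException carries the server's reason. Second, the query no longer names the database (`unaction_partner`.`tbl_student`); the DSN's dbname is the single place that decides where the row goes, which removes the "inserted into a different database than the one you are looking at" possibility mac_gyver raised.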
gabbymiles (Author) Posted October 12, 2015

Thanks benanamen, as a last resort I will, however I would prefer if someone could review the code and point out what I'm missing. I'm happy to do the research and work. I'm just stuck at this point.
gabbymiles (Author) Posted October 12, 2015

ok mac_gyver, I called the MySQL output, however I'm sure it isn't correct. I coded it the best I could. I'm getting an error.

Fatal error: Call to a member function query() on a non-object in /home/unaction/public_html/partnerupby2.com/post.php on line 141

line 41 starts at if ($con->query($...

if(isset($_POST['submit'])){
    include ("connect.php");
    $i = mysql_query(
        "INSERT INTO `unaction_partner`.`tbl_student`
         (`stuid`, `address`, `sub`, `date`, `main`, `title2`, `address2`, `agentid`, `businesstitle`)
         VALUES ('".$stuid."','".$address."','".$sub."','".$date."','".$main."','".$title2."','".$address2."','".$agentid."','".$businesstitle."')"
    );
    if ($con->query($i) === TRUE){
        echo "Success";
    } else {
        echo('Error: ' . mysql_error());
    }
}
Jacques1 Posted October 12, 2015

Why are you checking $con->query()? There is no $con variable anywhere in your code. Did you copy-and-paste this error check from somebody else?

At best, you'd check $i. That's your query result. If it's false, then there's an error.
gabbymiles (Author) Posted October 12, 2015

Jacques1, it came from my connection code.

<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

$con = mysql_connect("localhost","mydb","user") or die (mysql_error());
mysql_select_db ("mydb", $con);
//echo "Connected";
?>

I'll just use $i and see.
Jacques1 Posted October 12, 2015

$con is not an object. It doesn't have a query() method (or any other method).
gabbymiles (Author) Posted October 12, 2015

Jacques1, thank you, you are right. I just used $i and got a duplicate ID error where the increment wasn't working. However mac_gyver saw this coming, so I will need to change how I approach that. Thanks mac_gyver. Now it is updating and emailing.

Another issue: error handling is working on the front end and stripping the "less than" symbol from the string in the email, but it is passing through to MySQL. Any ideas why the error handling isn't stopping this? Again, I do realize updating to newer code would make it easier on myself and I will get to it, but again, I need a quick fix for the moment. Thanks again. Here is the updated code. (I know it's ugly, but I'm trying)

<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

// Functions to filter user inputs
function filterName($field)
{
    // Sanitize user name
    $field = filter_var(trim($field), FILTER_SANITIZE_STRING);
    // Validate user name
    if(filter_var($field, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>"/^[a-zA-Z\s]+/")))){
        return $field;
    } else {
        return FALSE;
    }
}

function filterEmail($field)
{
    // Sanitize e-mail address
    $field = filter_var(trim($field), FILTER_SANITIZE_EMAIL);
    // Validate e-mail address
    if(filter_var($field, FILTER_VALIDATE_EMAIL)){
        return $field;
    } else {
        return FALSE;
    }
}

function filterString($field)
{
    // Sanitize string
    $field = filter_var(trim($field), FILTER_SANITIZE_STRING);
    if(!empty($field)){
        return $field;
    } else {
        return FALSE;
    }
}

// Define variables and initialize with empty values
$txtaddressErr = "";
$txtmainErr = "";
$txtsubjectErr = "";
$txttitle2Err = "";
$txtbusinesstitleErr = "";
$txtaddress2Err = "";
$txtaddress = "";
$txtmain = "";
$txtsubject = "";
$txttitle2 = "";
$txtbusinesstitle = "";
$txtaddress2 = "";

if($_SERVER["REQUEST_METHOD"] == "POST"){
    // Processing form data when form is submitted
    include ("connect.php");

    if(isset($_POST['submit'])){
        // Validate user Keywords
        if(empty($_POST["txtaddress"])){
            $txtaddressErr = 'Please enter your Keywords.';
        } else {
            $txtaddress = filterName($_POST["txtaddress"]);
            if($txtaddress == FALSE){
                $txtaddressErr = 'Please enter a valid Keywords.';
            }
        }

        // Validate email address
        if(empty($_POST["txtmain"])){
            $txtmainErr = 'Please enter your email address.';
        } else {
            $txtmain = filterEmail($_POST["txtmain"]);
            if($txtmain == FALSE){
                $txtmainErr = 'Please enter a valid email address.';
            }
        }

        // Validate need
        if(empty($_POST["txtsubject"])){
            $txtsubjectErr = 'Please enter your need.';
        } else {
            $txtsubject = filterName($_POST["txtsubject"]);
            if($txtsubject == FALSE){
                $txtsubjectErr = 'Please enter a need.';
            }
        }

        // Validate Industry
        if(empty($_POST["txtaddress2"])){
            $txtaddress2Err = "Please enter an Industry";
        } else {
            $txtaddress2 = filterName($_POST["txtaddress2"]);
            if($txtaddress2 == FALSE){
                $txtaddress2Err = 'Please enter an Industry.';
            }
        }

        // Validate user offer
        if(empty($_POST["txttitle2"])){
            $txttitle2Err = 'Please enter your offer.';
        } else {
            $txttitle2 = filterName($_POST["txttitle2"]);
            if($txttitle2 == FALSE){
                $txttitle2Err = 'Please enter a valid offer.';
            }
        }

        // Validate user name
        if(empty($_POST["txtbusinesstitle"])){
            $txtbusinesstitleErr = 'Please enter your name.';
        } else {
            $txtbusinesstitle = filterName($_POST["txtbusinesstitle"]);
            if($txtbusinesstitle == FALSE){
                $txtbusinesstitleErr = 'Please enter a valid name.';
            }
        }

        $stuid = mysql_real_escape_string($_POST['txtid']);
        $address = preg_replace("/[^\`a-z,. \'\-\d]/i", "", $txtaddress);
        $address = mysql_real_escape_string($_POST['txtaddress']);
        $sub = mysql_real_escape_string($_POST['txtsubject']);
        $date = mysql_real_escape_string($_POST['txtdate']);
        $main = mysql_real_escape_string($_POST['txtmain']);
        $title2 = mysql_real_escape_string($_POST['txttitle2']);
        $address2 = mysql_real_escape_string($_POST['txtaddress2']);
        $agentid = mysql_real_escape_string($_POST['txtagentid']);
        $businesstitle = mysql_real_escape_string($_POST['txtbusinesstitle']);

        if(isset($_POST['submit'])){
            include ("connect.php");

            if(empty($txtaddressErr) && empty($txtmainErr) && empty($txttitle2Err) && empty($txtsubjectErr) && empty($txtaddress2Err) && empty($txtbusinesstitleErr)){
                $i = mysql_query(
                    "INSERT INTO `unaction_partner`.`tbl_student`
                     (`stuid`, `address`, `sub`, `date`, `main`, `title2`, `address2`, `agentid`, `businesstitle`)
                     VALUES ('".$stuid."','".$address."','".$sub."','".$date."','".$main."','".$title2."','".$address2."','".$agentid."','".$businesstitle."')"
                );
                if ($i === TRUE){
                    echo "Success";
                } else {
                    echo('Error: ' . mysql_error());
                }
            }

            // Check input errors before sending email
            if(empty($txtaddressErr) && empty($txtmainErr) && empty($txttitle2Err) && empty($txtsubjectErr) && empty($txtaddress2Err) && empty($txtbusinesstitleErr)){
                // Recipient email address
                $to = 'myemail@domain.org';

                // Create email headers
                $headers = 'From: '. $txtmain . "\r\n" .
                           'Reply-To: '. $txtmain . "\r\n" .
                           'X-Mailer: PHP/' . phpversion();

                // Sending email
                if(mail($to, $txtsubject, $txttitle2, $headers)){
                    echo '<p class="success">Your message has been sent successfully!</p>';
                }
            }
        }
    }
}
// }
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Contact Form</title>
    <style type="text/css">
        .error{ color: red; }
        .success{ color: green; }
    </style>
</head>
<body>
<div id="">
<table width="100%" border="0">
<?php $businesstitle = isset($row['businesstitle']) ? $row['businesstitle'] : ''; ?>
<form method="post" action="">
    <tr>
        <?php
        include ("connect.php");
        $g = mysql_query("select max(stuid) from tbl_student");
        while($id=mysql_fetch_array($g)) {
        ?>
        <td width="26%"> </td>
        <td width="74%"><input type="hidden" name="txtid" value="<?php echo $id[0]+1; ?>" readonly="readonly" /></td>
    </tr>
        <?php } ?>
    <tr>
        <td><label for="txtaddress">Keywords:<sup>*</sup></label></td>
        <td><textarea cols="30" rows="3" name="txtaddress" id="txtaddress" placeholder="Tip-Include Industry Name, Topic and City to Improve Search Standing"><?php echo $txtaddress; ?></textarea>
            <span class="error"><?php echo $txtaddressErr; ?></span></td>
    </tr>
    <tr>
        <td><label for="txtsubject">Need:</label></td>
        <td><input name="txtsubject" type="text" id="txtsubject" value="<?php echo $txtsubject; ?>">
            <span class="error"><?php echo $txtsubjectErr; ?></span></td>
    </tr>
    <tr>
        <td>Offer:<sup>*</sup></td>
        <td><textarea name="txttitle2" id="Comment" rows="5" cols="30"><?php echo $txttitle2; ?></textarea>
            <span class="error"><?php echo $txttitle2Err; ?></span></td>
    </tr>
    <tr>
        <td><label for="txtbusinesstitle">Your Name:</label></td>
        <td><input name="txtbusinesstitle" type="text" id="txtbusinesstitle" value="<?php echo $txtbusinesstitle; ?>">
            <span class="error"><?php echo $txtbusinesstitleErr; ?></span></td>
    </tr>
    <tr>
        <td><label for="txtaddress2">Industry:</label></td>
        <td><input name="txtaddress2" type="text" id="txtaddress2" value="<?php echo $txtaddress2; ?>" placeholder="One Industry Name" />
            <span class="error"><?php echo $txtaddress2Err; ?></span></td>
    </tr>
    <tr>
        <td><label for="txtmain">Email:<sup>*</sup></label></td>
        <td><input type="text" name="txtmain" id="txtmain" value="<?php echo $_SESSION['email']; ?>">
            <span class="error"><?php echo $txtmainErr; ?></span></td>
    </tr>
    <tr>
        <td>Register Date</td>
        <td><input type="text" name="txtdate" value="<?php echo date("d/M/Y"); ?>" readonly="readonly" /></td>
    </tr>
    <tr>
        <td></td>
        <td><input type="hidden" name="txtagentid" placeholder="Type Name" />
            <input type="hidden" name="txtmember" /></td>
    </tr>
    <tr>
        <td><input type="submit" name="submit" value="Send"></td>
        <td><input type="reset" value="Reset"></td>
    </tr>
</form>
</table>
</div>
</body>
</html>
Jacques1 Posted October 12, 2015 (edited)

You're inserting the original data instead of the filtered data.

But like you already said yourself: This code desperately needs an update. Blocking less-than signs as a "security measure" may have been acceptable in the 90s, but nowadays people are used to professional software which doesn't choke on a simple input character.

Edited October 12, 2015 by Jacques1
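Jacques1's two observations (the raw $_POST value is what reaches the query, and stripping "<" is not a security control) point at the same design: validate the input once, keep the accepted value verbatim for the database and the plain-text email, and encode it only at the point where it is rendered as HTML. The added example below is mine, not code from the thread; the function names validateText, validateEmail, h and buildOutputs are assumptions, and the submission is a constructed sample.

```php
<?php
declare(strict_types=1);

// Added example, not the thread's code. Validate once, store and mail the
// accepted value unchanged, encode only when rendering HTML.

/** Return the trimmed text if it is within policy, otherwise null. The text itself is never altered. */
function validateText(string $value, int $maxLen): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    // ASCII control characters other than tab, LF and CR have no place in form text.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value) === 1) {
        return null;
    }
    return $value;
}

/** FILTER_VALIDATE_EMAIL rejects CR and LF, which is what keeps From:/Reply-To: a single header line each. */
function validateEmail(string $value): ?string
{
    $value = trim($value);
    return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? null : $value;
}

/** Encode for an HTML text or attribute context. Applied at output time only. */
function h(?string $s): string
{
    return htmlspecialchars($s ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Derive the three things the form handler needs from one validated submission.
 * Returns null when validation fails, so the caller can show the field errors.
 */
function buildOutputs(array $posted): ?array
{
    $offer = validateText($posted['txttitle2'] ?? '', 2000);
    $email = validateEmail($posted['txtmain'] ?? '');
    if ($offer === null || $email === null) {
        return null;
    }
    return [
        // Goes into a bound parameter of the INSERT: stored exactly as typed, "<" included.
        'db_value'     => $offer,
        // Plain-text email: "<" is just a character here, nothing interprets it.
        'mail_headers' => 'From: ' . $email . "\r\n" . 'Reply-To: ' . $email,
        'mail_body'    => $offer,
        // Only when the value is echoed back into the page does it get HTML-encoded.
        'form_html'    => '<textarea name="txttitle2">' . h($offer) . '</textarea>',
    ];
}

// Constructed sample submission containing the "<" that the thread's filter removes.
$posted = [
    'txttitle2' => 'Offer: 2 for < $100, tools & delivery included',
    'txtmain'   => 'someone@example.com',
];

$out = buildOutputs($posted);
if ($out === null) {
    echo '<p class="error">Please check the form.</p>';
} else {
    echo $out['form_html'];
}
```

For the sample above, db_value and mail_body keep the text exactly as submitted, while form_html renders it with `<` as `&lt;` and `&` as `&amp;`, so the browser displays the offer rather than parsing it. The FILTER_SANITIZE_STRING calls in the thread's filter functions are what strip the less-than sign; with output encoding in place they add nothing, and the bound parameter (rather than mysql_real_escape_string on the raw $_POST value) is what makes the stored value safe to insert.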