Klauwaart Posted October 18, 2007

Hello again,

I have a signup script for my newsletter, and at the moment it works reasonably well, but.... The main connection to an external script is an encrypted link, which sends the data to RapidSMTP, a program to deal with mailing lists. However, I want to dump it as there are too many restrictions and I have another program, which just reads the data from my MySQL database and lets me do anything I want with my newsletter. Here is the code I use at the moment:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<!-- Created with the CoffeeCup HTML Editor 2007 -->
<!-- http://www.coffeecup.com/ -->
<!-- Brewed on 17/07/2007 17:15:26 -->
<head>
<title>Vlaanderen-Flanders</title>
<meta name="generator" content="CoffeeCup HTML Editor 2007 - www.coffeecup.com">
<meta name="description" content="A site for Flemings abroad and at home and foreigners who want to get to know the real Flanders. Een webstek voor Vlamingen uit en thuis en vreemdelingen die het echte Vlaanderen willen leren kennen.">
<meta name="keywords" content="Vlaanderen,Flanders,Vlaming,Fleming,Vlaams,Flemish">
<style type="text/css">
<!--
/* Add Hover with color to links */
a:hover {text-decoration: none; color:#FF0000;}
/* Custom Scrollbar Colors */
body{
scrollbar-arrow-color: #000000;
scrollbar-3dlight-color: #FFFF00;
scrollbar-highlight-color: #000000;
scrollbar-face-color: #FFFF00;
scrollbar-shadow-color: #000000;
scrollbar-darkshadow-color: #FFFF00;
scrollbar-track-color: #FFFF00;
}
-->
</style>
</head>
<body bgcolor="#FFFFFF" text="#000000" link="#0000ff" vlink="#33cccc" alink="#ff0000">
<div align="center"><img src="Pics/newsletter.jpg" width="500" height="100" alt="" border="0" align=""></div><br>
Here you can subscribe to our newsletter. From now on, I thought it would be more useful to be able to follow the news through your mailbox. It will also save space on the news page and save some bandwidth.<br>
Subscribe now.<br>
Thank you,<br>
The webmaster.<br>
<div align="center">
<FORM METHOD="POST" ACTION="http://redirect.rapidsmtp.com/gqigjqgwahgxbvdscwfdiwacfrcjcqhvepgidrgdjoeqgretgwgjjnbjhabaggamdgbxdzjvjrdoicjuhohpbsjtcahgdaanjpjbdhjddpgujqhxcqikcsgyhjidipiyerjlfnbzjhafapeaadesevfohvdqhajldrfggsbjddgpbgdliagrfcbtbrfealewdrdbeuabcvederajhtbeixiujudsdyhaaaghhqhofiibbldtepgidrgdjoeqgretgwgjjnbjhabaggamadejjvanduewhufbfmevihgfbzendhdebwczfhbbjgazijecjnjjcdeffojuafhijggvibdicubtbubwdpdbgceyiqafdpenedchivebgqetebhheijgjvdlddhodubyfgfzdybjapipbgedcfhjiecjhrfzazejjrezgwfgauepeiiq">
<table border="0" cellpadding="0" cellspacing="4" bgcolor="#FFFF00">
<tr>
<td>First name:</td>
<td><INPUT NAME="Voornaam" type="text" size="30" maxlength="30"></td>
</tr>
<tr>
<td>Name:</td>
<td><INPUT NAME="Naam" type="text" size="30" maxlength="30"></td>
</tr>
<tr>
<td>Town:</td>
<td><INPUT NAME="Stad" type="text" size="30" maxlength="30"></td>
</tr>
<tr>
<td>Country:</td>
<td><INPUT NAME="Land" type="text" size="30" maxlength="30"></td>
</tr>
<tr>
<td>Email:</td>
<td><INPUT NAME="Epost" type="text" size="30" maxlength="60"></td>
</tr>
</table>
<P><INPUT TYPE=SUBMIT> <INPUT TYPE=RESET>
</FORM>
</div><br>
<a href="index.htm"><div align="center"><img src="Pics/home.gif" width="95" height="30" alt="" border="0" align=""></div></a>
<script src="http://redirect.rapidsmtp.com/axekgrcvddjsisgdcwfdiwacfrcjcqhvepgidrgdjoeqgretgwgjjnbjhabaggamcvjtdqgfbfeibebfijikfabjjrcneheyfzgzbzegjeihdrcw" type="text/javascript"></script>
<script type="text/javascript">
WebsiteTracking();
</script>
</body>
</html>

I was wondering if it would be terribly difficult to make a script which I could send the <form action> to, which would simply write the entered data into the database. If possible (but if it is too difficult, no problem), a script that also sends a confirmation mail to the subscriber and, still, if not too difficult to do, asks for confirmation, and only writes the data into the database after the subscriber has clicked the confirmation link. But, if all this is too long-winded and/or complicated, I would already be happy with a script that just puts the entered data into my database.

Thanks in advance,
Klauwaart.

PS. Can anyone recommend a good resource for learning all this? At the moment I have PHP & MySQL for Dummies, 2nd edition, by Janet Valade. But if that is for dummies, then I must be the dummy of the millennium, as it looks more like "for dummies with a PhD" to me. I have also begun to learn on a number of web sites, such as "Webmonkey" and W3schools, and even started a course on the IBM website, but it is all terribly complex. They all start off with the well-known echo 'Hello World' example, and 3 lines later you have to read through a whole bunch of variables inside nested loops etc. So, are there any simple resources out there? (In another post I'll show an example of a (non-working) script, typed in word for word from a tutorial, just to prove that online tutorials and tutorials from books are not always reliable.)
Wes1890 Posted October 18, 2007

^ First off let me say that I have that same book.. I got it about 4-5 years ago though.. it's been a good friend of mine

Secondly, look here: http://www.google.com/search?source=ig&hl=en&rlz=&q=how+to+submit+form+data+into+database+php&btnG=Google+Search

Thirdly: Simple explanation of submitting form data to a database.

1. Set up the form on an HTML page

<form action="the_php_page" method="post">
<input type="text" name="CRAZYNAME">
<input type="submit">
</form>

2. On the PHP page which the form is pointing to (the_php_page) insert something like this:

$crazy = $_POST['CRAZYNAME'];
// the value is a string, so it must be quoted inside the SQL
mysql_query("INSERT INTO your_table VALUES ('$crazy')") or die(mysql_error());

See how the data in the text field CRAZYNAME went to the PHP page as $_POST['CRAZYNAME']? Make as many text fields as you want.. but be sure to validate them... search google for that too
Mirkules Posted October 18, 2007

Be careful, don't forget to sanitize your variables if this is a production site..........

$crazy = trim(addslashes(strip_tags($_POST['CRAZYNAME'])));

You don't want this to happen: http://xkcd.com/327/
Klauwaart Posted October 19, 2007 Author

OK, thanks for this. I now have an HTML form which works perfectly with this PHP script:

<HTML>
<HEAD>
<TITLE>New Document</TITLE>
</HEAD>
<BODY>
<?php
$con = mysql_connect("localhost","mrdee_mrdee","**********");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
// one variable per form field
$Voornaam = $_POST['Voornaam'];
$Naam = $_POST['Naam'];
$Stad = $_POST['Stad'];
$Land = $_POST['Land'];
$Epost = $_POST['Epost'];
mysql_select_db("mrdee_reloader", $con);
mysql_query("INSERT INTO newsletter VALUES ('','$Voornaam','$Naam','$Stad','$Land','$Epost')") or die(mysql_error());
mysql_close($con);
?>
<p align="center"><b>Thank you, you are now in the database.</b></p><br>
<p align="center"><a href="index.htm"><img src="Pics/begin.gif" width="95" height="30" border="0"></a></p>
</BODY>
</HTML>

The only question that remains now is: where exactly do I enter this validation code '$crazy = trim(addslashes(strip_tags($_POST['CRAZYNAME'])));' in my case? Hopefully I can leave you alone then. Thanks for all the help so far.
Wes1890 Posted October 19, 2007

Like this:

<HTML>
<HEAD>
<TITLE>New Document</TITLE>
</HEAD>
<BODY>
<?php
$con = mysql_connect("localhost","mrdee_mrdee","**********");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
// strip HTML, escape quotes and trim whitespace on every field
$Voornaam = trim(addslashes(strip_tags($_POST['Voornaam'])));
$Naam = trim(addslashes(strip_tags($_POST['Naam'])));
$Stad = trim(addslashes(strip_tags($_POST['Stad'])));
$Land = trim(addslashes(strip_tags($_POST['Land'])));
$Epost = trim(addslashes(strip_tags($_POST['Epost'])));
mysql_select_db("mrdee_reloader", $con);
mysql_query("INSERT INTO newsletter VALUES ('','$Voornaam','$Naam','$Stad','$Land','$Epost')") or die(mysql_error());
mysql_close($con);
?>
<p align="center"><b>Thank you, you are now in the database.</b></p><br>
<p align="center"><a href="index.htm"><img src="Pics/begin.gif" width="95" height="30" border="0"></a></p>
</BODY>
</HTML>
Klauwaart Posted October 19, 2007 Author

Thanks, great stuff. I am learning more and more by the minute here. One more thing I forgot: does it take a long chunk of coding to stop someone from entering an email address which is already in the database? Some code which tells the user 'That email address is already in the database', sends him back to the form and only executes the 'Thank you' bit after a unique email address has been entered. Sorry if I am a bit of a pain, but, as I said before, I am a complete and utter beginner.

Also, in the validating bit, what exactly does that code do? Which slashes does trim(addslashes(strip_tags add and which tags does it strip? Thanks again.
Mirkules Posted October 19, 2007

To check if the email address is already entered, you would need to query the database first, like this:

$email = trim(addslashes(strip_tags($_POST['email'])));
$query = "select email from your_table where email='$email'";
//connect to database here
...
$result = mysql_query($query);
if (mysql_num_rows($result) > 0 ) {
    //email already exists
} else {
    //email does not exist
}
//close database here
...

As far as your question what addslashes, strip_tags and trim do, the simple answer is:

addslashes adds slashes inside the string so that mysql doesn't get confused if you enter a ' character. For example, if you didn't do that, and you entered something like mirkule'es@mirkules.com, your SQL query above would look like this:

SELECT email FROM your_table where email='mirkule'es@mirkules.com'

This is bad because someone can write this in the email form:

mirkule';DROP TABLE your_table;

What happens in this case is that the first SQL query executes and tries to match mirkule to an email address before it finds the '; characters designating the end of the query. BUT, SQL will keep executing that whole string, dropping your entire table! This is called an SQL injection attack, because you inject SQL statements into your fields, and ultimately into some poor guy's database. So, addslashes is a security measure against this: if you entered the above string, it would actually look like this, causing MySQL to ignore the ' (the \ is an escape character for mysql)

mirkule\';DROP TABLE your_table;

One more thing to note is that a lot of servers come with addslashes turned on by default (called magic quotes), so you don't have to bother with calling addslashes.

strip_tags strips all HTML tags from the user input (this is also bad because they can inject Javascript functions into your database, bad bad bad).

Finally, trim trims excess spaces around your input: " mirkules@mirkules.com " becomes "mirkules@mirkules.com"

If you're curious (and it seems like you are) you should google "PHP security" or "SQL injection" for more info.
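As an added illustration of the point in the reply above (this is not code from the thread): the query text that string concatenation produces for the two inputs discussed, next to a prepared statement that binds the same input as a value, so no escaping is needed and a legitimate apostrophe survives. It assumes the pdo_sqlite extension and uses an in-memory SQLite table named after the thread's newsletter table.

```php
<?php
// Added example: concatenated SQL versus a prepared statement.
// In-memory SQLite stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE newsletter (id INTEGER PRIMARY KEY, Epost TEXT)");
// Constructed row: a real address that happens to contain a quote.
$db->exec("INSERT INTO newsletter (Epost) VALUES ('o''brien@example.com')");

// 1. String concatenation: the user's text becomes part of the SQL itself,
//    which is why a single quote breaks the query (see the reply above).
function concatenatedQueryText(string $email): string {
    return "SELECT Epost FROM newsletter WHERE Epost='$email'";
}
echo concatenatedQueryText("mirkule'es@mirkules.com"), "\n";
echo concatenatedQueryText("mirkule';DROP TABLE your_table;"), "\n";

// 2. Prepared statement: the SQL is fixed before the value is supplied, so
//    quotes and semicolons in the input are compared as data, never parsed.
//    This replaces addslashes / magic quotes rather than adding to them.
function findEmail(PDO $db, string $email): array {
    $stmt = $db->prepare("SELECT Epost FROM newsletter WHERE Epost = :email");
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The quoted address is found unchanged; the injection string matches nothing.
var_dump(findEmail($db, "o'brien@example.com"));
var_dump(findEmail($db, "mirkule';DROP TABLE your_table;"));
// The table is untouched after both lookups.
var_dump($db->query("SELECT COUNT(*) FROM newsletter")->fetchColumn());
```

With MySQL the only change is the connection string, e.g. new PDO('mysql:host=localhost;dbname=...', $user, $pass); the prepared statements stay the same.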
Klauwaart Posted October 19, 2007 Author

Thanks, tried that, but it does not seem to work. I entered a non-existing address and it still took me to the thank you bit. Here is how I added the lines:

<HTML>
<HEAD>
<TITLE>Vlaanderen-Flanders</TITLE>
</HEAD>
<BODY>
<?php
$con = mysql_connect("localhost","mrdee_mrdee","**********");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
$Epost = $_POST['Epost'];
$query = "select Epost from newsletter where Epost='$Epost'";
mysql_select_db("mrdee_reloader", $con);
$result = mysql_query($query);
if (mysql_num_rows($result) > 0 ) {
    echo 'Email does not exist.';
} else {
    mysql_query("DELETE FROM newsletter WHERE Epost='$Epost'") or die(mysql_error());
}
mysql_close($con);
?>
<div align="center"><img src="Pics/Vlaamse Leeuw.jpg" width="114" height="127" alt="" border="0" align=""></div>
<p align="center"><b>Thank you, you have now been taken off the list.</b></p><br>
<p align="center"><a href="index.htm"><img src="Pics/begin.gif" width="95" height="30" border="0"></a></p>
</BODY>
</HTML>

I have most probably slotted something into the wrong place. BTW, I would also want it to happen that, when you do enter a non-existent email address, after the message "email does not exist" the site sends you back to the input screen so you can retry. Thanks in advance.
Wes1890 Posted October 19, 2007

^ try this.. I changed the SQL query and added single quotes

Note.. i cleaned up the code for you

<HTML>
<HEAD>
<TITLE>Vlaanderen-Flanders</TITLE>
</HEAD>
<BODY>
<?php
// Always try to connect and select the DB before anything else
$con = mysql_connect("localhost","mrdee_mrdee","**********") or die("Couldnt Connect to DB - ".mysql_error());
mysql_select_db("mrdee_reloader", $con) or die("Couldnt Select a DB - ".mysql_error());

// Set post var
$Epost = trim(addslashes(strip_tags($_POST['Epost'])));

// Look for it in DB
$query = "SELECT Epost FROM newsletter WHERE Epost='".$Epost."'";
$result = mysql_query($query);

// If more than 0 rows are found, then we've found a match.. so check it
if (mysql_num_rows($result) > 0 ) {
    echo 'Email does not exist.';
} else {
    mysql_query("DELETE FROM newsletter WHERE Epost='$Epost'") or die(mysql_error());
}
mysql_close($con);
?>
<div align="center"><img src="Pics/Vlaamse Leeuw.jpg" width="114" height="127" alt="" border="0" align=""></div>
<p align="center"><b>Thank you, you have now been taken off the list.</b></p><br>
<p align="center"><a href="index.htm"><img src="Pics/begin.gif" width="95" height="30" border="0"></a></p>
</BODY>
</HTML>
Klauwaart Posted October 19, 2007 Author

Thank you, I entered that code, then tested by entering an email address that is not on the list, but it still sent me straight to the "Thank you, you are unsubscribed" bit, and I did not see 'Email does not exist.' appear. What else am I doing wrong please?

Thanks, Klauwaart.
Klauwaart Posted October 20, 2007 Author

It also goes wrong the other way: when I enter an existing email address, it shows "Email does not exist" and shows the "Thank you" message. However, the email address is not removed. Thanks in advance for further advice.
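The behaviour reported in the last two posts follows from the branches in the unsubscribe script: mysql_num_rows() > 0 means the address was found, yet that branch prints "does not exist" while the else branch deletes, so the two outcomes are swapped, and the "Thank you" HTML after the PHP block is printed in both cases. The following is an added example, not code from the thread, of the subscribe flow asked about earlier (insert with a duplicate check) and the unsubscribe flow with the branches the right way round, using PDO prepared statements. Names and column names follow the thread's form; the in-memory SQLite table and the sample submissions are constructed for the example.

```php
<?php
// Added example: subscribe with a duplicate check, unsubscribe with a
// correct existence check. SQLite in memory stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE newsletter (id INTEGER PRIMARY KEY, Voornaam TEXT,
           Naam TEXT, Stad TEXT, Land TEXT, Epost TEXT UNIQUE)");

function emailExists(PDO $db, string $email): bool {
    $stmt = $db->prepare("SELECT 1 FROM newsletter WHERE Epost = :e");
    $stmt->execute([':e' => $email]);
    return $stmt->fetchColumn() !== false;   // a row came back => it exists
}

// Each function returns the message to show; the caller decides whether to
// redisplay the form, so the "Thank you" text is only produced on success.
function subscribe(PDO $db, array $post): string {
    $email = trim($post['Epost'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Please enter a valid email address.';
    }
    if (emailExists($db, $email)) {
        return 'That email address is already in the database.';
    }
    $stmt = $db->prepare("INSERT INTO newsletter (Voornaam, Naam, Stad, Land, Epost)
                          VALUES (:v, :n, :s, :l, :e)");
    $stmt->execute([':v' => trim($post['Voornaam'] ?? ''), ':n' => trim($post['Naam'] ?? ''),
                    ':s' => trim($post['Stad'] ?? ''),     ':l' => trim($post['Land'] ?? ''),
                    ':e' => $email]);
    return 'Thank you, you are now in the database.';
}

function unsubscribe(PDO $db, array $post): string {
    $email = trim($post['Epost'] ?? '');
    if (!emailExists($db, $email)) {         // not found: report it, delete nothing
        return 'Email does not exist.';
    }
    $stmt = $db->prepare("DELETE FROM newsletter WHERE Epost = :e");
    $stmt->execute([':e' => $email]);
    return 'Thank you, you have now been taken off the list.';
}

// Constructed sample submissions, in the shape of $_POST from the thread's form.
$form = ['Voornaam' => 'Jan', 'Naam' => 'Peeters', 'Stad' => 'Gent',
         'Land' => 'Belgie', 'Epost' => 'jan@example.com'];
echo subscribe($db, $form), "\n";                                // first time: added
echo subscribe($db, $form), "\n";                                // second time: refused
echo unsubscribe($db, ['Epost' => 'nobody@example.com']), "\n";  // unknown address
echo unsubscribe($db, $form), "\n";                              // known address: removed
```

Because the values are bound rather than pasted into the SQL, no addslashes or magic quotes are involved; when a stored name or address is later printed on a page, escape it at that point with htmlspecialchars() instead of stripping tags on input.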