
RE: PHP / MySQL HAS SOMETHING THROWING IT ALL OFF - 05.17.11


mrjap1


Hello,

 

There is something I may have overlooked in my php that is causing these problems...

I am almost there.

 

Currently, my html form, once processed by my "process_myform.php", places the user's info

into the database, sends me an e-mail, and displays my thank you page.

This is what it's doing and I am indeed happy about this part.

 

 

HOWEVER, my "process_myform.php" that I created, has a BIG PROBLEM. Once processed, it is CURRENTLY giving me multiple blank replies to both my e-mail box and database in addition to that placing the correct 1 user info that I filled out with my html form.

 

 

Also I would like to have the date and time be displayed within the database for my "$registration_date" variable.... how do I accomplish this? Right now in the database it just shows a bunch of zeros.

 

Could someone look at my code and tell me what I am doing wrong?

 

Here is my html & php form processing code below. I KNOW I did or did not do something wrong to throw this all off... not sure what it is.

 

Thank you for your help.

mrjap1

 

 


======================= MY HTML FORM  CODE ==============================


<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Untitled Document</title>
</head>

<body>
<form action="process_myform.php" method="post">

<p>
<!-- FIRST NAME -->

<label>First Name:</label>
<input name="first_name" type="text" size="15" maxlength="50" tabindex="10" id="first_name">
<!-- LAST NAME -->
<label>Last Name:</label>
<input name="last_name" type="text" size="15" maxlength="50" tabindex="20" id="last_name">
</p>
<p>
<!-- ADDRESS -->
<label>Address:</label>
<input name="address" type="text" size="15" maxlength="50" tabindex="30" id="address">
</p>

<p>
<!-- EMAIL -->
<label>E-mail:</label>
<input name="email" type="text" size="15" maxlength="50" tabindex="40">
<!-- ZIP CODE -->
<label>Zip Code:</label>
<input name="zip_code" type="text" size="15" maxlength="50" tabindex="50">
</p>
<br />
<input name="submit" type="image" value="SUBMIT FORM" src="submit_btn.png" alt="submit button" align="middle">

</form>
</body>
</html>

=================== MY PHP  FORM PROCESSING CODE =======================

<?php
// 1. Create a database connection
$con = mysql_connect("localhost","forms","itismyway");
if (!$con) {
  die('Database connection failed could not connect: ' . mysql_error());
  }
  
// 2. Select a database to use
$db_select = mysql_select_db("mydatainsert",$con);
if (!$db_select) {
  die('Database selection failed could not connect: ' . mysql_error());
}

mysql_select_db("mydatainsert", $con);

$sql="INSERT INTO `mydatainsert`.`gangland` (
`id` ,
`first_name` ,
`last_name` ,
`address` ,
`zip` ,
`email` ,
`registration_date`
)
VALUES
('NULL','$_POST[first_name]','$_POST[last_name]','$_POST[address]',
'$_POST[zip_code]','$_POST[email]','$_POST[registration_date]', "; // I WOULD LIKE THE DATE AND TIME TO BE IN THE DATABASE FOR THE "REGISTRATION_DATE".

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
//echo "1 record added";


// some code

// 3. Close Connection

mysql_close($con);
?>


<?php 

// ALL THE SUBJECT and EMAIL VARIABLES

$emailSubject = 'MY TEST EMAIL SCRIPTING!!! ';
$webMaster = 'myemail@gmail.com';



// GATHERING the FORM DATA VARIABLES


$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$address = $_POST['address'];
$email = $_POST['email'];
$zip_code = $_POST['zip_code'];
$date = date("l, F jS, Y");
$time = date("h:i A");



$body = <<<EOD
<br /><hr><br />
<strong>First Name:</strong> $first_name <br />
<strong>Last Name: </strong>$last_name <br />
<strong>Email:</strong> $email <br />
<strong>Zip Code:</strong> $zip_code <br />
<strong>Registration Date:</strong> $date at $time <br />
EOD;


// THIS SHOW ALL E-MAILED DATA, ONCE IN THE E-MAILBOX AS READABLE HTML

$headers = "From: $email\r\n";
$headers .= "Content-type: text/html\r\n";
$success = mail($webMaster, $emailSubject, $body, $headers);


// THE RESULTS OF THE FORM RENDERED AS PURE HTML 

$theResults = <<<EOD
<!DOCTYPE HTML>
<html lang="en">
<head>
<style type="text/css">
body {
font-family:Arial, Helvetica, sans-serif;
font-size:11px;
font-weight:bold;
}

#thankyou_block {
width: 400px;
height: 250px;
text-align:center;
border: 1px solid #666;
padding: 5px;
background-color: #0CF;
border-radius:8px;
-webkit-border-radius:8px;
-moz-border-radius:8px;
-opera-border-radius:8px;
-khtml-border-radius:8px;
box-shadow:0px 0px 10px #000;
-webkit-box-shadow: 0px 0px 10px #000;
-moz-box-shadow: 0px 0px 10px #000;
-o-box-shadow: 0px 0px 10px #000;
margin: 25px auto;
}

p {
font-family: Arial, Helvetica, sans-serif;
font-size: 14px;
line-height: 18px;
letter-spacing:1px;
color: #333;
}

</style>
<meta charset="UTF-8">
<title>THANK YOU!!!</title>
</head>

<body>

<div id="thankyou_block">
<br><br><br>
<h1>CONGRATULATIONS!!</h1>
<h2>YOUR FORM HAS BEEN PROCESSED!!!</h2>
<p>You are now registered in our Database...<br>
we will get back to you very shortly.<br>
Please have a very wonderful day.</p>

</div>
</body>
</html>

EOD;
echo "$theResults"; 



?>


You aren't even checking to see if the form has been submitted before allowing the INSERT query to run, so you're going to get a blank email and database record every time the page is accessed.

 

You aren't validating the form data and rejecting the form submission if the form doesn't validate.

 

You aren't escaping the incoming form data, and therefore you are wide open to SQL injection attack.

 

You aren't doing anything to prevent header injection, thus leaving your mail form open to abuse by spammers.


Hello,

 

WOW!! Thank you all for your quick response... I am very, very new to PHP. So all of this is way over my head. All of the security issues with respect to my form that you mentioned I was totally unaware of. Thank you... with that said, I am pretty stuck. That is why I asked in general, I am no guru.

 

Now as it stands right now I have NO idea how to do ANY of the following:

 

(1) Checking to see if the form has been submitted before allowing the INSERT query to run.

 

(2) Validating the form data and rejecting the form submission if the form doesn't validate.

 

(3) Escaping the incoming form data, and therefore I am wide open to SQL injection attack.

 

(4) How to prevent header injection, thus leaving my mail form open to abuse by spammers.

 

Based on my existing code, could you please show me example(s) of how to do all these things?

I have never done this before.

 

I want to know if I am using the " NOW() " in my MySQL code properly to insert the current date and time.

 

Thank you very kindly for your help.

 


mysql_select_db("mydatainsert", $con);

$sql="INSERT INTO `mydatainsert`.`gangland` (
`id` ,
`first_name` ,
`last_name` ,
`address` ,
`zip` ,
`email` ,
`registration_date`
)
VALUES
('NULL','$_POST[first_name]','$_POST[last_name]','$_POST[address]',
'$_POST[zip_code]','$_POST[email]','$_POST[registration_date]', NOW())"; // I WOULD LIKE THE DATE AND TIME TO BE IN THE DATABASE FOR THE "REGISTRATION_DATE".

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
//echo "1 record added";


// some code

// 3. Close Connection

mysql_close($con);
?>


 

thx

mrjap1
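The four points from the reply above, plus the NOW() question, worked into one processing script. This is an added example, not the poster's or the replier's code: it keeps the form field names from the posted HTML and the table and column names from the posted INSERT, swaps the mysql_* calls for PDO prepared statements, and uses placeholders for the database password, the sender address and the page a non-POST request is redirected to.

```php
<?php
// Added example, not the poster's code: process_myform.php hardened against the four
// points raised above, with NOW() filling registration_date. PDO stands in for mysql_*;
// the password, sender address and redirect target are placeholders.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: myform.html');       // a plain GET must never insert or mail
    exit;
}

// (1)+(2) Collect and validate; on any error nothing is stored or mailed.
$in = array();
$errors = array();
foreach (array('first_name', 'last_name', 'address', 'zip_code', 'email') as $f) {
    $in[$f] = isset($_POST[$f]) ? trim($_POST[$f]) : '';
    if ($in[$f] === '' || strlen($in[$f]) > 50) {
        $errors[] = "$f is required (max 50 characters)";
    }
}
if (!filter_var($in['email'], FILTER_VALIDATE_EMAIL)) {
    $errors[] = 'email is not a valid address';   // also rejects CR/LF, see (4)
}
if (!preg_match('/^\d{5}(-\d{4})?$/', $in['zip_code'])) {
    $errors[] = 'zip_code must look like 12345 or 12345-6789';
}
if ($errors) {
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

// (3) Prepared statement: values travel separately from the SQL text, so a quote in a
// field is stored as data, never parsed as SQL. id is left to AUTO_INCREMENT.
$pdo = new PDO('mysql:host=localhost;dbname=mydatainsert;charset=utf8', 'forms',
    'DB_PASSWORD_PLACEHOLDER', array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                                     PDO::ATTR_EMULATE_PREPARES => false));
$stmt = $pdo->prepare('INSERT INTO gangland
    (first_name, last_name, address, zip, email, registration_date)
    VALUES (:first_name, :last_name, :address, :zip, :email, NOW())');
$stmt->execute(array(':first_name' => $in['first_name'], ':last_name' => $in['last_name'],
    ':address' => $in['address'], ':zip' => $in['zip_code'], ':email' => $in['email']));

// (4) Header injection: From is a fixed address on your own domain; the visitor's
// address, already validated as a single e-mail token, goes in Reply-To only.
$headers  = "From: forms@example.com\r\n";
$headers .= 'Reply-To: ' . $in['email'] . "\r\n";
$headers .= "Content-type: text/html; charset=UTF-8\r\n";
$body = '<strong>Name:</strong> '
      . htmlspecialchars($in['first_name'] . ' ' . $in['last_name'], ENT_QUOTES, 'UTF-8');
mail('myemail@gmail.com', 'Registration received', $body, $headers);
```

The posted INSERT lists seven columns but supplies eight values (`$_POST[registration_date]` and NOW()); here NOW() alone fills `registration_date`, and `id` is omitted so the database assigns it.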
