I would now like to add a few more elements to the script, but I don't know how to do it. Perhaps someone here would be nice enough to take a few minutes to help?
1. I would like to have some degree of form validation, particularly for the "email" field. I don't really care much about validation for the other fields (I think some basic validation is already included in my script below, such as making sure no fields are left blank), as long as any potentially damaging data is not able to be sent to the database. I have seen some recommendations for email validation, but whenever I try to incorporate them into my script, my form stops working and I get some type of an error. If someone could copy my script below (which has only been slightly modified to conceal personal information) and then insert any recommended validations directly into my script, so I can see exactly where you put it and how it is formatted, I would really appreciate it.
2. If possible, I would like to collect the IP address of the person submitting the form, and possibly the type of browser they are using as well. If this is possible, I would like this information to be entered into the MySQL database in columns labeled "ip" and "browser" respectively. If it is possible to accomplish either, or both, of those things, it would be great if you could also add that to my script below so I can see how it is done.
Here is the content of my, slightly modified, .php file below. If you recommend any other changes to my file please let me know since, like I said, I am clueless when it comes to this. Thanks!
<?php
$name = $_REQUEST['name'];
$email = $_REQUEST['email'];
$comments = $_REQUEST['comments'];

$con = mysql_connect("localhost","MyUserName","MyPassword");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}

if (!isset($_REQUEST['email'])) {
    header( "Location: http://www.example.com/feedback.html" );
    exit; // stop here, otherwise the query below runs with $sql undefined
}
elseif (empty($email) || empty($name) || empty($comments)) {
    header( "Location: http://www.example.com/error.html" );
    exit;
}
else {
    mysql_select_db("MyDatabase", $con);
    // escape each value before it is placed in the SQL string
    $name=mysql_real_escape_string($_POST['name']);
    $email=mysql_real_escape_string($_POST['email']);
    $comments=mysql_real_escape_string($_POST['comments']);
    $sql="INSERT INTO MyTable (name,email,comments) VALUES ('$name','$email','$comments')";
}

if (!mysql_query($sql,$con)) {
    die('Error: ' . mysql_error());
}

mail( "MyEmail@example.com",
    "Feedback Form Results",
    "Comments: $comments",
    "From: $name <$email>" );

header( "Location: http://www.example.com/thankyou.html" );
?>
[edited by: eelixduppy at 1:24 am (utc) on July 25, 2007]
[edit reason] changed to example.com [/edit]
This one is basic, there is more checking that can be done. I would write a function like "function validateEmail($email) " to check it first (I'm not going to write it for you, but a little google searching for "email checking php" will help).
2. The user's IP address is stored in the environment variable $REMOTE_ADDR......read up on php.net how to access environment variables :-)
3. Getting the browser type is a little tricky....I'll just say to google search "php get browser type" and take a look at some of the code, but before you do that I'd recommend looking into "regular expression" since determining browser type often involves parsing and lots of regular expressions.
What you are trying to do is not impossible and we all have come across it one time or another. I'd hate to just give you the solution and gain 0 knowledge :P But, don't be afraid to ask the "dumb" question.....everyone starts somewhere...
--Nick
also see:
[webmasterworld.com...]
browser info and ip can be spoofed but:
To get user ip:
$_SERVER['REMOTE_ADDR']
To get browser info:
$_SERVER['HTTP_USER_AGENT']
or you can use get_browser() [php.net]
Basic email validation [webmasterworld.com] was just asked about further down the page.
get_browser [us2.php.net] or HTTP_USER_AGENT [us2.php.net] will get you what you need for the user agent info.
check this thread on web form hijacking [webmasterworld.com] for a bunch of good info on ideas to secure your form - although your use of mysql_real_escape_string should basically cover you from sql inject.
If you're posting to this script from a form (method="post") you generally don't want to call variables using $_REQUEST - instead, use the more specific call to the $_POST array.
$name = $_POST['name'];
$email = $_POST['email'];
$comments = $_POST['comments'];
etc...
mysql_query [us3.php.net] and mysql_connect [us2.php.net] don't really need a conditional to check success. You could save space by....
mysql_connect("localhost","MyUserName","MyPassword") or die('Could not connect to server.' );
I'm sure by tomorrow you'll be writing sophisticated programs ;)
Just to clarify, I have already done a lot of research over the past day as I tried to learn some basic PHP, in order to get the script to do all the things I wanted it to do.
I have read many tutorials on how to do email validation, including the post on this message board that justgowithit referenced, before posting on this board. I have read information on how to display a visitor's IP address and what browser they are using also. Prior to posting on this board, I even created a page that is able to display both of these things. The problem is I don't know how to get this information transferred to my MySQL database each time a visitor submits a form. I can't find out how to do that specific thing, so I was hoping one of you could simply show me by putting the necessary code into my script. Then I could learn by seeing exactly WHERE and HOW it is implemented.
Similarly, giving me general information about email validation isn't going to help me much since I know about the general information and have tried to implement it, without success. I get a database error whenever I enter email validation into my script. That is why I would like for someone to show me exactly WHERE and HOW it is done by putting it into my script. Then I can learn from it and see if it works. If it still doesn't work, then maybe I have other problems I need to deal with.
Please, don't worry about making things too easy for me or thinking that I won't learn anything by you doing this. lol
[edited by: ilPadrino at 5:16 am (utc) on July 25, 2007]
Regarding your other suggestion, I don't know exactly what you mean.
Are you saying I need to replace this in my script...
$con = mysql_connect("localhost","MyUserName","MyPassword");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
with this....
mysql_connect("localhost","MyUserName","MyPassword") or die('Could not connect to server.' );
I did that and got an error each time I tried to submit the form.
$con = mysql_connect("localhost","MyUserName","MyPassword");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
with what you suggested...
$dbconnect=mysql_connect("localhost","MyUserName","MyPassword") or die('Could not connect to server.' );
I get the following error message whenever I try to submit my form....
Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/myname/public_html/example/file.php on line 22
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in /home/myname/public_html/example/file.php on line 33
Error:
The form works fine if I don't make the suggested change, but if for some reason the suggested change is the proper way to do it, I would like to do it properly. I just want it to work as well. :-)
mysql_select_db("MyDatabase", $con);
Here is line 33...
if (!mysql_query($sql,$con)) {
I am guessing it is the $con part that is causing the problem when I make your suggested changes?
Is it even worth altering my code, or should I just leave it the way it was since it was working?
I posted my full .php file in my first post in this thread, and the only changes I made to it are what we are discussing.
[edited by: ilPadrino at 9:52 am (utc) on July 25, 2007]
mysql_select_db ("db_name");
To select a table row(s)
$query_table1 = "SELECT * FROM tablename WHERE itemcode = 'xyz'";
$table1_result = mysql_query($query_table1) or die(mysql_error());
if (mysql_num_rows($table1_result) > 0) {
// echo the results here / or do whatever you want to do, send mail, etc.
}
[edited by: Gian04 at 10:34 am (utc) on July 25, 2007]
$con = mysql_connect("localhost","MyUserName","MyPassword") or die('Could not connect to server.' );
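Added example, not part of the original thread or any poster's code: one way to do what the first post asks, validating the email field and storing the submitter's IP address and browser string in the "ip" and "browser" columns. It assumes PHP 7.1+ with PDO and uses prepared statements in place of the thread's mysql_* calls; the function names clean_feedback and save_feedback are hypothetical, and an in-memory SQLite database with constructed input stands in for MySQL so the block runs offline.

```php
<?php
// Added example (not from the thread). SQLite stands in for MySQL so the demo
// runs offline; clean_feedback/save_feedback are hypothetical names.
function clean_feedback(array $post, array $server): ?array
{
    $name     = trim((string)($post['name'] ?? ''));
    $email    = trim((string)($post['email'] ?? ''));
    $comments = trim((string)($post['comments'] ?? ''));
    if ($name === '' || $email === '' || $comments === '') {
        return null;                       // a required field is missing
    }
    // CR/LF in a value that ends up in the mail() From header would add headers.
    if (preg_match('/[\r\n]/', $name . $email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                       // not a syntactically valid address
    }
    // REMOTE_ADDR is the connecting peer (possibly a proxy); the User-Agent is
    // client-supplied text, so it is only length-limited and stored as data.
    $ip      = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP) ?: null;
    $browser = substr((string)($server['HTTP_USER_AGENT'] ?? ''), 0, 255);
    return compact('name', 'email', 'comments', 'ip', 'browser');
}

function save_feedback(PDO $db, array $row): void
{
    // Placeholders keep every value out of the SQL text, whatever it contains.
    $stmt = $db->prepare(
        'INSERT INTO MyTable (name, email, comments, ip, browser)
         VALUES (:name, :email, :comments, :ip, :browser)'
    );
    $stmt->execute($row);
}

// Demo with constructed input; in the form handler pass $_POST and $_SERVER.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE MyTable (name TEXT, email TEXT, comments TEXT, ip TEXT, browser TEXT)');
$server = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => "Mozilla/5.0 (O'Brien test build)"];
$good = clean_feedback(['name' => 'Ann', 'email' => 'ann@example.com', 'comments' => 'Hi'], $server);
$bad  = clean_feedback(['name' => 'Ann', 'email' => "ann@example.com\r\nBcc: other@example.com", 'comments' => 'Hi'], $server);
if ($good !== null) {
    save_feedback($db, $good);
}
var_dump($bad === null);
var_dump($db->query('SELECT ip, browser FROM MyTable')->fetch(PDO::FETCH_ASSOC));
```

When clean_feedback returns null, the handler should redirect to the error page and exit before any query or mail() call.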