i wrote a relatively simple but usable php query logging software a couple of years back and my setup was "plain vanilla" where a form, with a POST method has a separate page that processes the form like below
1) input form displays with a submit button that calls process-form.php
2) process-form.php then processes the form (e.g. enters the data onto a database)
3) process-form.php displays a message if everything is fine or not.
now, when i go through some php tutorials, they are teaching having the form submit upon itself by using $_SERVER
<?php
//use the $_SERVER function to decipher if the POST method has been triggered
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$name = $_POST["name"];
$email = $_POST["email"];
$message = $_POST["message"];
//TODO: Send email, etc.
}
?>
i can see the benefits of of this method as the code remains compact as you just have to go to 1 page only instead of going to other pages if you need to fix something. Is this the prevalent method now? just asking as i am trying to learn. thank you!
You can use isset() or sizeof() or empty()
if (isset($_POST))
{
$name = $_POST["name"];
$email = $_POST["email"];
$message = $_POST["message"];
//TODO: Send email, etc.
}
OR
if (sizeof($_POST) > 0)
{
$name = $_POST["name"];
$email = $_POST["email"];
$message = $_POST["message"];
//TODO: Send email, etc.
}
OR
if (!empty($_POST))
{
$name = $_POST["name"];
$email = $_POST["email"];
$message = $_POST["message"];
//TODO: Send email, etc.
}
Related
I'm trying to make the emails pass validation by using filter_var. However, I am not sure how to prevent the script from processing the form data to my database if the email is not valid.
I have
$email = $_POST['email'];
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
if (!filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
echo("$email is a valid email address");
} else {
echo("$email is not a valid email address");
exit();
}
the email obviously comes from what was entered in by the user and is in the $_POST variable. The script DOES show the email as valid or invalid, however it STILL processes the script and places the form data into my database. I thought that putting "exit()" would be the solution to this, or the proper way to handle when it's not valid. It simply opens a new page where the echo print shows.
What am I missing or doing wrong? Ideally I would like the form field to highlight and give the user some indication that they've entered in an incorrectly formatted email address (although I know that is a different topic and somewhat a bells and whistles type of thing), but I certainly do not want to allow the script to process the data into my database.
The answer lies in where the validation code was placed. Instead of placing it RIGHT AFTER the posted variables and before the SQL insertion code, I put it at the very end of the script. So the posted data went into the database before they can be validated.
So now, I have (which works)
$name = $_POST['name'];
$email = $_POST['email'];
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
echo("$email is not a valid email address");
exit();
} else {
$msg_to_user = '<br /><br /><h4>Thanks ' . $name . ', we will send you news when appropriate. Take care!</font></h4>';
$name = "";
$email = "";
}
// THE SQL SELECT STATEMENT TO ENSURE NO DUPLICATE EMAIL AND THEN THE INSERT STATEMENT TO PUT THE DATA IN THE DATABASE COMES AFTER THE CODE ABOVE
I want to check all my signup fiels to be validate in php but it seems it not take other validation except email validation. Please have a look so that can help me to bug my errors.
Thank you.
Here its my signup process...
if($_POST['action']=="signup")
{
$name = mysqli_real_escape_string($connection,$_POST['name']);
$email = mysqli_real_escape_string($connection,$_POST['email']);
$bankid = mysqli_real_escape_string($connection,$_POST['bankid']);
$phone = mysqli_real_escape_string($connection,$_POST['phone']);
$password = mysqli_real_escape_string($connection,$_POST['password']);
$query = "SELECT email FROM users where email='".$email."'";
$result = mysqli_query($connection,$query);
$numResults = mysqli_num_rows($result);
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) // Validate email address
{
$message = "E - post Redan also!!";
}
elseif($numResults>=1)
{
$message = $email." E-post redan finns!!";
}
else
{
mysqli_query($connection,"insert into users(name,email,bankid,phone,password) values('".$name."','".$email."','".$bankid."','".$phone."','".md5($password)."')");
$message = "Registrera framgångsrikt!!";
}
}
If I understand you correctly, you want to be able to validate all the fields of your sign up form on submit, correct?
There are various examples online of using filter_var in PHP - a bit of Googling will get you the answers.
I would recommend using a validation library that's built to help you make sure your code is secure. An example of such library is: https://github.com/Wixel/GUMP
If you have a look at the source code for GUMP, there are more examples using filter_var:
https://github.com/Wixel/GUMP/blob/master/gump.class.php#L878
filter_var($value, FILTER_SANITIZE_NUMBER_INT)
filter_var($value, FILTER_SANITIZE_SPECIAL_CHARS);
// etc
I've successfully created a multi page php form that uploads all the data to a mysql database. Now I'm trying to get this mail function to work with it, so we can get an email each time someone successfully completes the form.
I'm getting the email now but not the information from the form.
I'm not sure what I'm doing wrong, I'm guessing it's something to do with SESSION but I'm having a hard time actually finding a solution.
Here's the code I'm working with:
<?php
session_start();
foreach ($_POST as $key => $value) {
$_SESSION['post'][$key] = $value;
}
extract($_SESSION['post']); // Function to extract array
$connection = mysql_connect("mysql.database.com", "r-----a", "An-----1!");
$db = mysql_select_db("---------", $connection); // Storing values in database.
$query = mysql_query("insert into detail (whenadded,yourname,reservationid,reservationname,property,eta,cellphone,email,signature,petcontract) values(Now(),'$yourname','$reservationid','$reservationname','$property','$eta','$cellphone','$email','$signature','$petcontract')", $connection);
/* Set e-mail recipient */
$myemail = "blahblahblah#retreatia.com";
$yourname = ($_POST['yourname']);
$reservationid = ($_POST['reservationid']);
$reservationname = ($_POST['reservationname']);
$property = ($_POST['property']);
$eta = ($_POST['eta']);
$cellphone = ($_POST['cellphone']);
$email = ($_POST['email']);
$petcontract = ($_POST['petcontract']);
/* Let's prepare the message for the e-mail */
$subject = "$yourname has checked in using Express Checkin!";
$message = "
Information of Express Checkin User:
Name: $yourname
Reservation ID: $reservationid
Name on Reservation: $reservationname
Property: $property
Cell Phone: $cellphone
Email: $email
ETA: $eta
Pet Contract: $petcontract
";
/* Send the message using mail() function */
mail($myemail, $subject, $message);
if ($query) {
echo '<div class="absolutecenter boxshadows"><img src="../img/thankyoupage.png" class="img-responsive"></div>';
} else {
echo '<p><span>Form Submission Failed!</span></p>';
}
unset($_SESSION['post']); // Destroying session
?>
Also the form is populating all fields in the database successfully and produces the img file from the echo...
Since you did this:
extract($_SESSION['post']); // Function to extract array.
... this block is unnecessary:
$yourname = ($_POST['yourname']);
$reservationid = ($_POST['reservationid']);
$reservationname = ($_POST['reservationname']);
$property = ($_POST['property']);
$eta = ($_POST['eta']);
$cellphone = ($_POST['cellphone']);
$email = ($_POST['email']);
$petcontract = ($_POST['petcontract']);
In fact, it's probably why your variables aren't populating. They're getting overwritten with empty values since $_POST doesn't contain values from previous pages.
Per the instructions (https://developers.google.com/appengine/docs/php/mail/), I'm expecting that when users send email to a configured email address, my designated script will get invoked with POST fields containing the data from the email. I have gotten it set up so that my script is being invoked BUT ... the $_POST array is empty. (The "else" block below is getting executed.)
The code:
if ($_POST) {
$email = $_POST['sender'];
$content = $_POST['original'];
$subject = $_POST['subject'];
}
else {
syslog(LOG_ERR, "[handle_incoming_email.php] EMPTY POST fields... Bailing.");
return;
}
Any ideas on why this might be?
Thanks so much.
Liz
I did a webpage for a client that involved a series of text boxes asking for specific information such as a person's name, e-mail address, company, etc. Along with a button that would e-mail the information to my client. Whenever I tested the button it seemed to work perfectly, I uploaded the page and thought I was done. But, the other day my client got this email from the site:
Name: rfhopzdgmx rfhopzdgmx
Email: envlxw#lnlnsm.com
Company: zUDXatAfoDvQrdH
Mailing Address:
AaSsXklqpHIsoCNcei
gXsimMPRBYZqq
vGLvZraZNdpOAV, ChsmuibE PoKzaSCubXPRI
Home Phone: CIJbIfjMfjIaTqAlD
Work Phone: JFLZBOvru
Cell Phone: XlFJTTFGiTTiiFQfy
Fax: UEJMOVZodWPkKxew
Comments:
sPvSCE hgetwoguderu,*
[url=http://atyktjlxcznl.com/]atyktjlxcznl[/url],
[link=http://nudvfcehwpyg.com/]nudvfcehwpyg[/link], http://lvvwkbzbhnzp.com/
Note: The * line contained HTML link code, I just don't know how to get this site to show it.
Here is the PHP code in the site for the e-mail button.
<?php
//This Sends A Formatted Text Email Using The Text Boxes
if ($_POST['submit']){
//This Gets The Form Data
$fname = $_POST['fName'];
$lname = $_POST['lName'];
$email = $_POST['email'];
$company = $_POST['co'];
$address1 = $_POST['address1'];
$address2 = $_POST['address2'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$homep = $_POST['homeP'];
$workp = $_POST['workP'];
$cellp = $_POST['cellP'];
$fax = $_POST['fax'];
$comments = $_POST['txaOutputField'];
//echo "<script language = 'javascript'>alert('YAY');</script>";
if ($fname && $lname && $email && $comments){ //Check If Required Fields Are Filled
//This Sets The SMTP Configuration In php.ini
ini_set("SMTP", "smtp.2ndsourcewire.com");
//This Replaces Any Blank Fields With 'None's
if ($company == ""){
$company = "None";
}
if ($address1 == ""){
$address1 = "None";
}
if ($city == ""){
$city = "None";
}
if ($state == ""){
$state = "None";
}
if ($zip == ""){
$zip = "None";
}
if ($homep == ""){
$homep = "None";
}
if ($workp == ""){
$workp = "None";
}
if ($cellp == ""){
$cellp = "None";
}
if ($fax == ""){
$fax = "None";
}
//This Creates The Variables Necessary For The Email
$to = "CLIENT EMAIL WHICH I'M CENSORING";
$subject = "Email from 2ndSourceWire.com";
$from = "From: noreply#2ndsourcewire.com";
$secondEmail = "MY EMAIL WHICH I'M ALSO CENSORING";
if ($address2 == ""){
$body = "Name: $fname $lname\n".
"Email: $email\n".
"Company: $company\n\n".
"Mailing Address:\n".
"$address1\n".
"$city, $state $zip\n\n".
"Home Phone: $homep\n".
"Work Phone: $workp\n".
"Cell Phone: $cellp\n".
"Fax: $fax\n\n".
"Comments:\n".
"$comments";
}
else {
$body = "Name: $fname $lname\n".
"Email: $email\n".
"Company: $company\n\n".
"Mailing Address:\n".
"$address1\n".
"$address2\n".
"$city, $state $zip\n\n".
"Home Phone: $homep\n".
"Work Phone: $workp\n".
"Cell Phone: $cellp\n".
"Fax: $fax\n\n".
"Comments:\n".
"$comments";
}
//This Sends The Email
mail($to, $subject, $body, $from);
mail($secondEmail, $subject, $body, $from);
echo "<script language = 'javascript'>alert('The email was sent successfully.');</script>";
}
else {
//The Required Fields Are Not Filled
echo "<script language = 'javascript'>alert('Please fill your first name, last name, email address, and your comment or question.');</script>";
}
}
?>
I'm a little dumbfounded on how this happened, the client mentioned a couple e-mails of this, so I don't think it is a random glitch. Also, the e-mail address was formatted like an e-mail address, so someone or some program was interpreting the labels next to each text box. I also noticed that the first and last names entered are the same word, even though they were in different text boxes, I'm thinking its some spam program, but wouldn't they try to advertise something and make money, rather than just spouting out random text? Also, the comments section makes no sense to me at all, the links goto nowhere and they're all perfectly formatted, a random person just screwing around wouldn't know those tags, and a programmer doing it wouldn't bother with it, but also neither would a program.
I have no idea what caused this or how to fix it, I'm drawing a blank here. Anyone have any ideas?
A spammer/bot entered duff data into your page and you dutifully sent it on in your application.
Why do you think this is a mystery?
add a CAPTCHA to stop it happening. If you dont what to write your own you can use reCAPTCHA
even a simple question like "are you a human Y/n?" or "2+2?" will stop the bot,
also using some js to set an hidden value on submit and check for that on the server.
some validation on $email and $phone would be nice to have.
Instead of making people try to read CAPTCHAs, I like to have four text boxes in a row and ask the user to check two random ones (e.g. "Please check the first and third boxes") and make sure those are the only two checked in the validation.