Stupid HTML / PHP contact form! Gaaahhh

Soldato, joined 28 Sep 2008, 14,158 posts, Britain
Guys, this is obviously just a dumb error but my brain is too tired to see it now.
Getting this when submitting:
Parse error: syntax error, unexpected T_STRING in /var/sites/b/blackhawkuav.co.uk/public_html/ContactFormHandler1.php on line 31

Form.html looks like this:
HTML:
<form action="ContactFormHandler1.php" method="post">
    <table>
        <tr>
            <td>
                Your Name:
            </td>
            <td>
                <input type="text" id="Name" name="Name" />
            </td>
        </tr>
        <tr>
            <td>
                Your Email:
            </td>
            <td>
                <input type="text" id="Email" name="Email" />
            </td>
        </tr>
        <tr>
            <td>
                Your Phone:
            </td>
            <td>
                <input type="text" id="Phone" name="Phone" />
            </td>
        </tr>
        <tr>
            <td>
                Your Message:
            </td>
            <td>
                <!-- a multi-line field is a <textarea> element, not <input type="textarea"> -->
                <textarea id="Message" name="Message"></textarea>
            </td>
        </tr>
        <tr>
            <td colspan="2" style="text-align: center;">
                <input type="submit" id="submit" value="Contact Me!" />
                <input type="reset" id="reset" value="Start Over!" />
            </td>
        </tr>
    </table>
</form>

and ContactFormHandler1.php looks like this:

PHP:
<?php
    // Grab our POSTed form values
    $contactName    = $_POST["Name"];
    $contactEmail   = $_POST["Email"];
    $contactPhone   = $_POST["Phone"];
    $contactMessage = $_POST["Message"];

    // Connect to our DB with mysql_connect
    $sql_connection = mysql_connect("localhost", "root", "root");

    mysql_select_db("contacts_db", $sql_connection);

    $sql = "INSERT INTO contacts (
                ContactName,
                ContactEmail,
                ContactPhone,
                ContactMessage,
                ContactDate
            )
            VALUES (
                '$contactName',
                '$contactEmail',
                '$contactPhone',
                '$contactMessage',
                NOW()
            )"

    mysql_query($sql, $sql_connection);

    mysql_close($sql_connection);
?>

I know, I know, there's probably slicker ways of doing this, but just getting a handle on the basics.

What's wrong here?
 
Soldato, joined 15 Jan 2004, 10,185 posts
At a quick glance, you've forgotten the ; at the end of the $sql variable, line 27.

However the script is really bad as it's open to SQL injection. You should be using prepared statements instead.

I'll post more on this tomorrow.
 
Soldato, joined 15 Jan 2004, 10,185 posts
Hi Longbow, sorry to ask, have you had a chance to look at this further?

Thanks

This is a basic example:
PHP:
// Making the connection, this will be at the top of your script.
$mysqli = new mysqli(DBSERVER, DBUSER, DBPASS, DBNAME);

// Adding data to the DB
$age = $_POST['age'];
$name = $_POST['name'];

// The ? placeholders are filled in by bind_param, so the values never
// become part of the SQL text and cannot change the query.
$stmt = $mysqli->prepare("INSERT INTO `users` (age, name) VALUES (?, ?)");
$stmt->bind_param("is", $age, $name);

if ($stmt->execute()) {
    echo "Great success";
}
$stmt->close();


// Retrieving data from the DB
$id = $_POST['id'];

$stmt = $mysqli->prepare("SELECT age, name FROM `users` WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->bind_result($age, $name);
$stmt->fetch();
$stmt->close();

if (isset($age)) { echo "You are $age"; }

It's a bit long winded and something you're going to have to read up on. But write it to fit your site, if it doesn't work, post back.

By the way, for the first bind_param parameter, you use "i" if you're passing a number (integer) as a variable, "s" for strings, but you can use "s" for everything really.

You'll want to add some kind of error checking on their input though, to stop the database adding empty fields:
PHP:
if (!empty($_POST['name'])) {
    // They've typed something
}
// filter_var returns the address on success and false on failure
if (!empty($_POST['email']) && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) !== false) {
    // E-mail address is a valid format
}
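
The two replies above (the SQL injection warning and the mysqli prepared-statement snippet) applied to the OP's own ContactFormHandler1.php, as an added example that is not code posted in the thread. The DBSERVER/DBUSER/DBPASS/DBNAME values, the field length limits and the phone-number pattern are assumptions; the `contacts` table and its column names are taken from the OP's INSERT.

```php
<?php
// Added example, not code from the thread: the OP's ContactFormHandler1.php
// rewritten with input validation and mysqli prepared statements.
declare(strict_types=1);

// Assumed connection settings. A limited DB account, not root, is assumed.
const DBSERVER = 'localhost';
const DBUSER   = 'contacts_user';
const DBPASS   = 'change-me';
const DBNAME   = 'contacts_db';

// Check and trim the POSTed fields. Returns [values, errors].
// Length limits and the phone pattern are assumptions for this example.
function validateContact(array $post): array
{
    $errors  = [];
    $name    = trim((string)($post['Name'] ?? ''));
    $email   = trim((string)($post['Email'] ?? ''));
    $phone   = trim((string)($post['Phone'] ?? ''));
    $message = trim((string)($post['Message'] ?? ''));

    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Name is required (max 100 characters).';
    }
    // filter_var returns the address on success and false on failure.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not in a valid format.';
    }
    // Phone is optional; if given, allow digits, spaces, + - ( ) only.
    if ($phone !== '' && !preg_match('/^[0-9+\-() ]{6,20}$/', $phone)) {
        $errors[] = 'Phone number contains unexpected characters.';
    }
    if ($message === '' || strlen($message) > 2000) {
        $errors[] = 'Message is required (max 2000 characters).';
    }
    return [compact('name', 'email', 'phone', 'message'), $errors];
}

// Insert one row with a prepared statement. The values are sent separately
// from the SQL text, so quotes in the input cannot alter the query.
function insertContact(mysqli $db, array $c): bool
{
    $stmt = $db->prepare(
        'INSERT INTO contacts (ContactName, ContactEmail, ContactPhone, ContactMessage, ContactDate)
         VALUES (?, ?, ?, ?, NOW())'
    );
    $stmt->bind_param('ssss', $c['name'], $c['email'], $c['phone'], $c['message']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Use the contact form.');
}

[$contact, $errors] = validateContact($_POST);
if ($errors) {
    http_response_code(400);
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

// Make mysqli throw on connection and query errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = null;
try {
    $mysqli = new mysqli(DBSERVER, DBUSER, DBPASS, DBNAME);
    $mysqli->set_charset('utf8mb4');
    insertContact($mysqli, $contact);
    echo 'Thanks, your message has been sent.';
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; show the visitor nothing about the DB.
    error_log('contact insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Sorry, something went wrong. Please try again later.';
} finally {
    if ($mysqli instanceof mysqli) {
        $mysqli->close();
    }
}
```

Validation runs before anything touches the database, so empty submissions never produce a row, and the only thing the visitor sees on a failure is a generic message; the SQL error text goes to the web server's error log. The old mysql_* functions in the original handler are not used at all here, since they have no placeholder support.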
 