Writing to SQL from PHP

it's normal to have plain text username/passwords for mysql_connect. as the file is php, only people who have access to the filesystem on the server can see it. you're not trying to supply the login details for the db through the form, are you? :confused:
 
umm, I'm not sure.

The code above is an extract from my form-process.php, which gets called from my enquiry.php like this:

Code:
<form id="enquiryform" action="form-process.php" method="POST">

<p><label for="name">Name:</label><input type="text" class="required" id="name" name="name" maxlength="60" /><span class="warning">*</span></p>

<p><label for="country">Country:</label>
<select id="country" name="country" tabindex="103">
<option value="United Kingdom" selected="selected">United Kingdom</option>
<option value="Other">Other</option>
</select></p>

<p><label for="telephone">Telephone:</label><input type="text" class="required" id="telephone" name="telephone" maxlength="30" /><span class="warning">*</span></p>

<p><label for="email">Email:</label><input type="text" class="email required" id="email" name="email" maxlength="100" /><span class="warning">*</span></p>

<p><label for="enquiry">Your enquiry:</label><textarea class="required" rows="4" cols="40" id="enquiry" name="comments"></textarea><span class="warning">*</span></p>

<p><input type="submit" class="button" name="submit" value="Submit Enquiry" /></p>
</form>

That's the HTML form (without all the CSS gubbins etc.). So once submit is pressed it runs form-process.php, and that does the emailing and the database inserting.
 
what you had was fine. leave the mysql username/password as text. you also need to look at validating user input though. :p

?????

I have this so far

Code:
<?php
// Only accept submissions that arrived via POST from the form's submit button.
if (!isset($_POST['submit']) || $_SERVER['REQUEST_METHOD'] != "POST") {
    exit("<p>You did not press the submit button; this page should not be accessed directly.</p>");
} else {
    // Blacklist patterns: mail-header / script fragments, profanity, spam words, known bot user agents.
    $exploits  = "/(content-type|bcc:|cc:|document.cookie|onclick|onload|javascript|alert)/i";
    $profanity = "/(RUDE WORDS HERE)/i";
    $spamwords = "/(SPAMWORDS HERE)/i";
    $bots      = "/(Indy|Blaiz|Java|libwww-perl|Python|OutfoxBot|User-Agent|PycURL|AlphaServer)/i";

    if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match($bots, $_SERVER['HTTP_USER_AGENT'])) {
        exit("<p>Known spam bots are not allowed.</p>");
    }
    foreach ($_POST as $key => $value) {
        $value = trim($value);

        if (empty($value)) {
            exit("<p>Empty fields are not allowed. Please go back and fill in the form.</p>");
        } elseif (preg_match($exploits, $value)) {
            exit("<p>Exploits/malicious scripting attributes aren't allowed.</p>");
        } elseif (preg_match($profanity, $value) || preg_match($spamwords, $value)) {
            exit("<p>That kind of language is not allowed through our form.</p>");
        }

        $_POST[$key] = stripslashes(strip_tags($value));
    }

    // E-mail syntax check. ereg() was removed in PHP 7, so the same pattern is used with
    // preg_match(); the dots are escaped so they match a literal "." rather than any character.
    if (!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$/", strtolower($_POST['email']))) {
        exit("<p>That e-mail address is not valid, please use another.</p>");
    }

    $recipient = "me";
    $subject = "Contact From mydomain";

    $message = "You've received an enquiry from: \n";
    $message .= "Name: {$_POST['name']} \n";
    $message .= "E-mail: {$_POST['email']} \n";
    $message .= "Telephone: {$_POST['telephone']} \n";
    $message .= "Country: {$_POST['country']} \n";
    $message .= "Enquiry: {$_POST['comments']} \n";

    $headers = "From: <$recipient> \n";
    $headers .= "Reply-To: <{$_POST['email']}>";

    if (mail($recipient, $subject, $message, $headers)) {
        header("Location: thankyou.php");
    } else {
        header("Location: opps.php");
    }
}

That's above the PHP I just added for the SQL insertion.

Is that what you mean?
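The thread's advice is to keep the database credentials in a PHP file that the web server never serves as text and to validate user input before the SQL insertion. The following is an added example, not code from any poster in this thread, showing the two halves of that advice together: each form field is checked against what the form actually offers (an allow-list for the `<select>`, `filter_var()` for the e-mail address, length limits matching the `maxlength` attributes) and the insert is done with a PDO prepared statement, so the values never become part of the SQL text. The table name `enquiries`, its columns, and the `config.php` file with its `DB_DSN`, `DB_USER` and `DB_PASS` constants are assumptions for illustration.

```php
<?php
// Added example (not the poster's code). Assumed: a table `enquiries` with the
// columns below, and a config.php outside the document root defining
// DB_DSN, DB_USER and DB_PASS (all placeholders).
declare(strict_types=1);

/** Validate the posted fields against what the form offers; returns [cleanData, errors]. */
function validateEnquiry(array $post): array
{
    $errors = [];
    $clean  = [];

    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 60) {            // matches maxlength="60"
        $errors[] = 'Name is required (max 60 characters).';
    }
    $clean['name'] = $name;

    // Country: allow-list the exact values the <select> offers instead of blacklisting bad ones.
    $country = (string)($post['country'] ?? '');
    if (!in_array($country, ['United Kingdom', 'Other'], true)) {
        $errors[] = 'Country must be one of the offered options.';
    }
    $clean['country'] = $country;

    $telephone = trim((string)($post['telephone'] ?? ''));
    if (!preg_match('/^\+?[0-9 ()-]{6,30}$/', $telephone)) {
        $errors[] = 'Telephone may contain digits, spaces, +, (, ) and - only.';
    }
    $clean['telephone'] = $telephone;

    // FILTER_VALIDATE_EMAIL rejects line breaks, which also blocks Reply-To header injection.
    $email = trim((string)($post['email'] ?? ''));
    if (strlen($email) > 100 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'E-mail address is not valid.';
    }
    $clean['email'] = $email;

    $comments = trim((string)($post['comments'] ?? ''));
    if ($comments === '' || strlen($comments) > 2000) {
        $errors[] = 'Enquiry text is required (max 2000 characters).';
    }
    $clean['comments'] = $comments;

    return [$clean, $errors];
}

/** Insert one validated enquiry with a prepared statement; returns the new row id. */
function insertEnquiry(PDO $db, array $clean): int
{
    $sql = 'INSERT INTO enquiries (name, country, telephone, email, comments, created_at)
            VALUES (:name, :country, :telephone, :email, :comments, NOW())';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':name'      => $clean['name'],
        ':country'   => $clean['country'],
        ':telephone' => $clean['telephone'],
        ':email'     => $clean['email'],
        ':comments'  => $clean['comments'],
    ]);
    return (int)$db->lastInsertId();
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['submit'])) {
    exit('<p>This page should not be accessed directly.</p>');
}

[$clean, $errors] = validateEnquiry($_POST);
if ($errors !== []) {
    // Values are stored raw and escaped only at the point of HTML output.
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    exit;
}

// Credentials live in a file the web server never serves; path is a placeholder.
require __DIR__ . '/../config.php';
$db = new PDO(DB_DSN, DB_USER, DB_PASS, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

insertEnquiry($db, $clean);
header('Location: thankyou.php');
exit;
```

The blacklist regexes in the posted script can still be kept in front of this as a spam filter, but they are not what protects the database: the prepared statement does that, and the allow-list checks make sure only values the form can actually produce reach it.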
 
No problem :)

And have added Sic, marc2003 and RobH to the credits page :)

I feel bad - I didn't exactly do anything, aside from suggest it! thanks for the mention though :)

goldilocks put us in the wrong place - can you delete her and I'll add us properly please? :p
 