<form action="process1.php" method="post" name="data" id="data">
<table width="383" border="0" cellpadding="5" cellspacing="5">
<caption align="top"><strong>About you</strong></caption>
<tr><td width="163">Your name</td><td width="185"><input name="yname"/></td></tr>
<tr><td>Your email</td><td><input name="ymail" /></td></tr>
<tr><td>Your phone</td><td><input name="yphone" /></td></tr>
</table>
<table border="0" cellspacing="5" cellpadding="5">
<caption align="top"><strong>About the recipient</strong></caption>
<tr><td width="162">Company name</td><td><input name="cpname"/></td></tr>
<tr><td>Contact name</td><td><input name="ctname" length="25" /></td></tr>
<tr><td>Contact phone</td><td><input name="ctphone" /></td></tr>
<tr><td>Email</td><td><input name="email" /></td></tr>
</table>
<table border="0" cellspacing="5" cellpadding="5">
<caption align="top"><strong>About the message</strong></caption>
<tr><td>Type of message</td><td><p><label><input type="radio" name="RadioGroup1" value="1" id="RadioGroup1_0" />
Few Appts</label><br /><label><input type="radio" name="RadioGroup1" value="2" id="RadioGroup1_1" />
Company Recruitment</label><br /></p></td></tr>
</table>
<table border="0" cellspacing="5" cellpadding="5">
<caption align="top"><strong>About the session</strong></caption>
<tr><td>Session to promote</td><td><input name="session" /></td></tr>
<tr><td>Date of session</td><td><input name="date" id="date"><a href="javascript:NewCal('date','ddmmyyyy')"><img src="calendar/cal.gif" width="16" height="16" border="0" alt="Pick a date"></a></td></tr>
<tr><td><p>Any general notes <br /><span class="style3"><em>not for message</em></span><em></em></p></td><td><textarea name="comments" cols="25" rows="5" id="comments"></textarea></td></tr>
<tr><td><input type="reset" value="reset" /></td><td><input type="submit" value="send!" /></td></tr>
</table>
</form>
fairly straightforward.
The php looks like this:
PHP Code:
<?php
//details sent from form
$yname=$_POST['yname'];
$ymail=$_POST['ymail'];
$yphone=$_POST['yphone'];
$cpname=$_POST['cpname'];
$ctname=$_POST['ctname'];
$ctphone=$_POST['ctphone'];
$email=$_POST['email'];
$type=$_POST['RadioGroup1'];
$session=$_POST['session'];
$date=$_POST['date'];
$notes=$_POST['notes'];
$to = $email;
$subject = "12 seconds";
//get file according to radio selection
$myFile = "header".$type.".txt";
$fh = fopen($myFile, 'r');
$theData = fread($fh, filesize($myFile));
fclose($fh);
error_reporting(E_ALL);
/*login to mysql*/
require_once 'mysql_login.php';
mysql_select_db("mktg",$cid);
/*create query*/
$sql = "INSERT INTO `data` (`date`, `yname`, `ymail`, `cpname`, `ctname`, `email`, `ctphone`, `msg_type`, `session`, `session_date`, `notes`) VALUES(NOW(),'$yname','$ymail','$cpname','$ctname','$email','$ctphone','$type','$session','$date','$notes')";
$result=mysql_query($sql, $cid) or die(mysql_error());
if (!mysql_query($sql, $cid)) {
echo 'Entered on database';
} else {
echo 'Please contact the help desk!';
}
?>
including your changes.
three issues come up:
first, my mistake - there are blank fields being added to the database. It does not include the info from the form, although the datetime column is being filled in by php
second, i'm struggling to get mysql to show what the error is
third, why does it enter two lines into mysql?
1 - have you checked the values are being correctly received by the processing script? What is the result of the following code placed at the top of process1.php?
PHP Code:
echo '<pre>'; print_r($_POST); echo '</pre>';
2. It isn't showing you an error because there is no error to show. If the data is getting inserted the query is working.
3. Because you are calling the mysql_query() function twice. Replace
When debugging SQL, echo the queries to the page (or log or mail them to yourself). Comment out the bit where you run them and copy them into a CLI (command line interface) like putty.exe. You'll see what is going to get run before running it, so you can carefully look through it to see any potentially dangerous errors. You get the error direct from the SQL server as well, which might be less cryptic than the one from the PHP function.
Renaming POST variables for no reason serves no purpose. It just means you don't know where the values came from and may not realize later in a script that the variable contains user inputted values and forget to sanitize correctly. Your statement is currently wide open to SQL injection.
Any information that comes from anywhere but your scripts (POST, GET, opened URLs etc.) needs to be sanitized and validated. Even radio buttons and checkboxes. Any and all, or you're vulnerable to attack.
Anti Linux rants are usually the result of a lack of Linux experience, while anti Windows rants are usually a result of a lot of Windows experience.
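The points raised in the replies above (the injectable INSERT, the query being run twice, and the unvalidated radio value that also selects the header file), shown as an added example that is not code from the thread. It uses PDO prepared statements in place of the `mysql_*` functions; the function names, the `HEADER_FILES` allow-list, the `dd-mm-yyyy` date format and the in-memory SQLite demo table are assumptions.

```php
<?php
// Added example, not the thread's code: allow-list the radio value, validate
// the email and date, then run ONE parameterized INSERT through PDO.
declare(strict_types=1);
// Only these radio values may select a header file.
const HEADER_FILES = ['1' => 'header1.txt', '2' => 'header2.txt'];

function validate_submission(array $post): array
{
    $type = $post['RadioGroup1'] ?? null;
    if (!is_string($type) || !array_key_exists($type, HEADER_FILES)) {
        throw new InvalidArgumentException('unknown message type');
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $raw   = is_string($post['date'] ?? null) ? $post['date'] : '';
    // Assumed calendar output: dd-mm-yyyy. The round trip rejects 31-02-2025.
    $date  = DateTime::createFromFormat('!d-m-Y', $raw);
    if ($email === false || !$date || $date->format('d-m-Y') !== $raw) {
        throw new InvalidArgumentException('invalid email or session date');
    }
    $row = ['date' => date('Y-m-d H:i:s'), 'msg_type' => $type,
            'email' => $email, 'session_date' => $date->format('Y-m-d')];
    foreach (['yname', 'ymail', 'cpname', 'ctname', 'ctphone', 'session', 'notes'] as $col) {
        $field = $col === 'notes' ? 'comments' : $col; // the form names the textarea "comments"
        $row[$col] = is_string($post[$field] ?? null) ? trim($post[$field]) : '';
    }
    return $row;
}

function save_submission(PDO $db, array $post): int
{
    $stmt = $db->prepare(
        'INSERT INTO data (date, yname, ymail, cpname, ctname, email, ctphone,
                           msg_type, session, session_date, notes)
         VALUES (:date, :yname, :ymail, :cpname, :ctname, :email, :ctphone,
                 :msg_type, :session, :session_date, :notes)'
    );
    $stmt->execute(validate_submission($post)); // executed exactly once
    return $stmt->rowCount();
}

// Constructed demo: in-memory SQLite stands in for the MySQL "mktg" database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE data (date, yname, ymail, cpname, ctname, email,
           ctphone, msg_type, session, session_date, notes)');
$post = ['yname' => "Pat O'Brien", 'email' => 'contact@example.com',
         'RadioGroup1' => '2', 'date' => '14-03-2025', 'comments' => "it's fine"];
echo save_submission($db, $post), " row inserted\n";
echo $db->query('SELECT yname FROM data')->fetchColumn(), "\n";
```

The apostrophes in the constructed input are stored as data because the values never become part of the SQL text, and a `RadioGroup1` value outside the allow-list is rejected before it can reach a file name or the database.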