Trying to send php form to Email, Database and post to a page

Hi, so I’m trying to create a camp registration form. This code is just for a test form until I can get it right. I have it to where it will send to the database and send to email, but now I am trying to get it to post the information on the confirmation page so the person registering can print it out for themselves. I found some code and tried piecing it in there, but it now just goes to a blank screen instead of the confirmation message that I have there. The confirmation message was showing up fine until I tried piecing in the code to echo the data.

Anyone know what I need to do? Also, are there security issues with the code I’m using?

Thanks!

<html>
<head>
<title>Registration complete</title>
</head>

<body>
<?php
$con=mysqli_connect("localhost","username","password","database");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$sql="INSERT INTO camp_registration (first_name, last_name, sex, state)
VALUES
('$_POST[first_name]','$_POST[last_name]','$_POST[sex]','$_POST[state]')";

if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "Your registration form has been submitted. Please click the Paypal button below to pay your camp fees.";

mysqli_close($con);

//Pieced in code for echoing entered data back onto page

if(array_key_exists("Submit", $_POST)){

    // loop through post data for form
    foreach($_POST as $key => $value){
        
        if(is_array($value)){
            
            foreach($value as $key2 => $value2){
                
                echo $key." = ".$value2."<br/>";
            }
            
        } else {
            
            echo $key." = ".$value."<br/>";
        }
    }          

     echo "<i>Submitted!</i>";

} else {





// Build the email (replace the address in the $to section with your own)

  $first_name = $_POST['first_name'];
  $email = $_POST['email'];
  $message = $_POST['message'];
  $last_name = $_POST['last_name'];
  $sex = $_POST['sex'];
  $state = $_POST['state'];

    $email_from = 'my@email.com';
 
    $email_subject = "New Camp Registration for $first_name $last_name";
 
    $email_body = "You have received a new camp registration from the user $first_name.\n".
                            "\n First Name: $first_name \n Last Name: $last_name \n Sex: $sex \n State: $state \n".

// Send the mail using PHPs mail() function

 
  $to = "hallartistry@higherfocusart.com";
 
  $headers = "From: $email_from \r\n";
 
  $headers .= "Reply-To: $email \r\n";
 
  mail($to,$email_subject,$email_body,$headers);
 


function IsInjected($str)
{
    $injections = array('(\n+)',
           '(\r+)',
           '(\t+)',
           '(%0A+)',
           '(%0D+)',
           '(%08+)',
           '(%09+)'
           );
                
    $inject = join('|', $injections);
    $inject = "/$inject/i";
     
    if(preg_match($inject,$str))
    {
      return true;
    }
    else
    {
      return false;
    }
}
 
if(IsInjected($email))
{
    echo "Bad email value!";
    exit;
}

 
?> 
</body>
</html>
  1. You are using user input (the form values in the $_POST array) in a query without sanitizing them, so yes, there is a risk of sql injection.

  2. If your foreach loop doesn’t output anything, you might want to check if you ever enter that loop. Are you sure you have a ‘Submit’ in your $_POST array? Do a var_dump($_POST); to check its contents.

Thank you. I have worked around PHP for quite some time, but haven’t really dug into it until now, so I am pretty new at this. I thought that I had some sanitizing code in there, but maybe that is only for the sending to email part? Does each section need its own sanitize code or just the sql part?

  1. I played around with the code last night and got it to somewhat work by taking out the very first line and the else at the end:
    // loop through post data for form
    foreach($_POST as $key => $value){
        
        if(is_array($value)){
            
            foreach($value as $key2 => $value2){
                
                echo $key." = ".$value2."<br/>";
            }
            
        } else {
            
            echo $key." = ".$value."<br/>";
        }
    }          

     echo "<i>Submitted!</i>";

}

That showed me the data when I submitted, but pulled up more than I wanted (BodyTag, fa, submit) and shows Last Name as last_name, etc…:

  first_name = Melissa
last_name = Hall
email = email@email.com
sex = female
state = idaho
BodyTag =
fa = sendmail
submit = Submit
Submitted!Your registration form has been submitted. Please click the Paypal button below to pay your camp fees.  

So I’m wondering, would it be better to use some coding where I actually have to echo each thing separately instead of trying to get it to do the whole thing at once without me having to enter all of the form fields (there are going to be quite a few fields)? Or is there a way to make this work and make it look nicer?

Thanks again!

Okay, I got it to work. Instead of what I had before as far as the echo, I found this and of course it is pretty simple :wink: I think this will give me more control over the way it looks when it outputs on the page anyway:

echo 'First Name: ' . htmlspecialchars($_POST["first_name"]) . ' ';

echo '<br>Last Name: ' . htmlspecialchars($_POST["last_name"]) . '';

This is fine, right? It works, but I want to make sure this is the right way to go about it.

Thanks!

That looks fine.

About the sql injection problem, please do a search in this forum (or google) on sql injection, mysqli and bound parameters, and you’ll find a lot of interesting stuff to read :wink:
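
The bound-parameter approach pointed to in the last reply, together with the per-field escaped output settled on above, as an added example that is not code from anyone in this thread. The column names come from the posted INSERT statement; the labels, function names and sample submission are assumptions.

```php
<?php
// Added example (not the poster's code). Field names follow the form in the
// thread; the labels, function names and sample data are assumptions.
const FIELDS = ['first_name' => 'First Name', 'last_name' => 'Last Name',
                'sex' => 'Sex', 'state' => 'State'];

// Keep only the expected fields as trimmed strings (drops submit, fa, BodyTag).
function pick_fields(array $post): array {
    $clean = [];
    foreach (FIELDS as $name => $label) {
        $value = $post[$name] ?? '';
        $clean[$name] = is_string($value) ? trim($value) : '';
    }
    return $clean;
}

// SQL sink: values are sent as bound parameters, never spliced into the query.
function save_registration(mysqli $con, array $r): bool {
    $stmt = $con->prepare('INSERT INTO camp_registration
        (first_name, last_name, sex, state) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssss', $r['first_name'], $r['last_name'], $r['sex'], $r['state']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// HTML sink: escape every value when it is written into the page.
function confirmation_html(array $r): string {
    $out = '';
    foreach (FIELDS as $name => $label) {
        $out .= $label . ': ' . htmlspecialchars($r[$name], ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
    return $out;
}

// Mail-header sink: only a syntactically valid address without CR/LF is used.
function reply_to_header(string $email): ?string {
    if (preg_match('/[\r\n]/', $email) || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return null;
    }
    return "Reply-To: $email\r\n";
}

// Constructed submission standing in for $_POST.
$post = ['first_name' => 'Ada', 'last_name' => '<b>Example</b>', 'sex' => 'female',
         'state' => 'idaho', 'email' => "ada@example.com\r\nX-Extra: 1", 'submit' => 'Submit'];
$r = pick_fields($post);
echo confirmation_html($r);                 // escaped, labelled, expected fields only
var_dump(reply_to_header($post['email']));  // address is checked before it reaches mail()
```

save_registration() expects the mysqli connection opened at the top of the original script; it is not called here so the sample runs without a database.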