Use AJAX and PHP to Build your Mailing List

I’ve written a quick page with (very basic) security, that lists all of your current subscribers.

It was worth doing to save logging into phpMyAdmin each time I wanted to check this!

I’m a PHP/MySQL novice, so I’m interested to hear your constructive criticism on this :slight_smile:


<?php
/*
Author: 3stripe
URL: www.3stripe.net
An addition to the code for the article "Use Ajax and PHP to Build Your Mailing List"
by Aarron Walter (aarron@aarronwalter.com), which will list subscribers to your mailing list, and has some basic password protection to keep this data from prying eyes
http://www.sitepoint.com/article/use-ajax-php-build-mailing-list
*/
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head>
    <title>Who has signed up?</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  </head>
  <body>

<?php
// Define your username and password
$username = "insertyourusernamehere";
$password = "insertyourpasswordhere";
// Show the login form unless both fields were posted and both match exactly
// (isset() avoids undefined-index notices on the first, unauthenticated request)
if (!isset($_POST['txtUsername'], $_POST['txtPassword'])
    || $_POST['txtUsername'] !== $username
    || $_POST['txtPassword'] !== $password) {
?>

<!-- Login form -->
<form name="form" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
    <p><label for="txtUsername">Username:</label>
    <input type="text" id="txtUsername" title="Enter your Username" name="txtUsername" /></p>
    <p><label for="txtPassword">Password:</label>
    <input type="password" id="txtPassword" title="Enter your password" name="txtPassword" /></p>
    <p><input type="submit" name="Submit" value="Login" /></p>
</form>
<!-- Login form ends -->

<?php
}
else {
?>

<!-- Protected content -->
<p>Current subscribers:</p>
<?php
require_once("inc/dbConstants.php");
// Connect to database
$con = mysql_connect(DBHOST, DBUSER, DBPASS);
if (!$con) die("<h1>Could not connect :(</h1>");
mysql_select_db(DBNAME, $con) or die("<h1>Could not select database :(</h1>");
// Query mailinglist table
$result = mysql_query("SELECT * FROM mailinglist");
if (!$result) die("<h1>Query Failed :(</h1>");
echo "<ol>";

// Escape each address on output so stored data cannot inject markup into this page
while ($row = mysql_fetch_row($result)) {
	echo "<li>" . htmlspecialchars($row[1]) . "</li>";
}

echo "</ol>";

?>

<!-- Protected content ends -->
<?php
}
?>

  </body>
</html>

Very nice. Thank you very much for this. I have only one question though: When the address is stored, is it possible to clear the text field?

Thx in advance.

Cheers.

Beautifully written tutorial, thank you for showing the in leads into AJAX. Although I think an error for duplicate addresses would be a useful addition to the script. My next step I think will be to come up with an unsubscribe system.

Great. Now, is there an easy way to integrate a confirmation e-mail?

Does anyone have a method for allowing people to unsubscribe and to check for duplicates?

Thanks in advance.

SonomaTek, use this service in conjunction with this script: verticalresponse.com.

This is a great script.

Is it easy to prevent SQL injection attacks or is there no need? I don’t know anything about Ajax but i want to learn.

I think checking for duplicate email addresses shouldn’t be too difficult… just got to check the database before the insert and if the email address exists display an error message.

Is there any need to protect against SQL injection attacks? I have been doing some reading about security and wondered if a malicious user could gain access to my database.

Best way to protect yourself against SQL Injection is to use Stored Procedures.

I have been looking at MySQL injection attacks and found a function on w3schools.

Would this be good for preventing SQL injection attacks with this form?

<?php
function check_input($value)
{
  // Undo magic_quotes escaping first so the value is not escaped twice
  if (get_magic_quotes_gpc())
    {
    $value = stripslashes($value);
    }
  // Quote (and escape) anything that is not a number
  if (!is_numeric($value))
    {
    $value = "'" . mysql_real_escape_string($value) . "'";
    }
  return $value;
}

// mysql_real_escape_string() needs an open connection, so connect before calling check_input()
$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// Make a safe SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";
mysql_query($sql);
mysql_close($con);
?>

SUPERB EXAMPLE THANKS A TON

How about this

PHP Code:

$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
$sql = "SELECT * FROM user WHERE username='$user' AND password='$pass'";

// Or use the quoteSmart() method from PEAR::DB
$user = $db->quoteSmart($_POST['user']);
$pass = $db->quoteSmart($_POST['pass']);
$sql = "SELECT * FROM user WHERE username=$user AND password=$pass";

/* Note that the quoteSmart() method automatically
adds quotes around the value when it is needed,
so you do not need to put them directly into your
query. */

Well, I am just sharing my thoughts regarding this matter. Bye for now, I am going to fix first a Honda axle assembly for my car for the next race. I’ll visit this site daily and bookmark it.
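For comparison with the escaping approaches in the posts above, here is the article's subscribe INSERT written with PDO prepared statements, which also answers the duplicate-address question raised earlier in the thread. This is an added example, not code from the article or from any poster; it assumes a `mailinglist` table with a UNIQUE `email` column (the column name is an assumption, the listing script above only reads it as `$row[1]`), the DBHOST/DBUSER/DBPASS/DBNAME constants from inc/dbConstants.php, and that the Ajax request posts the address as `address`.

```php
<?php
// Added example, not the article's or any poster's code. Assumes the table
//   CREATE TABLE mailinglist (id INT AUTO_INCREMENT PRIMARY KEY,
//                             email VARCHAR(254) NOT NULL UNIQUE);
// and the DBHOST/DBUSER/DBPASS/DBNAME constants from inc/dbConstants.php.
require_once 'inc/dbConstants.php';

function connect(): PDO
{
    $dsn = 'mysql:host=' . DBHOST . ';dbname=' . DBNAME . ';charset=utf8mb4';
    return new PDO($dsn, DBUSER, DBPASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, no client-side quoting
    ]);
}

// Returns 'added', 'duplicate' or 'invalid'. filter_var() accepts '+' in the
// local part, which a hand-written address regex easily forgets.
function subscribe(PDO $db, string $email): string
{
    $email = trim($email);
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid';
    }
    // The bound value travels separately from the SQL text, so quotes or
    // comment sequences inside $email are data, never syntax.
    $check = $db->prepare('SELECT 1 FROM mailinglist WHERE email = :email');
    $check->execute([':email' => $email]);
    if ($check->fetchColumn() !== false) {
        return 'duplicate';
    }
    $insert = $db->prepare('INSERT INTO mailinglist (email) VALUES (:email)');
    try {
        $insert->execute([':email' => $email]);
    } catch (PDOException $e) {
        if (($e->errorInfo[1] ?? null) === 1062) { // MySQL ER_DUP_ENTRY: lost the race
            return 'duplicate';
        }
        throw $e;
    }
    return 'added';
}

// Handler for the Ajax request; the status string is escaped before it goes back to the page.
$status = subscribe(connect(), (string) ($_POST['address'] ?? ''));
echo htmlspecialchars($status, ENT_QUOTES, 'UTF-8');
```

The pre-insert SELECT gives the friendly "duplicate" message; the UNIQUE index and the 1062 handler cover two requests racing for the same address.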

‘+’ is a valid character for e-mail addresses.
Please, fix your code.

Spectacular. It works great. Thanks!!

HI there,

Well, is 'address=' + escape($F('address')) the variable $address in PHP?

Greetings from Germany

Very nice, but could I not use a text link to submit the form? I’ve tried without success.

<a href="" onclick="document.forms[0].submit();">Submit</a>

Pasquala - it’s not a good idea to use text links to submit forms, as search engine spiders will trigger the form submission when crawling your site. Stick with form elements (button or input type="submit"), then use CSS to style it as you like.