Would this newsletter form be secure?

Hi Everyone,

I am trying to make a sign-up form for my website so I can send newsletters out. I have been testing it on WAMP and it works OK; however, I am worried that it will be open to hackers/security problems.

Also, how can I include my MySQL password and username from a different file (assuming this is necessary)? I tried making a connection.php and including it with <?php include ("connection.php") ?> but couldn't get it to work.

Any advice would be appreciated.

<?php
  if (isset($_POST['submit'])) {
    $email = $_POST['email'];

    if (empty($email)) {
      echo 'Please fill out all of the email information.<br />';
    }
  }

  if (!empty($email)) {
    $dbc = mysqli_connect('localhost', 'username', 'password', 'newsletter')
      or die('Error connecting to MySQL server.');

    $query = "INSERT INTO emails (email)  VALUES ('$email')";
    mysqli_query($dbc, $query)
      or die ('Data not inserted.');

    echo '<span class="echo-msg">Your email has been added.</span>';

    mysqli_close($dbc);
  }
?>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
  <input type="text" id="email" name="email" placeholder="Your email address here" />
  <input type="image" id="submit" src="images/submit_button.png" name="submit" />
</form>

That code would allow a spambot to add every imaginable email address and billions of garbage text strings to your database before having to compete for resources with the next spambot that tries to do the same thing.

Also the include statement doesn’t need to be wrapped in its own <?php ?> tag - just place it in the code above where you use those values inside the tag you already have.

Hi Felgall,

Thanks for the response. I just realised that any string can be added without actually needing to be an email, so I need to add a condition that checks for an @ symbol?

Also, I need some kind of verification like Captcha?

So I have the connection.php which contains…

<?php

function MyConnection()
{
    // The function has to hand the connection back, otherwise
    // "$dbc = MyConnection();" in the calling script gets nothing.
    // Assign first, then return: "return mysqli_connect(...) or die(...)"
    // would return the boolean result of the "or", not the connection.
    $dbc = mysqli_connect('localhost', 'username', 'password', 'newsletter')
        or die('Error connecting to MySQL server.');
    return $dbc;
}

?>

and then before the form I have…

<?php
  if (isset($_POST['submit'])) {
    $email = $_POST['email'];

    if (empty($email)) {
      echo 'Please fill out all of the email information.<br />';
    }
  }

  if (!empty($email)) {
    include ("connection.php");
    $dbc = MyConnection();
    $query = "INSERT INTO emails (email)  VALUES ('$email')";
    mysqli_query($dbc, $query)
      or die ('Data not inserted.');

    echo '<span class="echo-msg">Your email has been added.</span>';

    mysqli_close($dbc);
  }
?>

But it still doesn't work like this; I get this error: "Fatal error: Call to undefined function MyConnection() in E:\Program Files\wamp\www\index.php on line 81"

Any ideas?

Thanks,
Liz.

Since you are using PHP you can validate that it is an email address using the email validate filter - that way it can do proper email address validation instead of allowing a@b@c@d@e and other similar nonsense that contains an @. See http://au2.php.net/manual/en/filter.filters.validate.php

Are you sure that the MyConnection function is defined inside connection.php and that connection.php is in the same folder as the script you are including it in?
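As an added example (not code from Liz, Felgall or the thread), here is the difference between the "contains an @" check Liz proposed and the FILTER_VALIDATE_EMAIL filter Felgall points to, run over a few constructed inputs including the a@b@c@d@e case. The multi-@ string and the half-addresses are rejected by the filter, whereas an address such as o'brien@example.com is accepted, because an apostrophe is legal in the local part; that is worth knowing before the address is dropped into a quoted SQL string. The trim and 254-character cap are assumptions added here, not part of the filter.

```php
<?php
// Added example (not code from the thread): the "contains an @" check
// Liz suggested, beside PHP's FILTER_VALIDATE_EMAIL.

function looksLikeEmailNaive(string $input): bool
{
    // Any string containing '@' passes, including a@b@c@d@e.
    return strpos($input, '@') !== false;
}

function validateSubscriberEmail(string $input): ?string
{
    // Trim whitespace a user may have pasted, then cap the length so
    // oversized junk never reaches the validator or the database
    // (254 characters is the practical maximum for an address; the
    // cap itself is an assumption of this example).
    $email = trim($input);
    if ($email === '' || strlen($email) > 254) {
        return null;
    }

    // filter_var() returns the address on success and false otherwise.
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed sample inputs, including the multi-@ string from the thread.
$samples = [
    'liz@example.com',
    '  liz@example.com  ',
    'a@b@c@d@e',
    'not an email',
    '@example.com',
    'liz@',
    "o'brien@example.com",                 // valid, yet contains a quote
    str_repeat('x', 250) . '@example.com', // over the length cap
];

foreach ($samples as $sample) {
    $shown = strlen($sample) > 30 ? substr($sample, 0, 27) . '...' : $sample;
    printf(
        "%-34s naive: %-3s  filter_var: %s\n",
        var_export($shown, true),
        looksLikeEmailNaive($sample) ? 'yes' : 'no',
        validateSubscriberEmail($sample) ?? 'rejected'
    );
}
```

Run it from the command line with `php validate.php` (the file name is arbitrary); the naive column says "yes" for every sample but "not an email", while the filter column only passes the three well-formed addresses.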

Ok, thanks. I added filter_verification_email and also got the external connection to work (yes, it was in the wrong folder :rolleyes:).

Just want to double check all looks ok.
Also how do I stop people from navigating to my connection.php to retrieve database password etc?

Thanks a lot for the help.

<?php
  if (isset($_POST['submit'])) {
    $email = $_POST['email'];

    if (empty($email)) {
      echo 'Please fill out all of the email information.<br />';
    }
  }

  if (!empty($email)) {
    if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
      include ("library/config/connection.php");
      $query = "INSERT INTO emails (email)  VALUES ('$email')";
      mysqli_query($dbc, $query)
        or die ('Data not inserted.');

      echo '<span class="echo-msg">Your email has been added.</span>';

      mysqli_close($dbc);
    } else {
      echo '<span class="echo-msg">Please enter a valid email address.</span>';
    }
  }
?>

In the connection file …

<?php

$dbc = mysqli_connect('localhost', 'username', 'password', 'newsletter')
    or die('Error connecting to MySQL server.');

?>

People won’t be able to read the password, as the PHP is executed before anything is output to the browser.
So if they try to open /library/config/connection.php, they’ll just see a blank page (or an error message if the connection couldn’t be made).
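The following is an added example, not code from the thread, covering Immerse's answer and Liz's "double check" version together. Immerse is right that a correctly configured server executes connection.php rather than sending it, but that holds only while PHP handling is in place for that path (a handler misconfiguration, a stray backup copy such as connection.php.bak, or a source-disclosure bug in another script would expose the credentials), so the usual practice is to keep the file outside the document root where no URL maps to it at all. The handler also replaces the interpolated INSERT with a prepared statement, since FILTER_VALIDATE_EMAIL accepts an address containing an apostrophe and that address would otherwise land inside the SQL string. The directory layout, the contents of connection.php shown in the comment, the UNIQUE index on emails.email and the set_charset call are all assumptions of this example.

```php
<?php
// Added example (not code from the thread). Hardened sign-up handler.
// Assumed layout, with the config file OUTSIDE the document root:
//   E:\Program Files\wamp\www\index.php                  <- this file
//   E:\Program Files\wamp\library\config\connection.php  <- no URL reaches it
//
// Assumed contents of connection.php (credentials are placeholders):
//   <?php
//   mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
//   try {
//       $dbc = mysqli_connect('localhost', 'username', 'password', 'newsletter');
//       $dbc->set_charset('utf8mb4');
//   } catch (mysqli_sql_exception $e) {
//       error_log('MySQL connection failed: ' . $e->getMessage()); // detail stays server-side
//       exit('Sorry, the newsletter sign-up is unavailable right now.');
//   }
//
// Assumed table: CREATE TABLE emails (email VARCHAR(254) NOT NULL UNIQUE)

declare(strict_types=1);

function validateSubscriberEmail(string $input): ?string
{
    $email = trim($input);
    if ($email === '' || strlen($email) > 254) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Inserts with a prepared statement: the address travels to MySQL as a bound
// parameter, so a quote or anything else inside it can never change the query.
// Returns 'added' or 'exists'; any other database error propagates as an exception.
function addSubscriber(mysqli $dbc, string $email): string
{
    $stmt = $dbc->prepare('INSERT INTO emails (email) VALUES (?)');
    $stmt->bind_param('s', $email);
    try {
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        if ((int) $e->getCode() === 1062) {   // ER_DUP_ENTRY from the UNIQUE index
            return 'exists';
        }
        throw $e;
    } finally {
        $stmt->close();
    }
    return 'added';
}

$message = '';
// Test the request method rather than isset($_POST['submit']): browsers
// submit an image button as submit_x/submit_y, not as a field named "submit".
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $raw = $_POST['email'] ?? '';
    $email = is_string($raw) ? validateSubscriberEmail($raw) : null;

    if ($email === null) {
        $message = 'Please enter a valid email address.';
    } else {
        require __DIR__ . '/../library/config/connection.php'; // defines $dbc
        $message = addSubscriber($dbc, $email) === 'added'
            ? 'Your email has been added.'
            : 'That address is already on the list.';
        mysqli_close($dbc);
    }
}
?>
<?php if ($message !== ''): ?>
  <!-- Escape anything echoed back into the page -->
  <span class="echo-msg"><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></span>
<?php endif; ?>
<!-- action="" posts back to the current URL without echoing $_SERVER['PHP_SELF'],
     which can carry attacker-supplied path text into the page. -->
<form action="" method="post">
  <input type="email" id="email" name="email" placeholder="Your email address here" />
  <input type="image" id="submit" src="images/submit_button.png" name="submit" />
</form>
```

Because connection.php sits beside www\ rather than inside it, a request for /library/config/connection.php is a plain 404 regardless of how PHP is configured, and the include path `__DIR__ . '/../library/config/connection.php'` still resolves from index.php. With MYSQLI_REPORT_STRICT switched on in the config file, failures surface as exceptions instead of silently returning false, which is why the duplicate-entry case can be caught by error number.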

Great. Thanks a lot, Immerse.