Help! Data from web form in to the database only works 80% of time.

cnice

Hi everyone, just wanted to first say that these forums have been of tremendous help to us. Now onto the problem.

Basically the problem is about 1 or 2 out of every 10 submissions won't work. The person will get some kind of wierd syntax error, and the email that is sent from the script has all blank fields. I don't know how this is possible since we use javascript to check that most of the fields aren't empty. We tried various versions of netscape and explorer and different operating systems, only one I am thinking might be a problem is OS X since we haven't tested that yet. But we can't replicate the error and it always works for us (isn't that always the case? 🙂).

All we're trying to do is collect the data from a form and store it into a mysql database, then with php we forward some of the information to a shopping cart checkout. We also send out an email with the data.

Here is a link to the webform:

http://www.thebark.com/us/resource_guide_form_paynow.php

Below is the actual phpscript.

<?php

// server credentials
$server = "localhost";
$user = "XXXXXX";
$password = "XXXXXX";
$database = "TheBark2003ResourceGuide";

// Connect to Server
mysql_connect($server, $user, $password) or die(mysql_error());

// Select Database
mysql_select_db($database) or die(mysql_error());

// If using POST
extract($_POST);

$string = "INSERT INTO advertisers (companyName, contactName, addressLine1, addr
essLine2, city, state, zip, country, phone, fax, email, website, description, ca
tegoryListing, topProducts, alpha, customerRep, date)"
."VALUES('".cleanup($companyName)."', '".cleanup($contactName)."', '".cleanup($a
ddressLine1)."', '".cleanup($addressLine2)."', '".cleanup($city)."', '".cleanup(
$state)."', '".cleanup($zip)."', '".cleanup($country)."', '".cleanup($phone)."',
 '".cleanup($fax)."', '".cleanup($email)."', '".cleanup($website)."', '".cleanup
($description)."', '".cleanup($categoryListing)."', '".cleanup($topProducts)."',
 '".cleanup($alpha)."', '".cleanup($customerRep)."', NOW())";


$query = mysql_query($string) or die(mysql_error());

// Send Email!
// the reciever
$to = 'XXXXXXX@thebark.com';

// the subject of the mail
$subject = "$companyName added to advertiser database";

// the message
$msg = "'$companyName', '$contactName', '$addressLine1',
'$addressLine2', '$city', '$state',
'$zip', '$country', '$phone',
'$fax', '$email', '$website',
'$description', '$categoryListing', '$topProducts', '$alpha', '$customerRep'";

// the email headers
$headers = "Content-Type: text/html\r\n";
$headers .= "From: [email]bark-resourceguide@thebark.com[/email]\r\n";

// send the email
mail($to,$subject,$msg,$headers);

function cleanup ($value="")
{
        $value = htmlspecialchars($value);
        return $value;
}

?>


<html>
<head>
<title>Heading to secure payment...</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<SCRIPT LANGUAGE="JavaScript"><!--
setTimeout('document.malsubmit.submit()',750); // 1000 = 1 sec
//--></SCRIPT>

</head>

<body bgcolor="#FFFFFF" text="#000000">
<font face="Verdana, Arial, Helvetica, sans-serif">Heading to secure
payment...
</font>
<FORM METHOD="POST" ACTION="http://ww6.aitsafe.com/cf/pay.cfm" name="malsubmit">
<INPUT TYPE="HIDDEN" NAME="userid" VALUE="XXXXXX">
<INPUT TYPE="HIDDEN" NAME="product1" VALUE="The Bark 2003 Resource Guide Adverti
sement ">
<INPUT TYPE="HIDDEN" NAME="price1" VALUE="150.00">
<INPUT TYPE="HIDDEN" NAME="qty1" VALUE="1">


<INPUT TYPE="HIDDEN" NAME="inv_name" VALUE="<?php echo $HTTP_POST_VARS['contactN
ame']; ?>">
<INPUT TYPE="HIDDEN" NAME="inv_company" VALUE="<?php echo $HTTP_POST_VARS['compa
nyName'];
?>">
<INPUT TYPE="HIDDEN" NAME="inv_addr1" VALUE="<?php echo $HTTP_POST_VARS['address
Line1'];
?>">
<INPUT TYPE="HIDDEN" NAME="inv_addr2" VALUE="<?php echo $HTTP_POST_VARS['city'];
 ?>">
<INPUT TYPE="HIDDEN" NAME="inv_state" VALUE="<?php echo $HTTP_POST_VARS['state']
; ?>">
<INPUT TYPE="HIDDEN" NAME="inv_zip" VALUE="<?php echo $HTTP_POST_VARS['zip']; ?>
">
<INPUT TYPE="HIDDEN" NAME="email" VALUE="<?php echo $HTTP_POST_VARS['email']; ?>
">
<INPUT TYPE="HIDDEN" NAME="tel" VALUE="<?php echo $HTTP_POST_VARS['phone']; ?>">
<INPUT TYPE="HIDDEN" NAME="inv_country" VALUE="<?php echo $HTTP_POST_VARS['count
ry']; ?>">
<INPUT TYPE="HIDDEN" NAME="fax" VALUE="<?php echo $HTTP_POST_VARS['fax']; ?>">



</FORM>

</body>
</html>

My employer is getting increasingly unhappy and is ready to scrap the whole system soon if we can't get it work. Also here is a copy of the field definition list:

companyName varchar(30) No

contactName varchar(30) Yes NULL

addressLine1 varchar(45) Yes NULL

addressLine2 varchar(45) Yes NULL

city varchar(30) Yes NULL

state varchar(30) Yes NULL

zip varchar(10) Yes NULL

country varchar(30) Yes NULL

phone varchar(30) Yes NULL

fax varchar(30) Yes NULL

email varchar(45) No

website varchar(45) Yes NULL

description varchar(250) Yes NULL

categoryListing varchar(45) Yes NULL

topProducts varchar(30) Yes NULL

alpha varchar(5) Yes NULL

customerRep varchar(30) Yes NULL

date varchar(30) Yes NULL

id tinyint(4) No 0 auto_increment

Any help will be greatly appreciated! Also is there anyway to record the person's browser and operating system and save that to a log or something?

Christian

leatherback

Hi,

Is there any checkup routine somewhere which will check that no quote & double quotes are in the data submitted? This will mess-up your insert query!

drawmack

<?php
$string = "INSERT INTO advertisers (companyName, contactName, addressLine1, addr
essLine2, city, state, zip, country, phone, fax, email, website, description, ca
tegoryListing, topProducts, alpha, customerRep, date)"
."VALUES('".cleanup($companyName)."', '".cleanup($contactName)."', '".cleanup($a
ddressLine1)."', '".cleanup($addressLine2)."', '".cleanup($city)."', '".cleanup(
$state)."', '".cleanup($zip)."', '".cleanup($country)."', '".cleanup($phone)."',
 '".cleanup($fax)."', '".cleanup($email)."', '".cleanup($website)."', '".cleanup
($description)."', '".cleanup($categoryListing)."', '".cleanup($topProducts)."',
 '".cleanup($alpha)."', '".cleanup($customerRep)."', NOW())";

this shouldn't work at all, date is a reserved word in mysql. Change the field name to something like order_date and see if that clears it up.

cnice

Thanks for the reponses guys. I changed the date field to order_date and am still trying to figure out a way to remove the double and single quotes. I think str_replace() would work but not sure exactly how to implement it easily.

drawmack

or http://www.php.net/addslashes

cnice

Alrighty, I added the addslashes function in. Seems to be working good, I'll keep my fingers crossed over the next week and hopefully we won't have any wierd blank entries or wierd errors. Thanks so much for your help guys. 😃 😃

drawmack

remember that is you use addslashes on a databaser write you have to use stripslashes on a database read.