need help with this code

buzzby

i have uploaded some code for you to look at. its a php form that passes the answers to a database and then autoresponds the user. or thats what it is supposed to do. can you take a look at it and tell me where i went wrong please.

here is the code
its a text file

here is the sql code
sql code in a text file

bubblenut

A bit difficult to answer really, seeing as you haven't bothered to actually tell us what the roblem is :rolleyes: but I can spot a few bits of bad coding which may be causing you trouble.

You're not validating the values which a re going tinto the database in any way shape or form (javascript validation doesn't count because it can be switched off, or the data can be sent from another source). This is very dangerous and should be changed eimediately. You should also be escaping each of the variables with [man]addslashes()[/man] or [man]mysql_escape_string()[/man]

HTH
Bubble

buzzby

sorry for the SHOGUNing. hadnt realised that i had done that. wont happen again.

anyway the problem is that once the form is completed what should happen is that a thank you message should come up saying 'thank you (name) for filling in this form. then the values that have been passed would be stored in the database. the second url (the viewgsdb.php) should be able to actually allow you to view what has been put into the database. all it shows is just the titles of the columns.

here is an example of how it should work

http://www.dcobbinah.co.uk/datadatabasebase/input.php

this is the online form that is linked to a database. It sends back a confirmation that you filled in the form. plus an email confirmation saying the same thing so you have more proof that you filled in the form

http://www.dcobbinah.co.uk/datadatabasebase/viewdb.php

this is the database on the net. You can see what you have inputted.

this is whati am trying to do with the 2 files that i uploaded.

once again sorry for the shotgunning. i hadnt realised i had done that until you alerted me to it

bubblenut

Have you put validation and escaping in there? That may well be all that the problem is.

I just checked out the link and it seems to work OK, I got a successfully message and my data was inserted into the database (sort of). You really do need validation in there though, I entered 1000000000 for my salary (honest, it's true 😉) but it says 2147483647 on the display page (so I know it's a signed integer) also I can put a negative salary in which, unless you're very silly, isn't possible. I notice you've put some kind of add slashes in there but it's not really enough, if I turn off javascript I can enter a completely empty form with no complaint.

HTH
Bubble

buzzby

the form that you were able to fill out is very very very ruff. it was an exercise to show that i can pull out information that was filled in in a form. but the actual form itself doesnt seem to work whatsoever. thats what i am having big trouble with. this url below

http://www.dcobbinah.co.uk/bd/php/getstartedform.php

is what i am having trouble with. there is no autoresponder and you cannot see what you have entered in the database. this is what i need help with

bubblenut

Try changing the name of the submit form field to "submit" instead of "Submit", if that does not work place a

print_r($_POST);

just before the line

if ($_POST['submit'])

HTH
Bubble

PS. But please, please don't forget my comments about validation. It is a serious problem with your form and it is impereative that it is fixed.

buzzby

i filled out the green form and still nothing. no successfully message there at all. it is this particular (green) form that i want the successfully message shown. on the little 4/5 field form it works. but this long form seems to have some sort of difficulty. i know about the validation you are talking about but i want to get thie form working then i can do the validation. the form isnt live at all. its not even going on the dcobbinah site. i am just testing to get it to work. please bear with me. the print_r thing didnt work at all. i fail to see why the small form worked but this big form isnt working

bubblenut

If print_r($_POST) didn't display anything then nothing got passed to the page via post. Take out the javascript redirect from the body onload otherwise you're just not going to get a chance to see the debuging output.

I've just gone back for another test and I'm pretty sure it's the case issue with your submit button, have you tried that yet? :rolleyes:

buzzby

i am struggling to find out how to go about validating and escaping my form. its rather long and i am lost already. you are saying that this is not the best form of validation. can i use a perl script to validate the form then redirect back to getstartedfor.pmp for the autoresponder?

bubblenut

Buzzby, you're starting to anoy me. Now, read my previous post. Have you changed the name of your submit form element so that the first letter is nolonger capitalized yet?

buzzby

i have just removed the javascript as you said and it works. so that means the javascript was interfearing with my php. i have also removed the print_r parameter. it works fine. now i gotta sort out the retrieving info in my viewdb file. and then i am going to look at the validation.

sorry i aint got back to you. pls be patient with me. i am not taking the piss or trying to string you along. i am a novice and am learning all the time.

thank you so very much for your time and knowledge

buzzby

well thanks to you B. i can now view my data that i have entered on the form. thank you for your patience with me. i am now going to look at validation and escaping. well actually i have looked at the escaping and i really dont understand it much. all the php coding is at the very start of the form and nowhere in the html body of the form so i am not sure how to use it. as for validation, can i use an external script for it?

bubblenut

No need, it's really very simple when you know how. Here's a couple of examples using your original source as a framework.

//extract($_REQUEST);
if ($_POST['submit'])
{
$user='someuser';
$host='localhost';
$password='somepassword';
$database="somedatabasename";
$connection=mysql_connect($host,$user,$password) or die ("could not connect to server");
$db=mysql_select_db($database,$connection);
//Before you insert into the database just check all the fields have 
//been filled in properly (if at all)

//First we initialize our error message variable ($err) to an empty array 
//so that we can test to see if there are any errors later
$err=array();

//Now we can go through the variables one by one checking if they are OK
//This part can be compacted but I want to keep things simple
//Let's say the name must not be empty and can only contain letters and whitespace
if(!isset($_POST['name']) || $_POST['name']=='') {
	$err[]='You must provide a name';
} elseif(!preg_match('/^[a-zA-Z\s]+$/',$_POST['name'])) { 
	//This is a regular expression saying it must contain only letters and whitespace (\s)
	$err[]='The name field must consist of letters and whitespace only';
}
//Let's also say the email is compulsory and must be of the correct form
if(!isset($_POST['email']) || $_POST['email']=='') {
	$err[]='You must provide and email';
} elseif(!preg_match('/^.*?@.*\..{2,3}$/',$_POST['email'])) {
	//A very loose email regex, a little searching on this forum will
	//bring up many many more specific ones.
	$err[]='The email field does not appear to be in the correct format';
}

//Now, if you notice the first condition of each of those blocks is 
//essentially the same
//if(!isset($_POST['field_name']) || $_POST['field_name']) {
//	$err[]='You must provide a field_name';
//see?, This can therefore be grouped together into a loop.
$required_fields=array('name','email','contact_address','mobile','workhome_tel');
for($i=0;$i<count($required_fields);$i++) {
	if(!isset($_POST[$required_fields[$i]]) || $_POST[$required_fields[$i]]=='') {
		$err[]='You must provide a '.$_POST[$required_fields[$i]];
	}
}

//Once you have done the validation you will have a variable called $err which,
//if any errors occured will not be empty. So we test to see how many elements
//the $err array has in it to see if any errors occured
if(count($err)>0) {
	//there were errors, re-display the form with bad values highlighted or something like that
} else {
	//There were no errors so we can run the query
	//....

HTH
Bubble

buzzby

this is brilliant for the validation. i do not understand the escaping tho. is that tricky to do in my case? does the escaping happen in the php code or the html code. i am not sure. when you have time could you go thru it with me please.

much appreciated

buzzby

i have updated the database and changed some fields and now i am getting this message.

"column doesn't match value count at row 1"

i am so unsure as to what to do. i have looked at the database and the fields and they match. in my database i have ID on row 1 and NAME on row 2 (not in caps). why is this message coming up?

bubblenut

$escaped_string=addslashes($unescaped_string);
//or
$escaped_string=mysql_escape_strin($unescaped_string);

It's really that simple! Far simpler than the validation.

HTH
Bubble

buzzby

and are these reserved words that will apply to the whole php file?

did u see my prev post about the 'column not matching value count at row 1' i am totally mystified by that.

bubblenut

Originally posted by buzzby
and are these reserved words that will apply to the whole php file?

did u see my prev post about the 'column not matching value count at row 1' i am totally mystified by that.

Because the the number of fields you've given does not match the number of values you're trying to put in them. Go over it again and check it's all correct.

Originally posted by buzzby
and are these reserved words that will apply to the whole php file?

Are what reserved words? if you mean $escaped_string and $unescaped_string then no, they are not, these are just example variables I used with descriptive names to help you understand (obviously went of course there😉). You have some unescaped text in the variable $unescaped_text, or $bob, the name of the variable doesn't matter. You run [man]addslashes()[/man] and put the result into another variable (or even back into the same variable) and then all the dangerous characters, like apostrophes, double quotes etc are escaped with backslashes.

That's it.
Bubble

buzzby

maybe i am missing something here but........

i implemented this code and nothing happened.

$user="";
$host="";
$password="";
$database="";
$connection=mysql_connect($host,$user,$password) or die ("could not connect to server");
$db=mysql_select_db($database,$connection);
$err=array();
$required_fields=array('name','email','contactaddress','mobile','workhometel'); 
for($i=0;$i<count($required_fields);$i++) { 
    if(!isset($_POST[$required_fields[$i]]) || $_POST[$required_fields[$i]]=='') { 
        $err[]='You must provide a '.$_POST[$required_fields[$i]]; 
    } 
}

my understanding of this code is that if certain fields are not filled in then it will chuck this message up stating that the user should fill in these fields before progression can be made. am i right or am i missing the point?

clarification on this would be brilliant.