Hello, I have yet another dilemma. I need to figure out why the email is sending but the values are not showing up in the database.

This is my table structure:

CREATE TABLE IF NOT EXISTS fname (
fname text NOT NULL,
lname text NOT NULL,
email text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

And this is the script:

<?php

// Receiving variables
$loanamt = addslashes($_GET['loanamt']);
$fname = addslashes($_GET['fname']);
$lname = addslashes($_GET['lname']);
$email = addslashes($_GET['email']);
$province = addslashes($_GET['province']);
$postal = addslashes($_GET['postal']);

$con = mysql_connect("localhost","test","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("zanzu_test", $con);

$sql="INSERT INTO fname (fname,lname,email)
VALUES
('$_POST[fname]','$_POST[lname]','$_POST[email]')";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}

mysql_close($con);

$header = "From: $email\n"
. "Reply-To: $email\n";
$subject = "CashLoans.ca | Payday Loan Request";
$email_to = "dan@enviomedia.com";
$message = "loanamt: $loanamt\n"
. "fname: $fname\n"
. "lname: $lname\n"
. "email: $email\n"
. "province: $province\n"
. "postal: $postal\n";
mail($email_to, $subject ,$message ,$header ) ;

header("Location: http://www.autocarloans.ca/apply-online.html");

?>

    Your script would function quite nicely as a spam relay. It's also vulnerable to SQL injection.

      My client wants to be able to insert the name, last name and email in the database, then send all variables to the email. Is there a way to make it spam friendly and with no SQL injections?

      Thanks

        Well, you don't even bother checking to see what kind of input you have before inserting records or sending email. If someone just visits the page in a browser, it'll create a blank DB record and send an email.

        You need to validate your input.

        Is the database getting empty records? Or are no records at all being inserted?

          No record is being inserted in the table. I know I need to validate the form; I am trying to get this to work first, then validate.

            What happens when you visit the page in a browser? Do you get an error? Does it redirect?

              <?php

              $link = @mysql_connect('localhost', 'database_user', 'password');
              if (!$link)
              {
              die('Not connected : ' . mysql_error());
              }

              // make foo the current db
              $db_selected = mysql_select_db('short_email', $link);
              if (!$db_selected)
              {
              die ("Database not selected : " . mysql_error());
              }

              // Query
              $query = sprintf("INSERT INTO fanme (fname , lname , email)
              VALUES( '%s', '%s','%s',",
              mysql_real_escape_string($fname),
              mysql_real_escape_string($lname),
              mysql_real_escape_string($email));

              $loanamt = addslashes($_GET['loanamt']);
              $fname = addslashes($_GET['fname']);
              $lname = addslashes($_GET['lname']);
              $email = addslashes($_GET['email']);
              $province = addslashes($_GET['province']);
              $postal = addslashes($_GET['postal']);

              if(!mysql_query($query))
              echo 'Query failed '.mysql_error();
              exit();

              $header = "From: $email\n"
              . "Reply-To: $email\n";
              $subject = "CashLoans.ca | Payday Loan Request";
              $email_to = "dan@enviomedia.com";
              $message = "loanamt: $loanamt\n"
              . "fname: $fname\n"
              . "lname: $lname\n"
              . "email: $email\n"
              . "province: $province\n"
              . "postal: $postal\n";
              mail($email_to, $subject ,$message ,$header ) ;
              header("Location: http://www.shorttermloans.ca/apply-online.html");
              ?>

              And now it's giving me "no database selected", but it is, from what I see?

                It's very good that you've added the error check for the mysql_select_db statement. Is there an error?

                What happens when you visit the page in a browser?

                  Database not selected : Access denied for user 'short_email'@'localhost' to database 'short_email'

                    Well there's your problem. Good work adding that error report, eh?

                    The user you are using to connect with doesn't have permission to access the table you want to access. You'll need to use some other user that does have permission or you'll need to grant permission to the user you are currently using.

                      OK, now I have the user right, but it shows this now.

                      Query failed You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2

                        You have a trailing comma in your SQL. Remove the comma after the third '%s'.

                          Parse error: syntax error, unexpected T_STRING in /home/short/public_html/results.php on line 22

                          When I took the comma out...

                            <?php
                            // Receiving variables

                            $link = @mysql_connect('localhost', 'short', 'password');
                            if (!$link)
                            {
                            die('Not connected : ' . mysql_error());
                            }

                            // make foo the current db
                            $db_selected = mysql_select_db('short_email', $link);
                            if (!$db_selected)
                            {
                            die ("Database not selected : " . mysql_error());
                            }

                            // Query
                            $query = sprintf("INSERT INTO fanme (fname , lname , email)
                            VALUES( '%s', '%s','%s'",
                            mysql_real_escape_string($fname),
                            mysql_real_escape_string($lname),
                            mysql_real_escape_string($email));

                            $loanamt = addslashes($_GET['loanamt']);
                            $fname = addslashes($_GET['fname']);
                            $lname = addslashes($_GET['lname']);
                            $email = addslashes($_GET['email']);
                            $province = addslashes($_GET['province']);
                            $postal = addslashes($_GET['postal']);

                            if(!mysql_query($query))
                            echo 'Query failed '.mysql_error();
                            exit();

                            $header = "From: $email\n"
                            . "Reply-To: $email\n";
                            $subject = "CashLoans.ca | Payday Loan Request";
                            $email_to = "dan@enviomedia.com";
                            $message = "loanamt: $loanamt\n"
                            . "fname: $fname\n"
                            . "lname: $lname\n"
                            . "email: $email\n"
                            . "province: $province\n"
                            . "postal: $postal\n";
                            mail($email_to, $subject ,$message ,$header ) ;
                            header("Location: http://www.shorttermloans.ca/apply-online.html");
                            ?>

                            Query failed You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2

                              Try echoing the query and see what it is.

                                Thanks for your help. I got it to work, but I went another way with it. Here is the code:

                                <?php

                                $host="localhost"; // Host name
                                $username="username"; // Mysql username
                                $password="password"; // Mysql password
                                $db_name="email"; // Database name
                                $tbl_name="fanme"; // Table name

                                // Connect to server and select database.
                                mysql_connect("$host", "$username", "$password")or die("cannot connect");
                                mysql_select_db("$db_name")or die("cannot select DB");

                                // Get values from form
                                $fname=$_POST['fname'];
                                $lname=$_POST['lname'];
                                $email=$_POST['email'];

                                $sql="INSERT INTO $tbl_name(fname, lname, email)VALUES('$fname', '$lname', '$email')";
                                $result=mysql_query($sql);

                                if($result)

                                $header = "From: $email\n"
                                . "Reply-To: $email\n";
                                $subject = "CashLoans.ca | Payday Loan Request";
                                $email_to = "dan@enviomedia.com";
                                $message = "loanamt: $loanamt\n"
                                . "fname: $fname\n"
                                . "lname: $lname\n"
                                . "email: $email\n"
                                . "province: $province\n"
                                . "postal: $postal\n";
                                mail($email_to, $subject ,$message ,$header ) ;
                                header("Location: http://www.shorttermloans.ca/apply-online.html");

                                mysql_close();

                                ?>

                                  You've got a couple of problems here.

                                  One is that your script is vulnerable to mail header injection. Hackers do this by supplying values to your form that have line breaks in the data...for example they might supply this as an email address:

                                  somebody@email.com
                                  cc: spam_victim1@domain.com
                                  cc: spam_victim2@domain.com
                                  cc: spam_victim3@domain.com
                                  cc: spam_victim4@domain.com
                                  cc: spam_victim5@domain.com
                                  cc: spam_victim6@domain.com
                                  etc...
                                  

                                  Your code will just cram that value into your $header var and suddenly a dozen people are getting email from your site -- not just you.

                                  And if $loanamt is something like "Come buy viagra at http://viagra.com" then everyone is going to get that message -- including you -- and possibly me too.

                                  You could spend a whole bunch of time putting in various validation checks to make sure the email address is legit. At the very least you should prevent folks from entering any data that has a line break in it. However, these hackers tend to be pretty inventive.

                                  I find it's helpful to use something like PHPMailer or Pear::Mail to send mail. I'm not certain, but I believe they will probably screen input and generate headers with some checks in place.

                                    OH...and the other problem is what to do if someone provides a name like O'leary which will break your query.
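Here is a hardened version of the form handler, written as an added example for this thread; it is not code from any of the posters. It addresses the points raised in the last two replies and earlier in the thread: it refuses empty or malformed submissions, so a bare visit to the page creates no row and sends no mail; it rejects any field containing a CR or LF, so extra "Cc:" lines cannot be smuggled into the mail header; it sends with a fixed From address on the site's own domain and puts the visitor's address only in Reply-To; and it inserts through a PDO prepared statement, so a name like O'leary (or any other quoting) cannot change the meaning of the query. It assumes the table from the CREATE TABLE at the top of the thread and a POST submission; the DSN, database user, password and recipient address are placeholders.

```php
<?php
// Added example for this thread (not any poster's code). Assumes the
// "fname" table from the top of the thread; connection details and the
// recipient are placeholders.
declare(strict_types=1);

// Return a trimmed field value, or null if it is missing, empty, too long,
// or contains a line break. A CR or LF inside a value that reaches a mail
// header is what lets a sender append extra recipient lines, so such a
// value is refused outright rather than "cleaned".
function clean_field(array $src, string $key, int $maxLen = 100): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    $v = trim($src[$key]);
    if ($v === '' || strlen($v) > $maxLen) {
        return null;
    }
    if (preg_match('/[\r\n]/', $v)) {
        return null;
    }
    return $v;
}

$fname    = clean_field($_POST, 'fname');
$lname    = clean_field($_POST, 'lname');
$email    = clean_field($_POST, 'email');
$loanamt  = clean_field($_POST, 'loanamt', 20);
$province = clean_field($_POST, 'province', 40);
$postal   = clean_field($_POST, 'postal', 10);

// Visiting the page without a proper submission must not create a blank
// row or send anything: stop before touching the database or mail().
if ($fname === null || $lname === null || $email === null
    || $loanamt === null || $province === null || $postal === null
    || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid form submission.');
}

// Prepared statement: the values are sent separately from the SQL text,
// so an apostrophe (O'leary) or a crafted value cannot alter the query.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$stmt = $pdo->prepare(
    'INSERT INTO fname (fname, lname, email) VALUES (:fname, :lname, :email)'
);
$stmt->execute([':fname' => $fname, ':lname' => $lname, ':email' => $email]);

// Mail: From is a fixed address on our own domain; the visitor's address
// goes only into Reply-To, and only after the validation above. The body
// is composed by us from line-break-free values, so the visitor cannot
// add headers or recipients.
$headers = "From: forms@example.com\r\n"
         . "Reply-To: $email\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";

$body = "loanamt: $loanamt\n"
      . "fname: $fname\n"
      . "lname: $lname\n"
      . "email: $email\n"
      . "province: $province\n"
      . "postal: $postal\n";

mail('RECIPIENT_PLACEHOLDER@example.com', 'CashLoans.ca | Payday Loan Request', $body, $headers);

header('Location: http://www.shorttermloans.ca/apply-online.html');
exit;
```

If the site uses mysqli rather than PDO, the same INSERT is done with prepare() followed by bind_param('sss', $fname, $lname, $email); the important part is that the values never become part of the SQL string. The CR/LF check sits at the input boundary on purpose: once a value is in $headers, nothing downstream can tell a visitor's line break from one you wrote.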
