Form Validation and DB Query

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,
Being thrust into cleaning after another has me timid. Could some kind soul look over the following solution for form validation and DB query? Any suggestions on security and streamlining is humbly requested. 


CK


<?php

   $firstname =$_POST['firstname'];
    $lastname = $_POST['lastname']);
    $email = $_POST['email']);
    $address = $_POST['address']);
    $city = $_POST['city']);
    $state = $_POST['state']);
    $zip = $_POST['zip']);
    $comments = $_POST['comments']);
    $newsletter = $_POST['signup']);
    $contact = $_POST['contact']);
    $dt = "'".date('Y-m-d H:i:s');

    $message = "First Name: ".$firstname."\n";
    $message .= "Last Name: ".$lastname."\n";
    $message .= "Email: ".$email."\n";
    $message .= "Address: ".$address."\n";
    $message .= "City: ".$city."\n";
    $message .= "State: ".$state."\n";
    $message .= "Zip: ".$zip."\n";
    $message .= "Comments: ".$comments."\n";
    $message .= "Newsletter: ".$newsletter."\n";
    $message .= "Contact: ".$contact."\n";
	
	
	
	
function validate_form($email,$firstname,$lastname)
{
if(strlen($firstname)>0){
		$firstname=stripslashes($firstname);
	}else{//If no name was entered.
		$firstname=NULL;
		echo '<p><em>You forgot to enter your first name.</em></p>';
	}	
if(strlen($lastname)>0){
		$lastname=stripslashes($fm_lastname);
	}else{//If no name was entered.
		$lastname=NULL;
		echo '<p><em>You forgot to enter  your last name.</em></p>';
}


   // Create the syntax of email with validation regular expression
$regexp = "^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-] +)*(\.[a-z]{2,4})$"; 

   // Presume that the email is invalid
   $valid = false;

   // Validate the syntax
   if (eregi($regexp, $email))
   {
      list($username,$domaintld) = split("@",$email);
      // Validate the domain
      if (getmxrr($domaintld,$mxrecords))
         $valid = true;
		 }
	// attempts a socket connection to mail server
  if(@fsockopen($domaintld,25,$errno,$errstr,15)) {
		$valid = true;
   } else {
      	$valid = false;
		echo '<p><em>Please check your email and try again.</em></p>';
  }
	 return $valid;
}

if (validate_form($email,$firstname,$lastname))
    @ $db = mysql_connect('mysql_host', 'mysql_user', 'mysql_password);
    if (mysql_errno()) {
      echo '<p>error connecting to database</p>';
      exit;
    }
    if (!mysql_select_db("mysql_user")) {
      echo "<p>There is a system error - please try later</p>";
      exit;
    }
$query = "insert into users values (NULL, ".$firstname.", ". $lastname.", ".$email.", ".$address.", ".$city.", ".$state.", ". $zip.", ".$comments.", ".$newsletter.", ".$contact.", ".$dt.")"; 
mysql_real_escape_string($firstname, $query),
mysql_real_escape_string($lastname, $query),
mysql_real_escape_string($email, $query),
mysql_real_escape_string($address, $query),
mysql_real_escape_string($city, $query),
mysql_real_escape_string($state, $query),
mysql_real_escape_string($zip, $query),
mysql_real_escape_string($comments, $query),
mysql_real_escape_string($newsletter, $query),
mysql_real_escape_string($contact, $query),
mysql_real_escape_string($dt, $query),
    //echo "<p>".$query."</p>";
    $result = mysql_query($query, $db);
    if (!$result) {
      echo "<p>".mysql_error()."</p>";
      exit;
    } else {
      $to = "some@xxxxxxxxxxxxx";
      $subject = "CTS Contact";
      mail($to, $subject, $message);
	  }
    }
	
	
	
}	
?>
[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux