retry, this time with code [was: [PHP-DB] [newbie] Form to email *and* insert row to MySQL]

My last email shows on the archive but it also bounced back to me so I am reposting it. Sorry if this is a double-post.

Also, this time I am adding the source code down below, which I should probably have done last time around.

Any help is much appreciated, Ben.

<repost>

Hello guys,

I have an HTML form with the action attribute set to the famous
FormMail.pl and it works beautifully.  However, I also want to insert
the data into a MySQL database.

Initially, I thought that I would let FormMail validate the data, send
the email, and then redirect to a PHP script that would use the $_POST
array to INSERT it into my db [see source below]. Of course, it didn't work. AFAICT, both
the FormMail script and the PHP script need to be called from the form's
action attribute.


1 - Is there a way to call them both?

From lurking around and reading tutorials, I understand that it is
possible to send emails with PHP and that I don't need to use FormMail
at all.  However, I have been told that FormMail is a relatively "safe
script" that won't let hackers exploit either the server or myself.  I
am not quite sure what such exploits might be, but I trust that the
hackers are...

2 - If I am to drop FormMail, what PHP script should I use to protect
my, and the server's, security?

Which brings us to the next point: the PHP script that I currently use
is very straightforward ([see below]) and the subuser has
only INSERT privileges.

3 - Am I putting anything (db, server) in danger with this script?

Cheers,
  Ben

</repost>

<source>
[HTML Form]
<form method="post" action="http://site.com/cgi-bin/FormMail.pl">
<input type="hidden" name="redirect" value="http://site.com/script.php" />
<input type="hidden" name="required" value="realname" />
<p>Name: <input type="text" name="realname" size="35" /></p>
[...]


[script.php]
<?php
// Field from the form (arrives via FormMail's redirect); interpolated unescaped into the query below.
$name = $_POST['realname'];
mysql_connect("localhost", "subuser", "password") or die("ERROR: " . mysql_error());
mysql_select_db("my_db") or die("ERROR: " . mysql_error());
// `id` is assumed AUTO_INCREMENT; '' is what the original passes for it.
mysql_query("INSERT INTO `my_table` (`id`, `name`) VALUES ('', '$name')") or die("ERROR: " . mysql_error());
header('Location: http://site.com/thankyou.html');
</source>
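For questions 2 and 3 above, here is an added example (not Ben's code and not FormMail) of a single script.php that both emails the submission and inserts it, so the form posts to one action. It assumes the DSN, the `subuser` account from the post, a placeholder password and recipient address, and the `realname` field from the form; the value is bound with a prepared statement instead of being interpolated into the SQL, and CR/LF are rejected so it cannot add mail headers.

```php
<?php
// Added example, not Ben's code: one script that emails and inserts the form data.
// Assumed: DB credentials, a fixed recipient address, a form field named "realname".
const DB_DSN  = 'mysql:host=localhost;dbname=my_db;charset=utf8mb4';
const DB_USER = 'subuser';            // account with INSERT only, as in the post
const DB_PASS = 'password';           // placeholder; keep real secrets out of the web root
const MAIL_TO = 'owner@example.com';  // fixed recipient: never taken from the request

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

// Validate the only field we accept. This replaces FormMail's "required" check and adds
// a length limit and a ban on CR/LF so the value can never inject extra email headers.
$realname = trim((string) ($_POST['realname'] ?? ''));
if ($realname === '' || strlen($realname) > 100 || preg_match('/[\r\n]/', $realname)) {
    http_response_code(400);
    exit('A name of at most 100 characters, without line breaks, is required.');
}

// Insert with a prepared statement: the value travels separately from the SQL text, so
// quotes in $realname cannot change the query. `id` is left to AUTO_INCREMENT.
try {
    $pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $stmt = $pdo->prepare('INSERT INTO `my_table` (`name`) VALUES (:name)');
    $stmt->execute([':name' => $realname]);
} catch (PDOException $e) {
    error_log('form insert failed: ' . $e->getMessage()); // detail stays in the server log
    http_response_code(500);
    exit('Sorry, your submission could not be saved.');   // no DB error text to the browser
}

// Email the submission. Recipient and subject are constants; the user value appears only
// in the body, and it has already been checked for CR/LF.
$body = "New form submission\n\nName: " . $realname . "\n";
if (!mail(MAIL_TO, 'Website form submission', $body)) {
    error_log('form mail() failed for submission by ' . $realname);
}

header('Location: http://site.com/thankyou.html', true, 303);
exit;
```

With this in place the form's action points at script.php directly and the hidden `redirect` field is no longer needed.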


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

