
Inserting form data into a MySQL database, blocking spam

Hi

Short answer, yes. If anything is non-valid, the script exits and issues
errors. The email will not be sent and your query won't be run.

You are reading too much and getting paranoid!! There's a lot of (often
clueless) scaremongers out there! I told you before, pay attention now,
there's nothing in the script that can be compromised by anything submitted
to it!

Best wishes.

Charles Sweeney (in the UK too, and yep, about bedtime!)
https://formtoemail.com
The world's easiest feedback script!

----- Original Message -----
Sent: Monday, March 01, 2010 10:49 PM
Subject: Re: FormToEmail-Pro script


Hi Charles,

Sorry to pester you again! I am still trying to get to the bottom of
validating and sanitizing before putting my data into a database, and I was
wondering - your script does a lot of validation (eg, checks that email
addresses are valid, etc) and I wondered: does your script stop dead when a
data field has non-valid info in it? I mean, if I have the sql query where
you advised me to have it (after the email is sent), then am I right in
thinking that if your validations find non-valid data, then it won't allow
my query to run, nor the email to be sent?

Thanks in advance.
, UK (nearly bedtime!)





On 25 Feb 2010, at 21:59, FormToEmail.com wrote:

> Forgot to say. If you use $linkid, you should also close the connection
> to the database with:
>
> mysql_close($linkid);
>
> Put that line after your database code is finished.
>
> Now you can see the main reason why I don't support databases!!
>
> Charles Sweeney
> https://formtoemail.com
> The world's easiest feedback script!
>
> ----- Original Message -----
> Sent: Thursday, February 25, 2010 9:19 PM
> Subject: Re: FormToEmail-Pro script
>
>
> Hi Charles,
>
> Sorry. The missing '$' in the variable was my mistake in the email, but it
> was right in the script.
>
> I'm reading up on this "sanitizing" thing. Looks quite complicated for
> this novice!
>
> One thing I forgot to ask, if you don't mind...
>
> The line which you included in your first email (repeated here)...
>> mysql_query("INSERT INTO contact (name,email,comments) VALUES
>> ('$_REQUEST['name']','$_REQUEST['email']','$_REQUEST['comments']')",$linkid);
>
> ..well, what does "$linkid" mean please? (right at the end)
>
> Cheers
>
>
>
>
> On 25 Feb 2010, at 20:51, FormToEmail.com wrote:
>
>> Hi
>>
>> You're right enough about the quotes. I'm so used to using the form
>> variables outwith SQL that I forgot to remove them in the example I gave.
>>
>> About this:
>>
>> WHERE username='$username' AND passphrase='slpassword'
>>
>> Shouldn't that be $slpassword?
>>
>> At this point in the script, where you have put your SQL code, the script
>> needs to know the values of $username and $slpassword. Otherwise it will
>> be including blanks in your SQL, like this:
>>
>> WHERE username='' AND passphrase=''
>>
>> $username on its own means nothing to the script. You have to give it a
>> value. This gives it a value:
>>
>> $username = "pete";
>>
>> You can't hard-code this into the script, so you would need to get the
>> username and password passed to the script from your form, with inputs
>> like this:
>>
>> <input type="text" name="username">
>>
>> <input type="password" name="slpassword">
>>
>> ...then your SQL would look like this:
>>
>> WHERE username='$_REQUEST[username]' AND
>> passphrase='$_REQUEST[slpassword]'
>>
>> The values will then be present from the form.
>>
>> Yes, you should "sanitize" user input. Depends what you are doing with
>> it too. The script is written in such a way that it cannot be harmed or
>> cause any security problems by any inputs entered on a form. So you are
>> largely covered there.
>>
>> Best wishes.
>>
>> Charles Sweeney
>> https://formtoemail.com
>> The world's easiest feedback script!
>>
>> ----- Original Message -----
>> Sent: Thursday, February 25, 2010 8:11 PM
>> Subject: Re: FormToEmail-Pro script
>>
>>
>> Hi Charles.
>>
>> Thanks very much for your help with this, and I'm sorry to hassle you!
>>
>> I sorted out the error message. I had to drop the quote marks around the
>> field names inside the square brackets, so
>> '$_REQUEST['name']','$_REQUEST['email']' became
>> '$_REQUEST[name]','$_REQUEST[email]' and that made it work and I also
>> found a stupid mistake in what I called one of the columns of my
>> database, but the only other thing I can't seem to get to work is when my
>> query goes on to WHERE username='$username' AND passphrase='slpassword'
>> which, when I echo the code says WHERE username='$username' AND
>> passphrase=' ' (the password isn't passed on). I may have to get round
>> this by using another field in the 'AND' statement.
>>
>> Once again, thanks very much for your help and your patience. I'm sorry
>> but I'm a novice with all this. Someone mentioned that I would have to
>> "sanitize" the input and I haven't a clue where to start!
>>
>> All the best
>>
>>
>>
>>
>>
>> On 25 Feb 2010, at 19:58, FormToEmail.com wrote:
>>
>>> Hi
>>>
>>> In response to your other emails also.
>>>
>>> The parse error probably means you have made an error when editing the
>>> script, like leaving out a quote or a bracket. If you attach your
>>> edited script, I should be able to find it for you.
>>>
>>> As far as sanitizing goes, the script doesn't do much of that. Email
>>> addresses are checked for new lines and extra headers that a spammer
>>> might try to submit, but everything else is submitted "as is". This is
>>> due to the script being used in any number of applications and there
>>> being no way that I could check inputs that would suit everyone. Also,
>>> any submitted HTML or JavaScript is displayed but not actioned.
>>>
>>> That said, there is the word block facility that will block anything you
>>> put in it, so you might put SQL commands in it. For example, you could
>>> block "INSERT INTO": if someone attempted to submit that from your form,
>>> it would get blocked. I should say, in the seven years I have been
>>> doing this, I don't recall any customer feedback reporting such a thing.
>>>
>>> This is also largely the reason why I do not support databases in a
>>> universal script, every situation is different. I feel such things
>>> should be custom coded. The script is a form-to-email script, with the
>>> emphasis being on email.
>>>
>>> Best wishes.
>>>
>>> Charles Sweeney
>>> https://formtoemail.com
>>> The world's easiest feedback script!
>>>
>>> ----- Original Message -----
>>> Sent: Thursday, February 25, 2010 5:15 PM
>>> Subject: Re: FormToEmail-Pro script
>>>
>>>
>>> Charles, will there be some "sanitizing" to do before anything can go
>>> into my database, or has your script already done that for me?
>>>
>>> Cheers
>>>
>>>
>>>
>>> On 25 Feb 2010, at 13:17, FormToEmail.com wrote:
>>>
>>>> Hi Pete.
>>>>
>>>> Glad the script is doing a job for you!
>>>>
>>>> There isn't a facility in the script to insert data into a database.
>>>> You would need to code it yourself to do so.
>>>>
>>>> I can give you a clue, though! All the submitted form values are in
>>>> the $_REQUEST array, so for example, the name would be here:
>>>>
>>>> $_REQUEST['name']
>>>>
>>>> ...the email would be here:
>>>>
>>>> $_REQUEST['email']
>>>>
>>>> ...the comments would be here:
>>>>
>>>> $_REQUEST['comments']
>>>>
>>>> Note that 'name', 'email' and 'comments' are the exact (case sensitive)
>>>> names of the fields on your form.
>>>>
>>>> So an example line of code to insert into a database would be like
>>>> this:
>>>>
>>>> mysql_query("INSERT INTO contact (name,email,comments) VALUES
>>>> ('$_REQUEST['name']','$_REQUEST['email']','$_REQUEST['comments']')",$linkid);
>>>>
>>>> In the above code, "contact" is the name of the database table and
>>>> (name,email,comments) are the names of the fields in the table, which
>>>> don't have to be the same names as the form fields.
>>>>
>>>> I would recommend you put your code in the script after the email is
>>>> sent. Put it after this line:
>>>>
>>>> mail($my_email,$subject,$message,$headers);
>>>>
>>>> Hope this is of some help.
>>>>
>>>> Best wishes.
>>>>
>>>> Charles Sweeney
>>>> https://formtoemail.com
>>>> The world's easiest feedback script!
>>>>
>>>> ----- Original Message -----
>>>> Sent: Thursday, February 25, 2010 11:14 AM
>>>> Subject: FormToEmail script
>>>>
>>>>

>>>>> Comments: Hi. I have purchased the pro version of the script and
>>>>> everything seems to be working well. Great script!
>>>>> However, I need the data from my form to be entered into a mysql
>>>>> database (or to update info already there). I have tried to insert my
>>>>> code inside your script in various places, but cannot get it do what I
>>>>> want. The variables *are* passed, because I get emails telling me so,
>>>>> but what am I missing? What do I do to insert the data into a
>>>>> database?
>>>>> Thanks in advance
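The INSERT line quoted in this thread builds its SQL by interpolating `$_REQUEST` values, so whatever the form submits becomes part of the query text; the same applies to the `WHERE username=... AND passphrase=...` lookup. As an added example (not code from FormToEmail or its author), here are both queries rewritten with mysqli prepared statements, which carry the values separately from the SQL. The table and column names `contact`, `name`, `email`, `comments`, `username` and `passphrase` come from the thread; the `users` table, the hashed passphrase column, the connection details and the length limit are assumptions.

```php
<?php
// Added example, not part of FormToEmail. Parameterised versions of the two
// queries discussed in the thread. Assumed: a table `users` whose passphrase
// column holds a password_hash() value, and placeholder connection details.
declare(strict_types=1);

// Validate before the database sees anything; the SQL you add needs its own checks.
function validate_contact(array $req): array
{
    $name     = trim((string) ($req['name'] ?? ''));
    $email    = trim((string) ($req['email'] ?? ''));
    $comments = trim((string) ($req['comments'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {          // assumed length limit
        throw new InvalidArgumentException('name missing or too long');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email address is not valid');
    }
    return [$name, $email, $comments];
}

// INSERT INTO contact (name,email,comments): placeholders send the values apart
// from the SQL text, so quotes or keywords in a field are stored as plain data.
function insert_contact(mysqli $db, string $name, string $email, string $comments): int
{
    $stmt = $db->prepare('INSERT INTO contact (name, email, comments) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $name, $email, $comments);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// The WHERE username=... AND passphrase=... lookup: only the username reaches the
// query, and the passphrase is verified in PHP against the stored hash.
function find_user(mysqli $db, string $username, string $passphrase): ?array
{
    $stmt = $db->prepare('SELECT id, username, passphrase FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return ($row && password_verify($passphrase, $row['passphrase'])) ? $row : null;
}

// Usage, placed after mail($my_email,$subject,$message,$headers); as advised above.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw exceptions
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
[$name, $email, $comments] = validate_contact($_REQUEST);
insert_contact($db, $name, $email, $comments);
$db->close();
```

Because the validation throws before any query runs, a rejected field stops the database write the same way the script's own checks stop the email.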