Hi,
Being thrust into cleaning after another has me timid. Could some
kind soul look over the following solution for form validation and DB
query? Any suggestions on security and streamlining is humbly requested.
CK
<?php
$firstname =$_POST['firstname'];
$lastname = $_POST['lastname']);
$email = $_POST['email']);
$address = $_POST['address']);
$city = $_POST['city']);
$state = $_POST['state']);
$zip = $_POST['zip']);
$comments = $_POST['comments']);
$newsletter = $_POST['signup']);
$contact = $_POST['contact']);
$dt = "'".date('Y-m-d H:i:s');
$message = "First Name: ".$firstname."\n";
$message .= "Last Name: ".$lastname."\n";
$message .= "Email: ".$email."\n";
$message .= "Address: ".$address."\n";
$message .= "City: ".$city."\n";
$message .= "State: ".$state."\n";
$message .= "Zip: ".$zip."\n";
$message .= "Comments: ".$comments."\n";
$message .= "Newsletter: ".$newsletter."\n";
$message .= "Contact: ".$contact."\n";
function validate_form($email,$firstname,$lastname)
{
if(strlen($firstname)>0){
$firstname=stripslashes($firstname);
}else{//If no name was entered.
$firstname=NULL;
echo '<p><em>You forgot to enter your first name.</em></p>';
}
if(strlen($lastname)>0){
$lastname=stripslashes($fm_lastname);
}else{//If no name was entered.
$lastname=NULL;
echo '<p><em>You forgot to enter your last name.</em></p>';
}
// Create the syntax of email with validation regular expression
$regexp = "^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]
+)*(\.[a-z]{2,4})$";
// Presume that the email is invalid
$valid = false;
// Validate the syntax
if (eregi($regexp, $email))
{
list($username,$domaintld) = split("@",$email);
// Validate the domain
if (getmxrr($domaintld,$mxrecords))
$valid = true;
}
// attempts a socket connection to mail server
if(@fsockopen($domaintld,25,$errno,$errstr,15)) {
$valid = true;
} else {
$valid = false;
echo '<p><em>Please check your email and try again.</em></p>';
}
return $valid;
}
if (validate_form($email,$firstname,$lastname))
@ $db = mysql_connect('mysql_host', 'mysql_user', 'mysql_password);
if (mysql_errno()) {
echo '<p>error connecting to database</p>';
exit;
}
if (!mysql_select_db("mysql_user")) {
echo "<p>There is a system error - please try later</p>";
exit;
}
$query = "insert into users values (NULL, ".$firstname.", ".
$lastname.", ".$email.", ".$address.", ".$city.", ".$state.", ".
$zip.", ".$comments.", ".$newsletter.", ".$contact.", ".$dt.")";
mysql_real_escape_string($firstname, $query),
mysql_real_escape_string($lastname, $query),
mysql_real_escape_string($email, $query),
mysql_real_escape_string($address, $query),
mysql_real_escape_string($city, $query),
mysql_real_escape_string($state, $query),
mysql_real_escape_string($zip, $query),
mysql_real_escape_string($comments, $query),
mysql_real_escape_string($newsletter, $query),
mysql_real_escape_string($contact, $query),
mysql_real_escape_string($dt, $query),
//echo "<p>".$query."</p>";
$result = mysql_query($query, $db);
if (!$result) {
echo "<p>".mysql_error()."</p>";
exit;
} else {
$to = "[EMAIL PROTECTED]";
$subject = "CTS Contact";
mail($to, $subject, $message);
}
}
}
?>
