
PHP form that collects email and website address

I have built the following form that collects both email addresses and website URLs from people. In the database the email and website URL are set to be unique so a person cannot enter the same email and website twice.

However being new to PHP I want to double check that the form does not contain any serious problems that could allow a person to do something malicious with the form and/or has validation issues that could be exploited. Also because I want to hide the form on postback BUT show it again for errors, I have ended up duplicating the form which isn't ideal but not a big deal in this circumstance as it's just a quick form. The main factor is making sure the validation is pretty strong and no holes exist in terms of server/sql attacks in the form.

<?php

if($_SERVER['REQUEST_METHOD'] == 'POST')
{
    // DATABASE CONNECTION HERE

    $email = mysql_real_escape_string($_POST['EMAIL']);
    $website = mysql_real_escape_string($_POST['WEBSITE']);

    if ( $email == '' || $website == '' || !filter_var($website, FILTER_VALIDATE_URL) || !filter_var($email, FILTER_VALIDATE_EMAIL) )
    {
        echo '<p style="color:red;">You must fill out all fields correctly and duplicate emails/websites are not permitted!</p>';

    ?>
        <form action="./" method="post">

            <label for="EMAIL">Email Address</label>
            <input type="email" value="" name="EMAIL" id="EMAIL" required>
            <label for="WEBSITE">Website URL</label>
            <input type="url" value="" name="WEBSITE" id="WEBSITE" required>
            <input type="submit" value="Join" name="join">

        </form>

    <?php

    }
    else
    {
        $query = "INSERT INTO list VALUES (NULL, '$email','$website')";

        $result = mysql_query($query);
        echo '<p>THANKS!</p>';
    }
}
else
{

?>

<form action="./" method="post">

    <label for="EMAIL">Email Address</label>
    <input type="email" value="" name="EMAIL" id="EMAIL" required>
    <label for="WEBSITE">Website URL</label>
    <input type="url" value="" name="WEBSITE" id="WEBSITE" required>
    <input type="submit" value="Subscribe" name="subscribe">

</form>

<?php } ?>

You could validate the values using these validation filters. You can find some instructions for this here.

To prevent cross-site scripting and similar attack vectors you should not insert the email or URL into the database unless it has been validated.
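The two answers above boil down to: validate the raw input first, then keep the values out of the SQL text. As an added example (not from the question or either answer), here is the same POST handler rewritten that way: `filter_var` runs on the untouched input instead of on already-escaped strings, a PDO prepared statement replaces the interpolated `INSERT`, and anything echoed back is HTML-escaped. It assumes a `$pdo` connection with `PDO::ERRMODE_EXCEPTION` set and that the `list` table's columns are named `email` and `website` (the question only shows positional values).

```php
<?php
// Added example, not the asker's code. Assumes $pdo is a PDO connection with
// PDO::ERRMODE_EXCEPTION and the table is list(id AUTO_INCREMENT, email, website).

function validate_submission(array $post): array
{
    $email   = trim($post['EMAIL'] ?? '');
    $website = trim($post['WEBSITE'] ?? '');
    $errors  = [];

    // Validate the raw values. In the question, mysql_real_escape_string runs
    // first, so filter_var checks an escaped string rather than what was sent.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email address.';
    }
    $url    = filter_var($website, FILTER_VALIDATE_URL);
    $scheme = $url === false ? null : parse_url($url, PHP_URL_SCHEME);
    if ($url === false || !in_array($scheme, ['http', 'https'], true)) {
        $errors[] = 'Website must be an http(s) URL.';   // rejects javascript:, file:, etc.
    }
    return [$email, $website, $errors];
}

function insert_subscriber(PDO $pdo, string $email, string $website): bool
{
    // Bound parameters: the values never become part of the SQL statement text,
    // so no escaping step is needed and none can be forgotten.
    $stmt = $pdo->prepare('INSERT INTO list (email, website) VALUES (:email, :website)');
    try {
        return $stmt->execute([':email' => $email, ':website' => $website]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation, i.e. the UNIQUE index hit.
        if ($e->getCode() === '23000') {
            return false;
        }
        throw $e;
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$email, $website, $errors] = validate_submission($_POST);
    if (!$errors && !insert_subscriber($pdo, $email, $website)) {
        $errors[] = 'That email or website is already registered.';
    }
    foreach ($errors as $msg) {
        // Escape on output so nothing reflected back can inject markup.
        echo '<p style="color:red;">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    if (!$errors) {
        echo '<p>THANKS!</p>';
    }
}
```

Re-showing the form on error works the same as in the question; only the processing above changes.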

I think it should work great as long as you are using the important functions such as real escape and validate URL and email. Keep it up.

Thanks
