
LAST EDIT: Everything works now. I will post the working code below. After cleaning up as idealcastle suggested and fixing some syntax errors, everything works as it should together with the JavaScript validation. Thank you, everyone.

HTML code:

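<!-- Contact form posted to postcontact.php. The ids (name, email, message, *_validation)
     are what validateForm() in the JavaScript file looks up, so they are kept as-is,
     and the inline onsubmit is kept for the same reason; a CSP-friendly equivalent is
     form.addEventListener("submit", ...) inside that file. Whatever the browser checks
     here is a convenience only: postcontact.php must validate and bind every value.
     The form name had a trailing space ("contact ") and has been trimmed. -->
<form name="contact" id="contact_form" action="postcontact.php" method="post" onsubmit="return validateForm();">
  <fieldset id="boxc">
    <legend>Porosia juaj ?</legend>
    <!-- The boxes share name="orders", so $_POST['orders'] holds only the last one checked;
         switching to name="orders[]" needs a matching change in postcontact.php. -->
    <label><input name="orders" type="checkbox" value="veshje"> Veshje</label>
    <label><input name="orders" type="checkbox" value="mbathje"> Mbathje</label>
    <label><input name="orders" type="checkbox" value="stoli"> Stoli</label>
  </fieldset>
  <div class="row">
    <label class="required" for="name">Emri:</label><br>
    <input id="name" name="name" type="text" value="" size="30" autocomplete="name" placeholder="Emri" required><br>
    <span id="name_validation" class="error" aria-live="polite"></span>
  </div>
  <!-- The label is now tied to the select through for/id (it had neither before). -->
  <label class="required" for="state">Country/State:</label><br>
  <div class="row" id="statecmb">
    <select id="state" name="state">
      <option value="chose" selected>[choose yours]</option>
      <option value="albania">Albania</option>
      <option value="kosovo">Kosovo</option>
      <option value="germany">Germany</option>
      <option value="bangladesh">Bangladesh</option>
    </select>
    <span id="state_validation" class="error" aria-live="polite"></span>
  </div>
  <div class="row">
    <label class="required" for="email">Email:</label><br>
    <!-- type="email" gives native format checking and the right mobile keyboard;
         validateForm() still applies its own pattern on top. -->
    <input id="email" name="email" type="email" value="" size="30" autocomplete="email" placeholder="Email" required><br>
    <span id="email_validation" class="error" aria-live="polite"></span>
  </div>
  <div class="row">
    <label class="required" for="message">Mesazhi:</label><br>
    <textarea id="message" name="message" rows="7" cols="30" placeholder="Mesazhi" required></textarea><br>
    <span id="message_validation" class="error" aria-live="polite"></span>
  </div>

  <!-- name="submit" is kept: postcontact.php only handles the request when $_POST['submit'] is set. -->
  <input name="submit" id="sub" type="submit" value="Submit">
  <fieldset class="rating">
    <legend>Vlerso Sherbimin :</legend>
    <!-- Each radio is wrapped in a label so the digit is clickable and announced with the control. -->
    <label><input type="radio" name="rate" value="1"> 1</label>
    <label><input type="radio" name="rate" value="2"> 2</label>
    <label><input type="radio" name="rate" value="3"> 3</label>
    <label><input type="radio" name="rate" value="4"> 4</label>
    <label><input type="radio" name="rate" value="5"> 5</label>
  </fieldset>
</form>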

JavaScript file:

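/**
 * Validates the contact form before it is posted to postcontact.php.
 *
 * Checks that the name, message and email fields are non-empty and that the
 * email matches a simple address pattern. Each failing field gets its
 * "<field>_validation" span filled with a message and its row tinted; fields
 * that pass have the tint cleared again.
 *
 * The previous version returned nothing, so `onsubmit="return validateForm();"`
 * never blocked submission and invalid forms were posted anyway. It also read a
 * bare `message` global (the element leaked via its id) instead of looking it up.
 *
 * This is a usability aid only; the server must re-validate everything it stores.
 *
 * @returns {boolean} true when every check passed, false (after an alert) otherwise.
 */
function validateForm() {
    // Same pattern as before: local part, one or more dot-separated labels, 2-4 char TLD.
    var EMAIL_PATTERN = /^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/;
    var ERROR_BG = "#FFDFDF";

    // Reads a field's value by id, with surrounding whitespace removed so a
    // blank-only entry counts as empty.
    function valueOf(id) {
        return document.getElementById(id).value.trim();
    }

    // Shows `text` in the given "<field>_validation" span and tints its row;
    // an empty text hides the span and clears the tint.
    function showError(spanId, text) {
        var span = document.getElementById(spanId);
        if (text) {
            // textContent rather than innerHTML: the message is never parsed as markup.
            span.textContent = text;
            span.style.display = "block";
            span.parentNode.style.backgroundColor = ERROR_BG;
        } else {
            span.style.display = "none";
            span.parentNode.style.backgroundColor = "transparent";
        }
    }

    var nameError = valueOf("name") === "" ? "Ju lutem shenoni emrin tuaj" : "";
    var messageError = valueOf("message") === "" ? "Ju lutem plotesoni fushen e mesazhit" : "";

    // An empty email used to trigger both the "empty" and the "invalid" branch, with
    // the second overwriting the first; now exactly one message is chosen.
    var email = valueOf("email");
    var emailError = "";
    if (email === "") {
        emailError = "Ju lutem shenoni email tuaj";
    } else if (!EMAIL_PATTERN.test(email)) {
        emailError = "Email juaj nuk eshte valid";
    }

    showError("name_validation", nameError);
    showError("message_validation", messageError);
    showError("email_validation", emailError);

    var valid = !(nameError || messageError || emailError);
    if (!valid) {
        alert("KENI ERROR : Fushat duhen te plotesohen ");
    }
    return valid;
}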

PHP file:

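<?php
/*
 * Database connection shared by the request handler below.
 *
 * NOTE(review): the credentials are hard-coded (root with an empty password). That is
 * tolerable for a local development box only; real credentials belong in a config file
 * outside the web root, not in this script.
 */
$host = 'localhost';
$user = 'root';
$pass = '';
$db = 'herdesigns';

$con = mysqli_connect($host, $user, $pass, $db);
// mysqli_error() requires a link and there is none after a failed connect, so the
// previous die(mysqli_error()) itself raised an error; mysqli_connect_error() is the
// function meant for this case.
if (!$con) {
    die('Connection failed: ' . mysqli_connect_error());
}
// Fix the connection charset so escaping and bound strings agree with the server.
mysqli_set_charset($con, 'utf8');
?>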

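<?php
/*
 * Handles the POST from the contact form: inserts one row into `contacts` and
 * redirects back to contact.php. Expects $con from the connection block above.
 *
 * Values are bound through a prepared statement, so they travel as data and
 * are never interpolated into the SQL text. Note that the form's three
 * checkboxes share name="orders", so only the last one checked reaches
 * $_POST['orders'].
 */

// Returns the trimmed POST field, or '' when the browser did not send it at all
// (no checkbox ticked, no radio chosen) instead of raising an undefined-index notice.
function post_field($key)
{
    return isset($_POST[$key]) ? trim((string) $_POST[$key]) : '';
}

if (isset($_POST['submit'])) {
    $name    = post_field('name');
    $email   = post_field('email');
    $message = post_field('message');
    $rate    = post_field('rate');
    $orders  = post_field('orders');
    $state   = post_field('state');

    // validateForm() runs only in the browser and can be skipped, so the
    // required fields are checked again here.
    if ($name === '' || $email === '' || $message === '') {
        die('Error: name, email and message are required');
    }

    $sql = 'INSERT INTO contacts (orders, name, state, email, message, rate) VALUES (?, ?, ?, ?, ?, ?)';
    $stmt = mysqli_prepare($con, $sql);
    if ($stmt === false) {
        // Keep the driver's message in the server log; the visitor gets a generic text.
        error_log('postcontact.php prepare failed: ' . mysqli_error($con));
        die('Error: the message could not be saved');
    }
    mysqli_stmt_bind_param($stmt, 'ssssss', $orders, $name, $state, $email, $message, $rate);

    // Executed exactly once: the previous version called mysqli_query() a second
    // time after the success check, inserting every submission twice.
    if (!mysqli_stmt_execute($stmt)) {
        error_log('postcontact.php insert failed: ' . mysqli_stmt_error($stmt));
        die('Error: the message could not be saved');
    }
    mysqli_stmt_close($stmt);
    mysqli_close($con);

    // header() only works before any output, so the success text can no longer be
    // echoed here; contact.php should display "Mesazhi juaj eshte postuar me sukses"
    // itself (for example from a session flag set before this redirect).
    header('Location: contact.php');
    exit;
}
?>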
  • What's the code for `validateForm()`? It may be preventing the form from posting. Also, use prepared statements for your SQL to prevent SQL injection. – Mr. Llama Jun 27 '14 at 22:12
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jun 27 '14 at 22:21
  • $sql = "INSERT INTO contacts SET name = 'test' "; (run a test first, and see if you can insert anything manually into mysql) – tmarois Jun 29 '14 at 14:21
  • Judging from those undefined-index warnings, it looks like your POST variables are not being filled in. They are blank, and that is causing MySQL to reject the query. – tmarois Jun 29 '14 at 14:24
  • Make sure when you submit everything has a value (all your POST inputs. for instance, name is undefined) – tmarois Jun 29 '14 at 14:31
  • After adding the isset checks, the undefined-index errors aren't showing anymore – Lend Kelmendi Jun 29 '14 at 17:07



EDIT: Which field is NOW() going to?

I would remove it if there is no actual field to receive that datetime, or add a field for it. Try submitting to MySQL without NOW(); it would look like:

// Six columns, six values: the NOW() has been dropped because `contacts` has no
// datetime column to receive it. The $variables are still interpolated raw here;
// the escaped variant further down closes the quoting problem, and binding them
// with a prepared statement is the more robust form.
$sql = "INSERT INTO contacts (
            name,
            email,
            message,
            rate,
            orders,
            state
        )
        VALUES (
            '$name',
            '$email',
            '$message',
            '$rate',
            '$orders', 
            '$state'
        )";

The first thing I notice is that the PHP code is being shown in the browser. If you are being sent to file:// that is not good; you should be using

http://localhost/

(if you are testing locally) or of course using the server url if live.

found here
Browser is showing PHP code instead of processing it

Second, you should escape the data before it goes into MySQL. If any one of those values contains a single or double quote, the MySQL query will fail.

Since you are using the old mysql functions, here is the escape function that should work:

 mysql_real_escape_string()

I would do this,

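 // mysql_real_escape_string() belongs to the obsolete ext/mysql API, which has no link
 // argument; the question's code uses mysqli, whose escape function takes the connection
 // first. The column list names six columns, so VALUES must hold six entries: the NOW()
 // that was here made it seven and the INSERT failed. Escaping keeps quotes from breaking
 // the statement, but a prepared statement (mysqli_prepare + mysqli_stmt_bind_param) is
 // the form to prefer.
 $sql = "INSERT INTO contacts (
            name,
            email,
            message,
            rate,
            orders,
            state
        )
        VALUES (
            '" . mysqli_real_escape_string($con, $name) . "',
            '" . mysqli_real_escape_string($con, $email) . "',
            '" . mysqli_real_escape_string($con, $message) . "',
            '" . mysqli_real_escape_string($con, $rate) . "',
            '" . mysqli_real_escape_string($con, $orders) . "',
            '" . mysqli_real_escape_string($con, $state) . "'
        )";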

I am not sure whether any one of these is the cause, but they are red flags from what you have posted. You should always sanitize (escape) inputs so they cannot break MySQL queries.

tmarois
  • Just tried it; when I click the submit button it just sends me to postcontact.php on a blank page, and yes, I am doing this via "localhost/contact.php" – Lend Kelmendi Jun 28 '14 at 09:25
  • The blank page is fine, that means php is processing. Anything send to mysql? add this to the top of that php page inside the – tmarois Jun 28 '14 at 12:52
  • I edited the post, let me know if that resolved the mysql issue. If not see my comment above about errors. – tmarois Jun 28 '14 at 13:18

It could be an HTTP 500 error on validform.php.

Please install Firebug on Firefox; it will save you lots of time. Press [F12], reload the page, and the Network tab will show you the error code.

Also, you need to load this page through the web server: http://localhost/dir/file instead of c://shittyos_amp/dir/thing.php

Plus, you should use the PDO API for the connection and for every request to the DB, as pdo->prepare will secure the request easily for you.

Don't worry, it's easy! See PHP: Is mysql_real_escape_string sufficient for cleaning user input?

Don't say you don't need security: this input form could erase your database if a user types an SQL command into it!

Also, if the validation is executed client-side, it will never protect anything, as JS can be disabled by the user.

note: I still consider myself a noob (it's my first answer here!); never forget that the web is moving every day, and so is security. Back-end and front-end are both server-side from an application point of view: front end = friendly interface (code), back end = API (hard/low-level code)

PS: flash is ugly and obsolete, Adobe product's aren't free as freedom and their cloud sucks^^ (troll off)

Is it yours? http://www.her-design.com/

tuxun
  • Like I said, this is a university project; our professor gave us some PSD files to slice up, and after the slicing we should add some PHP. That's why I said there is no need for security measures – Lend Kelmendi Jun 28 '14 at 09:20