
I have a long contact form on my car website which, as you can see, the customer must fill in with his or her name, car model, car tip, mobile number, etc. As you see, I have a condition for the email, and if it is not valid it gives an error message and clears all the previous fields which the customer has filled in:

<?php
error_reporting(0);
include("config_mashin.php");   // defines $connect and $db_table
$error = "";                    // initialise, otherwise the .= below appends to an undefined variable
$namee = mysqli_real_escape_string($connect, $_POST['namee']);
$modell = mysqli_real_escape_string($connect, $_POST['modell']);
$tipp = mysqli_real_escape_string($connect, $_POST['tipp']);
$colorr = mysqli_real_escape_string($connect, $_POST['colorr']);
$exchangee = mysqli_real_escape_string($connect, $_POST['exchangee']);
$pricee = mysqli_real_escape_string($connect, $_POST['pricee']);
$loan = mysqli_real_escape_string($connect, $_POST['loan']);

$family = mysqli_real_escape_string($connect, $_POST['family']);
if (!empty($_POST['emaill'])) {
    // escape the email like the other fields, since it is inserted as well
    $emaill = mysqli_real_escape_string($connect, $_POST['emaill']);
    if (!preg_match("/^[_a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $emaill)) {
        $error .= "The e-mail address you entered is not valid. <br/>";
        echo $error;
    }
}
$mobilee = mysqli_real_escape_string($connect, $_POST['mobilee']);
$phonee = mysqli_real_escape_string($connect, $_POST['phonee']);
if (isset($_POST['submit']) && empty($error)) {
    // insert to database
    $insert = mysqli_query($connect, "INSERT INTO $db_table VALUES (i dont write this part to simplify code)");
}
?>

Is there any way to keep the other fields intact so the customer only has to modify the email part? Please help.

  • Yes, in your HTML code you test that each of the `$_POST` fields has a value or not, if it does you replace the value in the HTML – RiggsFolly Jun 06 '16 at 09:46
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared statements and parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jun 06 '16 at 09:47
  • Thank you very much for your answer. About the SQL injection part: I thought that because I used mysqli_real_escape_string it is safe. What else do I have to do? – Malekian Jun 06 '16 at 10:39

1 Answer

You can do something like:

<form method='post' action=''>
    <!-- re-fill the field from the submitted value; htmlspecialchars stops a submitted value from closing the attribute -->
    <input type='text' name='name' value='<?php echo isset($_POST['name']) ? htmlspecialchars($_POST['name'], ENT_QUOTES) : ""; ?>' />
    <input type='submit' name='submit' value='Submit' />
</form>

and so on for each of your fields.

  • Thank you very much for your answer. It worked for input boxes, but I cannot handle it for dropdown lists and checkboxes – Malekian Jun 06 '16 at 10:35
  • options: ``, checkboxes: ` name="checkbox_name" value="checkbox_value" />` – xjmdoo Jun 06 '16 at 11:05
  • Thank you very much, it worked, I really appreciate it. Can you help me with SQL injection in this form? I thought that because I used mysqli_real_escape_string it is safe, but now I think it is not enough. What else do I have to do? Thank you again and sorry to ask a lot of questions. – Malekian Jun 06 '16 at 11:19
  • Then please accept it as your answer. SQL injection is another question not related to this one, so please open a new question but first search for similar already answered questions. There are tons of resources discussing the best approaches here on stackoverflow. – xjmdoo Jun 06 '16 at 11:36
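The same idea carried through to the dropdown and checkbox the comments ask about, as an added example that is not code from the question or the answer: every echoed value is escaped so a submitted value cannot break out of its attribute, and the insert uses a prepared statement as the comments recommend. Field names are the poster's; the option list, the column names and what config_mashin.php defines are assumptions.

```php
<?php
// Added example, not code from the question or the answer. It re-populates
// text inputs, a <select> and a checkbox after failed validation, escapes every
// echoed value (an unescaped $_POST value could break out of the attribute),
// and inserts with a prepared statement instead of string concatenation.
// Field names are the poster's; the option list and column names are assumed.
include("config_mashin.php");   // assumed to define $connect and $db_table as in the question
$errors = [];
$old = [];
foreach (['namee', 'modell', 'colorr', 'emaill', 'loan'] as $f) {
    $old[$f] = isset($_POST[$f]) ? trim((string) $_POST[$f]) : '';
}
if (isset($_POST['submit'])) {
    // email stays optional, as in the question; filter_var replaces the hand-written regex
    if ($old['emaill'] !== '' && !filter_var($old['emaill'], FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'The e-mail address you entered is not valid.';
    }
    if ($errors === []) {
        // $db_table comes from the config file, not from the user; the values are bound
        // as parameters, so they are never parsed as SQL.
        $stmt = mysqli_prepare($connect,
            "INSERT INTO $db_table (namee, modell, colorr, emaill, loan) VALUES (?, ?, ?, ?, ?)");
        $loanFlag = ($old['loan'] === '1') ? 1 : 0;
        mysqli_stmt_bind_param($stmt, 'ssssi', $old['namee'], $old['modell'],
            $old['colorr'], $old['emaill'], $loanFlag);
        mysqli_stmt_execute($stmt);
    }
}
// Escape a value for use inside an HTML attribute or text node.
function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
$colors = ['white', 'black', 'silver']; // assumed option list
?>
<?php foreach ($errors as $e): ?><p><?= h($e) ?></p><?php endforeach; ?>
<form method="post" action="">
  <input type="text" name="namee" value="<?= h($old['namee']) ?>" />
  <input type="text" name="modell" value="<?= h($old['modell']) ?>" />
  <select name="colorr">
    <?php foreach ($colors as $c): ?>
      <option value="<?= h($c) ?>"<?= $old['colorr'] === $c ? ' selected' : '' ?>><?= h($c) ?></option>
    <?php endforeach; ?>
  </select>
  <label><input type="checkbox" name="loan" value="1"<?= $old['loan'] === '1' ? ' checked' : '' ?> /> Loan</label>
  <input type="text" name="emaill" value="<?= h($old['emaill']) ?>" />
  <input type="submit" name="submit" value="Submit" />
</form>
```

On a failed submit the `$old` array is still filled, so only the invalid email needs correcting; the `selected`/`checked` attributes are emitted only when the submitted value matches, which is the part the plain `value=` trick from the answer cannot do.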