
I have the below code to capture URL variables and push them to an RDS database. When I open the below as a page using this URL

https://example.com.au/post.php?UniqueID=1234&usename=test&useemail=test%40test.com&usephone=1800+000+000&refid=28383

It works perfectly. But when using Formstack webhooks to push the data, only the date field works.

The main difference in how they execute is that the webhook does not open the page in the browser.

Is there something I am missing, or is this an AWS RDS limitation?

    <?php
    $userid = $_GET['UniqueID'];
    $username = $_GET['usename'];
    $useremail = $_GET['useemail'];
    $userphone = $_GET['usephone'];
    $userref = $_GET['refid'];

    $link = mysqli_connect('xxxx.xxxx.ap-southeast-2.rds.amazonaws.com', 'xxxxx', 'xxxxxx','xxxxxxx');

    // Check connection
    if (mysqli_connect_errno())
      {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
      }

    // Check if server is alive
    if (mysqli_ping($link))
      {
      echo "Connection is ok!";
      }
    else
      {
      echo "Error: ". mysqli_error($link);
      }




    mysqli_query($link,"INSERT INTO landing_post (`useid`, `name`, `email`, `phone`, `refid`, `DateTime` ) VALUES ('$userid', '$username', '$useremail', '$userphone', '$userref', CURDATE())") 
    or die(mysqli_error($link));


      echo "Entered data successfully\n";


    mysqli_close($link);
    ?>
Andy Mac
  • your code is ***so*** insecure.... please [**read this as a starter....**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Martin Feb 15 '18 at 19:24

1 Answer

Our webhooks use POST instead of a GET request (From our docs: https://developers.formstack.com/docs/webhook-setup):

> We send the form submission data through an HTTP POST request as either URL encoded form data or as a JSON string depending on the format you select in the webhook configuration options.

You can simply change the first few lines of code to $_REQUEST if you'd like it to support both GET and POST, or you can change it to just $_POST if you'd rather it handle POST only.

    $userid    = $_REQUEST['UniqueID'];
    $username  = $_REQUEST['usename'];
    $useremail = $_REQUEST['useemail'];
    $userphone = $_REQUEST['usephone'];
    $userref   = $_REQUEST['refid'];

....

I might also offer up that it is a good idea to wrap some logic around it so that you do not try to send to MySQL unless the data you want is there:

    if (!empty($_REQUEST['refid'])) {

You could even send a message on the else of that condition to send an email that something went wrong, or log it to your favorite place!

Thanks,

Chris P. @ Formstack
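
A receiver that follows the answer's advice, as an added example (not the poster's or Formstack's code): it accepts only POST, reads either body format named in the quoted docs, checks that every field is present before touching MySQL, and binds the values as parameters, which addresses the SQL injection raised in the comment. It assumes the webhook payload uses the same keys as the question's URL and that a JSON payload arrives with an `application/json` content type.

```php
<?php
// Added example. Field names are the ones in the question's URL; that the
// webhook payload uses the same keys is an assumption.
const FIELDS = ['UniqueID', 'usename', 'useemail', 'usephone', 'refid'];

// Return the submitted fields from either a URL-encoded or a JSON POST body.
function read_webhook_fields(string $contentType, array $post, string $rawBody): array
{
    $data = $post;
    if (stripos($contentType, 'application/json') !== false) {
        $decoded = json_decode($rawBody, true);
        $data = is_array($decoded) ? $decoded : [];
    }
    $fields = [];
    foreach (FIELDS as $name) {
        // Accept only non-empty scalar values; anything else counts as missing.
        if (!isset($data[$name]) || !is_scalar($data[$name]) || trim((string) $data[$name]) === '') {
            throw new InvalidArgumentException("missing field: $name");
        }
        $fields[$name] = trim((string) $data[$name]);
    }
    return $fields;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit('POST only');
}
try {
    $f = read_webhook_fields($_SERVER['CONTENT_TYPE'] ?? '', $_POST, file_get_contents('php://input'));
} catch (InvalidArgumentException $e) {
    error_log('webhook rejected: ' . $e->getMessage()); // log instead of inserting partial rows
    http_response_code(400);
    exit('Bad request');
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
// Placeholder host and credentials, as in the question.
$link = mysqli_connect('xxxx.xxxx.ap-southeast-2.rds.amazonaws.com', 'xxxxx', 'xxxxxx', 'xxxxxxx');
// Values are bound as parameters, never concatenated into the SQL text.
$stmt = mysqli_prepare($link,
    'INSERT INTO landing_post (`useid`, `name`, `email`, `phone`, `refid`, `DateTime`)
     VALUES (?, ?, ?, ?, ?, CURDATE())');
mysqli_stmt_bind_param($stmt, 'sssss', $f['UniqueID'], $f['usename'], $f['useemail'], $f['usephone'], $f['refid']);
mysqli_stmt_execute($stmt);
mysqli_close($link);
echo "Entered data successfully\n";
```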