I have an HTML form that I submit with PHP. What I am trying to achieve is that the data entered in the form is automatically inserted into the database when the form is submitted, and also that an email is sent with the form data.
In this case I already structured everything: you fill out the form and all the data is sent correctly by email, but it is not inserted into the database. I want to know in which part of my code I am wrong or what I need to add.
Since this form has email, confirmaemail, contraseña and confirmacontraseña fields, I hope you can help me apply the respective validations so that this can work.
<?php
$C_FIRST_NAME=$_POST['C_FIRST_NAME'];
$C_SECOND_NAME=$_POST['C_SECOND_NAME'];
$C_FIRST_LAST_NAME=$_POST['C_FIRST_LAST_NAME'];
$C_SECOND_LAST_NAME=$_POST['C_SECOND_LAST_NAME'];
$C_EMAIL=$_POST['C_EMAIL'];
$C_EMAIL_CONFIRMATION= $_POST['C_EMAIL_CONFIRMATION'];
$C_PASSWORD=$_POST['C_PASSWORD'];
$C_PASSWORD_CONFIRMATION=$_POST['C_PASSWORD_CONFIRMATION'];
$C_CELLPHONE=$_POST['C_CELLPHONE'];
$C_ADDRESS=$_POST['C_ADDRESS'];
$C_CITY=$_POST['C_CITY'];
$C_STATE=$_POST['C_STATE'];
$C_ZIP_CODE=$_POST['C_ZIP_CODE'];
$C_COUNTRY=$_POST['C_COUNTRY'];
$C_CREDIT_CARD_TYPE=$_POST['C_CREDIT_CARD_TYPE'];
$C_CARD_NUMBER=$_POST['C_CARD_NUMBER'];
$C_CARD_EXP_MONTH=$_POST['C_CARD_EXP_MONTH'];
$C_CARD_EXP_YEAR=$_POST['C_CARD_EXP_YEAR'];
$C_CARDHOLDER_NAME=$_POST['C_CARDHOLDER_NAME'];
$C_CARD_SECURITY_CODE=$_POST['C_CARD_SECURITY_CODE'];
$C_CARD_ZIP_CODE=$_POST['C_CARD_ZIP_CODE'];
$R1_FIRST_NAME=$_POST['R1_FIRST_NAME'];
$R1_SECOND_NAME=$_POST['R1_SECOND_NAME'];
$R1_FIRST_LAST_NAME=$_POST['R1_FIRST_LAST_NAME'];
$R1_SECOND_LAST_NAME=$_POST['R1_SECOND_LAST_NAME'];
$R1_EMAIL=$_POST['R1_EMAIL'];
$R1_EMAIL_CONFIRMATION=$_POST['R1_EMAIL_CONFIRMATION'];
$R1_CELLPHONE=$_POST['R1_CELLPHONE'];
$R1_ADDRESS=$_POST['R1_ADDRESS'];
$R1_CITY=$_POST['R1_CITY'];
$R1_STATE=$_POST['R1_STATE'];
$R1_ZIP_CODE=$_POST['R1_ZIP_CODE'];
$R1_COUNTRY=$_POST['R1_COUNTRY'];
$R1_BANKING_CTR=$_POST['R1_BANKING_CTR'];
$R1_DELIVERY_METHOD=$_POST['R1_DELIVERY_METHOD'];
$R1_BNK_ACCT_NBR=$_POST['R1_BNK_ACCT_NBR'];
$R1_BNK_ACCT_NBR_CONFIRMATION=$_POST['R1_BNK_ACCT_NBR_CONFIRMATION'];
$R1_BANK_CITY=$_POST['R1_BANK_CITY'];
$R1_BANK_STATE=$_POST['R1_BANK_STATE'];
require("connect_db.php");
mysql_query("INSERT INTO usuarios (C_FIRST_NAME,C_SECOND_NAME,C_FIRST_LAST_NAME,C_SECOND_LAST_NAME,C_EMAIL,C_PASSWORD,C_CELLPHONE,C_ADDRESS,C_CITY,C_STATE,C_ZIP_CODE,
C_COUNTRY,C_CREDIT_CARD_TYPE,C_CARD_NUMBER,C_CARD_EXP_MONTH,C_CARD_EXP_YEAR,C_CARDHOLDER_NAME,C_CARD_SECURITY_CODE,C_CARD_ZIP_CODE,R1_FIRST_NAME,R1_SECOND_NAME,
R1_FIRST_LAST_NAME,R1_SECOND_LAST_NAME,R1_EMAIL,R1_CELLPHONE,R1_ADDRESS,R1_CITY,R1_STATE,R1_ZIP_CODE,R1_COUNTRY,R1_BANKING_CTR,R1_DELIVERY_METHOD,R1_BNK_ACCT_NBR,
R1_BANK_CITY,R1_BANK_STATE) VALUES ('.$C_FIRST_NAME.', '.$C_SECOND_NAME.'
, '.$C_FIRST_LAST_NAME.', '.$C_SECOND_LAST_NAME.', '.$C_EMAIL.'
, '.$C_PASSWORD.', '.$C_CELLPHONE.', '.$C_ADDRESS.', '.$C_CITY.'
, '.$C_STATE.', '.$C_ZIP_CODE.', '.$C_COUNTRY.'
, '.$C_CREDIT_CARD_TYPE.', '.$C_CARD_NUMBER.', '.$C_CARD_EXP_MONTH.
, '.$C_CARD_EXP_YEAR.', '.$C_CARDHOLDER_NAME.', '.$C_CARD_SECURITY_CODE.'
, '.$C_CARD_ZIP_CODE.', '.$R1_FIRST_NAME.', '.$R1_SECOND_NAME.'
, '.$R1_FIRST_LAST_NAME.', '.$R1_SECOND_LAST_NAME.', '.$R1_EMAIL.'
, '.$R1_CELLPHONE.', '.$R1_ADDRESS.'
, '.$R1_CITY.', '.$R1_STATE.', '.$R1_ZIP_CODE.'
, '.$R1_COUNTRY.', '.$R1_BANKING_CTR.', '.$R1_DELIVERY_METHOD.'
, '.$R1_BNK_ACCT_NBR.', '.$R1_BANK_CITY.'
, '.$R1_BANK_STATE.')");
?>
<?php
if ($_POST['submit'] != "")
{
// receiver
$to = '[email protected]';
// subject
$subject = 'NEW ENROLLMENT';
// message
$message = '
<html>
<head>
<title>'.$subject.'</title>
</head>
<body>
<b>NEW CUSTOMER REGISTRATION FORM</b><br>
<br>
<strong>CUSTOMER INFORMATION</strong><br>
FIRST NAME : <b>'.$_POST["C_FIRST_NAME"].'</b><br>
SECOND NAME : <b>'.$_POST["C_SECOND_NAME"].'</b><br>
FIRST LAST NAME : <b>'.$_POST["C_FIRST_LAST_NAME"].'</b><br>
SECOND LAST NAME : <b>'.$_POST["C_SECOND_LAST_NAME"].'</b><br>
EMAIL : <b>'.$_POST["C_EMAIL"].'</b><br>
EMAIL CONFIRMATION : <b>'.$_POST["C_EMAIL_CONFIRMATION"].'</b><br>
PASSWORD : <b>'.$_POST["C_PASSWORD"].'</b><br>
PASSWORD CONFIRMATION : <b>'.$_POST["C_PASSWORD_CONFIRMATION"].'</b><br>
CELLPHONE NUMBER : <b>'.$_POST["C_CELLPHONE"].'</b><br>
ADDRESS : <b>'.$_POST["C_ADDRESS"].'</b><br>
CITY : <b>'.$_POST["C_CITY"].'</b><br>
STATE : <b>'.$_POST["C_STATE"].'</b><br>
ZIP CODE : <b>'.$_POST["C_ZIP_CODE"].'</b><br>
COUNTRY OF RESIDENCE : <b>'.$_POST["C_COUNTRY"].'</b><br>
<br>
<b>CUSTOMER PAYMENT METHOD</b><br>
PAYMENT CARD TYPE : <b>'.$_POST["C_CREDIT_CARD_TYPE"].'</b><br>
PAYMENT CARD NUMBER : <b>'.$_POST["C_CARD_NUMBER"].'</b><br>
PAYMENT CARD EXP DATE : <b>'.$_POST["C_CARD_EXP_MONTH"].' / '.$_POST["C_CARD_EXP_YEAR"].'</b><br>
PAYMENT CARDHOLDER NAME : <b>'.$_POST["C_CARDHOLDER_NAME"].'</b><br>
PAYMENT CARD SECURITY CODE : <b>'.$_POST["C_CARD_SECURITY_CODE"].'</b><br>
PAYMENT CARD ZIP CODE : <b>'.$_POST["C_CARD_ZIP_CODE"].'</b><br>
<br>
<b>RECEIVER INFORMATION</b><br>
FIRST NAME : <b>'.$_POST["R1_FIRST_NAME"].'</b><br>
SECOND NAME : <b>'.$_POST["R1_SECOND_NAME"].'</b><br>
FIRST LAST NAME : <b>'.$_POST["R1_FIRST_LAST_NAME"].'</b><br>
SECOND LAST NAME : <b>'.$_POST["R1_SECOND_LAST_NAME"].'</b><br>
EMAIL : <b>'.$_POST["R1_EMAIL"].'</b><br>
EMAIL CONFIRMATION : <b>'.$_POST["R1_EMAIL_CONFIRMATION"].'</b><br>
CELLPHONE NUMBER : <b>'.$_POST["R1_CELLPHONE"].'</b><br>
ADDRESS : <b>'.$_POST["R1_ADDRESS"].'</b><br>
CITY : <b>'.$_POST["R1_CITY"].'</b><br>
STATE : <b>'.$_POST["R1_STATE"].'</b><br>
ZIP CODE : <b>'.$_POST["R1_ZIP_CODE"].'</b><br>
COUNTRY OF RESIDENCE : <b>'.$_POST["R1_COUNTRY"].'</b><br>
<br>
<b>RECEIVER BANK ACCOUNT INFORMATION</b><br>
BANKING INSTITUTION : <b>'.$_POST["R1_BANKING_CTR"].'</b><br>
DELIVERY METHOD : <b>'.$_POST["R1_DELIVERY_METHOD"].'</b><br>
BANK ACCOUNT NUMBER : <b>'.$_POST["R1_BNK_ACCT_NBR"].'</b><br>
ACCOUNT NUMBER CONFIRMATION : <b>'.$_POST["R1_BNK_ACCT_NBR_CONFIRMATION"].'</b><br>
BANK CITY OF LOCATION : <b>'.$_POST["R1_BANK_CITY"].'</b><br>
BANK STATE OF LOCATION : <b>'.$_POST["R1_BANK_STATE"].'</b><br>
</body>
</html>
';
// To send HTML mail, the Content-type header must be set
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
// Additional headers
$headers .= 'To: '.$to. " \r\n";
$headers .= 'From: REMESAS ENVIA <[email protected]>' . "\r\n";
// Mail it
mail($to, $subject, $message, $headers);
}
?>
<script type="text/javascript">
var pagina = 'ending_page.php';
var segundos = 0;
function redireccion() {
document.location.href=pagina;
}
setTimeout("redireccion()",segundos);
</script>
In the database all the fields allow NULL except the ID, which is auto-incrementing, but I don't know whether it is created automatically every time a new user's data is entered or whether it has to be created for this to work. I hope you can help me solve this problem, thank you.
I don't know what part of your code causes the data insertion to fail (we may find out as I write the answer, which I think will be long). I found the error and I will put the solution at the end, but I will point out some parts of your code that you should change ASAP. It's essential that you make some of these changes before you even proceed further with the project, because some of them are really serious security issues. The list is in no particular order.
Stop using the mysql_* functions, use mysqli_* or PDO
You are using the mysql_* functions, which were deprecated in PHP 5.5 and completely removed as of PHP 7.0. Instead you should use PDO or MySQLi. It makes no sense to develop on a technology that is not supported and that the official PHP page itself recommends not using.
Sanitize your input parameters
Never, ever, ever trust the text a user sends you. Always assume that the user is an evil person trying to destroy your database and website and treat their input as such. 99.9% of your users are going to be good people who want to visit your page, but it only takes 1 bad person to destroy years of hard work in just seconds.
This won't be as big of an issue if you are using parameterized queries, which brings me to my next point.
Don't use dynamic SQL, use prepared queries
This failure is because you use the mysql_* functions, which don't support prepared/parameterized queries. When you switch to mysqli_* or PDO you can (and should) use prepared queries. That will prevent your code from being susceptible to SQL injection attacks, and yes, your code is susceptible to SQL injection attacks. And not only from a security point of view, but also from a usability point of view: the chances of human error and query failure are higher with dynamic SQL than with prepared queries.
Sanitize your output parameters
Just as important as sanitizing input parameters is sanitizing output parameters if you don't know their source. Right now you are writing user input to your web page without sanitizing it, which makes your code susceptible to XSS (Cross Site Scripting) attacks, where malicious users could insert their own JavaScript code to run on your page, as if it were your own code!
Make better use of redirects
This isn't directly related to security, it's more of a usability recommendation: don't do redirects with JavaScript when you could do them from PHP or HTML (using meta tags). As you have the code, you perform your operations and generate JavaScript to redirect to a second page; this is bad because: a) the user could have JavaScript disabled and then they will only see a blank page; and b) you are generating unnecessary traffic for the user, who has to receive a page that does nothing but redirect, when you could get a similar result using PHP's header() without the need for data to be sent to the client and you receiving a new page request.
How to fix the problem with the insert?
The problem is how you generate the SQL query dynamically (something you shouldn't do, as explained above). If you look at '.$C_CARD_EXP_MONTH. you will see that you are missing some closing quotes, which makes the query syntactically wrong, so it is not executed. But there is more: even after fixing that problem, there are more problems: either you are missing double quotes in many places, or you have extra periods in those same places. And that will make your fields not have the length and content that you think they have (they will have a period at the beginning and at the end). In fact, if any of your fields is not a varchar/text but a number, the insert will directly fail.
Let's directly see an example with the expiration year of the credit card (insert icon with a panicked face on seeing that the form deals with sensitive data and has serious security problems): when performing the substitution it will remain as , '.2018.', . If the field in your database is a number or a year, it will fail because the value is wrong.
See if the connection file is actually making the connection. Try searching for something in the database, or look at the MySQL database connections using MySqlWorkbench (MySqlWorkbench->Management->Client Connections). If you look at MySqlWorkbench you can also see if the INSERT command is correct. I think your Insert command is wrong; echo it to fix it. Another way is to try to make your Insert with few fields at the beginning and add more after doing the first few inserts.
Cheers,
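Worked example added by the editor, not code from the question or from either answer. It pulls together the first answer's four points (PDO instead of mysql_*, a prepared INSERT, escaped output, a header() redirect) plus the email/password confirmation checks the asker requested. Assumptions: the "usuarios" table name is the asker's, but the column set, the recipient address and the in-memory SQLite database (used only so the file runs stand-alone) are the editor's; in production the DSN becomes a mysql: one and nothing else changes.

```php
<?php
declare(strict_types=1);
// Added example, not code from the question or either answer: the enrollment
// handler rebuilt with input validation, a PDO prepared INSERT, HTML-escaped
// mail output and a server-side redirect. "usuarios" is the question's table;
// the column set, the recipient address and the in-memory SQLite database (so
// this file runs stand-alone) are assumptions; in production use a DSN such as
// "mysql:host=localhost;dbname=app;charset=utf8mb4" and change nothing else.
const MAIL_TO = 'registrations@example.com';   // assumption: the real inbox goes here

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // ID is AUTOINCREMENT: omit it from the INSERT and the database assigns it.
    // Card number, CVV and cleartext password are deliberately not columns.
    $db->exec('CREATE TABLE IF NOT EXISTS usuarios (ID INTEGER PRIMARY KEY AUTOINCREMENT,
        C_FIRST_NAME TEXT NOT NULL, C_FIRST_LAST_NAME TEXT NOT NULL, C_EMAIL TEXT NOT NULL UNIQUE,
        C_PASSWORD_HASH TEXT NOT NULL, C_CELLPHONE TEXT)');
    return $db;
}

function validate_enrollment(array $post): array
{
    $errors = [];
    foreach (['C_FIRST_NAME', 'C_FIRST_LAST_NAME', 'C_EMAIL', 'C_EMAIL_CONFIRMATION',
              'C_PASSWORD', 'C_PASSWORD_CONFIRMATION'] as $f) {
        if (!is_string($post[$f] ?? null) || trim($post[$f]) === '') {
            $errors[] = "$f is required";
        }
    }
    if ($errors !== []) { return $errors; }   // absent fields cannot be compared
    if (filter_var($post['C_EMAIL'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'C_EMAIL is not a valid address';
    }
    if ($post['C_EMAIL'] !== $post['C_EMAIL_CONFIRMATION']) {
        $errors[] = 'C_EMAIL and C_EMAIL_CONFIRMATION do not match';
    }
    if (strlen($post['C_PASSWORD']) < 12) {
        $errors[] = 'C_PASSWORD must be at least 12 characters';
    }
    if ($post['C_PASSWORD'] !== $post['C_PASSWORD_CONFIRMATION']) {
        $errors[] = 'C_PASSWORD and C_PASSWORD_CONFIRMATION do not match';
    }
    return $errors;
}

function insert_customer(PDO $db, array $post): int
{
    // The SQL text is fixed; values travel separately as parameters, so a quote,
    // a semicolon or a keyword inside the input is stored as data, never executed.
    $stmt = $db->prepare('INSERT INTO usuarios
        (C_FIRST_NAME, C_FIRST_LAST_NAME, C_EMAIL, C_PASSWORD_HASH, C_CELLPHONE)
        VALUES (:first, :last, :email, :pwhash, :cell)');
    $stmt->execute([
        ':first'  => $post['C_FIRST_NAME'],
        ':last'   => $post['C_FIRST_LAST_NAME'],
        ':email'  => $post['C_EMAIL'],
        ':pwhash' => password_hash($post['C_PASSWORD'], PASSWORD_DEFAULT),  // never the cleartext
        ':cell'   => $post['C_CELLPHONE'] ?? null,
    ]);
    return (int) $db->lastInsertId();
}

function build_mail_body(array $post): string
{
    // Escape every user-controlled value before placing it in HTML; otherwise a
    // name such as <script>...</script> runs in whoever opens the mail.
    $e = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<html><body><b>NEW CUSTOMER REGISTRATION FORM</b><br>'
        . 'FIRST NAME : <b>' . $e($post['C_FIRST_NAME']) . '</b><br>'
        . 'EMAIL : <b>' . $e($post['C_EMAIL']) . '</b></body></html>';
}

function handle_post(PDO $db, array $post): void
{
    $errors = validate_enrollment($post);
    if ($errors !== []) {
        http_response_code(422);
        foreach ($errors as $msg) { echo htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "<br>\n"; }
        return;
    }
    insert_customer($db, $post);
    mail(MAIL_TO, 'NEW ENROLLMENT', build_mail_body($post),
         "MIME-Version: 1.0\r\nContent-type: text/html; charset=UTF-8\r\n");
    header('Location: ending_page.php', true, 303);   // no JavaScript, no blank page
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: the first name carries a textbook injection payload.
    $sample = ['C_FIRST_NAME' => "Ana'); DROP TABLE usuarios; --", 'C_FIRST_LAST_NAME' => 'Pérez',
               'C_EMAIL' => 'ana@example.com', 'C_EMAIL_CONFIRMATION' => 'ana@example.com',
               'C_PASSWORD' => 'correct horse battery', 'C_PASSWORD_CONFIRMATION' => 'correct horse battery'];
    $db = open_db();
    $id = insert_customer($db, $sample);
    $row = $db->query('SELECT C_FIRST_NAME, C_PASSWORD_HASH FROM usuarios')->fetch(PDO::FETCH_ASSOC);
    echo "row $id stored, table intact, name kept verbatim: {$row['C_FIRST_NAME']}\n";
    echo 'password_verify: ', password_verify('correct horse battery', $row['C_PASSWORD_HASH']) ? "ok\n" : "FAIL\n";
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    handle_post(open_db(), $_POST);
}
```

Running it from the command line (php enroll.php) inserts the constructed record and prints the injection payload back exactly as typed, with the table still present: the quote and the DROP TABLE never reach the SQL parser because they were bound as a parameter rather than concatenated into the query text. Two deliberate omissions relative to the asker's form: the cleartext password is never stored or mailed (only a password_hash() digest is kept), and the card number and security code are left out entirely, since an unencrypted email is not a safe channel for them and the card-industry rules (PCI DSS) forbid storing the security code at all. The ID column is declared AUTOINCREMENT and left out of the INSERT, which is the answer to the asker's last question: the database assigns it on every insert, nothing has to be created beforehand.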