检查数据库中是否存在电子邮件地址，如果不提供警报则检查验证码是否正确，并且不要将数据保存在数据库中

i wrote a code for a form in which i added a two validation first one is through email and second one is through email. when user enter's the email address which already exist in a data base it will show an error. the problem which i faced is that when user enter's a new email address and wrong captcha code than it will show an error but at the same time it will save that into the data base also. Here's the complete code is given

<?php
include('../config/connection.php'); 

//DATABASE INSERT QUERY
if(isset($_POST['submit']))
{
        $finame = $_POST['finame'];
    $email = $_POST['email'];
    $user_message = $_POST['message'];
    $b="SELECT * from form WHERE email='".$_POST['email']."'";

                 $res = mysql_query($b);
            $tot = mysql_fetch_assoc($res);
            if(empty($tot) || empty($_SESSION['6_letters_code'] ) ||
      strcasecmp($_SESSION['6_letters_code'], $_POST['6_letters_code']) == 0)
                {


                        $sel = "insert into ".form." set finam='".$_POST['finam']."',lnam='".$_POST['lnam']."',dob='".$_POST['dob']."',cntn='".$_POST['cntn']."',fanam='".$_POST['fanam']."',str='".$_POST['str']."',email='".$_POST['email']."',passw='".$_POST['passw']."'";
                mysql_query($sel);

                    }   



    //-------------------------------Captcha--------------------
    $your_email ='yourname@your-website.com';// <<=== update to your email address

session_start();
$errors = '';
$finame = '';
$email = '';
$user_message = '';

    ///------------Do Validations-------------


    if(!empty($tot))
    {
        $errors .= "
 Re-enter the captcha code...!!! ";   
        $msg .="Email adreess already exist";
    }
    if(IsInjected($email))
    {
        $errors .= "
 Bad email value!";
    }
    if(empty($_SESSION['6_letters_code'] ) ||
      strcasecmp($_SESSION['6_letters_code'], $_POST['6_letters_code']) != 0)
    {

    // strcmp()
        $errors .= "
 The captcha code does not match!";
    }

    if(empty($errors))
    {
        //send the email
        $to = $your_email;
        $subject="New form submission";
        $from = $your_email;
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

        $body = "A user  $name submitted the contact form:
".
        "Name: $finame
".
        "Email: $email 
".
        "Message: 
 ".
        "$user_message
".
        "IP: $ip
";    

        $headers = "From: $from 
";
        $headers .= "Reply-To: $visitor_email 
";

        mail($to, $subject, $body,$headers);

        header('Location: ../admin/sign-in1.php');
    }
}

// Function to validate against any email injection attempts
function IsInjected($str)
{
  $injections = array('(
+)',
              '(+)',
              '(\t+)',
              '(%0A+)',
              '(%0D+)',
              '(%08+)',
              '(%09+)'
              );
  $inject = join('|', $injections);
  $inject = "/$inject/i";
  if(preg_match($inject,$str))
    {
    return true;
  }
  else
    {
    return false;
  }
}

?>


<html>
<head>
<link rel="stylesheet" type="text/css" media="all" href="jsDatePick_ltr.min.css" />
<script type="text/javascript" src="jsDatePick.min.1.3.js"></script>
<script type="text/javascript">
    window.onload = function(){
        new JsDatePick({
            useMode:2,
            target:"inputField",
            dateFormat:"%d-%M-%Y"
            });
    };
            </script>
<title>Form</title>
<link href="style/style.css" rel="stylesheet" type="text/css">
<link href='http://fonts.googleapis.com/css?family=Kaushan+Script' rel='stylesheet' type='text/css'>
<script language="JavaScript" src="scripts/gen_validatorv31.js" type="text/javascript"></script>
</head>

<body>
<div style="width:100%; height:170px; margin:auto;">
    <div class="abc">
    <h1 style="margin:5% 0 0 5%; width:10%; color:#FFF;">Form</h1>
     <!--</form>-->
    <?php 
                    $sel = "select * from home";
                    $a=mysql_query($sel);  
                   $fetch = mysql_fetch_array($a);

                     ?>
            <div class="sample"> <?php echo $fetch['home4'];?></div>
                <div class="main" style="margin:4% 0 0 0;">
                <a href="../index.php" class="navi">Home</a>
                <a href="../index.php" class="navi">About us</a>
                <a href="../index.php" class="navi">Gallery</a>
                <a href="../index.php" class="navi">Contact us</a>
        </div>
    </div>

    </div>
<div style=" width:100%; margin:5% 0 0 0; height:auto;">   
    <div style="margin:auto; width:80%">
        <form method="post" class="w3-container" onSubmit="alert('Thank you. You are registered now input your login id and passwprd to make changes on index and another pages...')" >
            <div class="w3-group">
<input class="w3-input blue-l4" pattern="[A-Za-z]{3,}" title="only alphabets" value="<?php echo $_POST['finam'] ?>" type="text" name="finam"required>
                <label class="w3-label">First-Name</label>
            </div>
            <div class="w3-group">
<input class="w3-input blue-l4" pattern="[A-Za-z]{3,}" title="only alphabets" value="<?php echo $_POST['lnam'] ?>" type="text" name="lnam"required>
                <label class="w3-label">Last name</label>
            </div>
            <div class="w3-group">
            <input class="w3-input blue-l4" type="text" size="12" readonly id="inputField" value="<?php echo $_POST['dob'] ?>"  name="dob" placeholder="DD/MM/YY"required>

            </div>
            <div class="w3-group">
            <input class="w3-input blue-l4" type="text" pattern="[A-Za-z]{3,}" title="only alphabets" value="<?php echo $_POST['fanam'] ?>" name="fanam"required>
                <label class="w3-label">Father's name</label>
            </div>

           <div class="w3-group">
                  <?php
if(!empty($msg)){
echo "<p class='err'>".nl2br($msg)."</p>";
}
?>
                <input class="w3-input blue-l4"  value="<?php echo $_POST['email'] ?>" type="email" name="email"required>                                                                   
                <label class="w3-label">Email</label>
            </div>
            <div class="w3-group">
                <input class="w3-input blue-l4" type="password" name="passw" required>
                <label class="w3-label">Password</label>
            </div>

            <div class="w3-group">
                <input class="w3-input blue-l4" pattern="[0-9]+" value="<?php echo $_POST['cntn'] ?>"  title="only numeric value" type="text" name="cntn"required>
                <label class="w3-label">Contact no.</label>
           </div>
           <div class="clear"></div>

               <div class="w3-group">

             <select name="str"  class="w3-input blue-l4">
             <option>--Select Stream--</option>
                <?php 
                            $sel = "select * from stream";
          $a=mysql_query($sel);

                           while($fetch = mysql_fetch_array($a))
                           {
                             ?>    
                <option><?php echo $fetch['str']?></option>
                <?php  
                           }
                        ?>

             </select>
                   </div>

            <div class="w3-group">
      <?php
if(!empty($errors)){
echo "<p class='err'>".nl2br($errors)."</p>";
}
?>

               <img src="captcha_code_file.php?rand=<?php echo rand(); ?>" id='captchaimg' ><br>
        <label for='message'>Enter the code above here :</label><br>            

        <input class="w3-input blue-l4" id="6_letters_code" name="6_letters_code" type="text"><br>

        <small>Can't read the image? click <a href='javascript: refreshCaptcha();'>here</a> to refresh</small>   </div>

            <button class="w3-btn blue-d1" name="submit" value="submit">Submit</button>

        </form>
    </div>
</div>
<script language='JavaScript' type='text/javascript'>
function refreshCaptcha()
{
    var img = document.images['captchaimg'];
    img.src = img.src.substring(0,img.src.lastIndexOf("?"))+"?rand="+Math.random()*1000;
}
</script>
<div class="foot" style="margin-top:4px;">
    <div  style="margin:2% 0 2% 86%;">
    <a href="http://facebook.com"><img style="margin:0 0 12px 12px;" src="index.jpg" width="30" height="30"/></a>
    <a href="http://twiter.com"><img style="margin:0 0 12px 12px;" src="images1.png" width="30" height="30"/></a>
    <a href="htp://google+.com"><img src="googleplus.png" width="50" height="50"/></a>
    </div>
</div>
</div>
</body>
</html>

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

doubao12345 2015-07-23 11:56

关注

Several comments here. First, and maybe the most important, you're using mysql_* functions, which are deprecated and is no longer maintained. You should seriously consider converting to MySQLi or PDO, which has prepared statements (that protects you against SQL-inection). mysql_* is bad practice.

Furthermore, you are mixing variable-names in your code. You're using both $_POST['finam'] and $_POST['finame'], which I assume are one and the same. Be careful with your names!

And you're inserting the password in plain text -- this is also a security issue! You should really hash your password, so that it's never stored in plain text (in case of a hacker accessing your database).

As for your question: You are inserting into the database with a series of or-operators in your if-statement. This means as long as one of them returns TRUE, it'll run the query and insert the email.

I'm not really sure how you do your CAPTCHA-validating, but I think this code will work more as intended.

<?php 
session_start(); 
include('../config/connection.php'); 

//DATABASE INSERT QUERY
if (isset($_POST['submit'])) {
    $finame         = $_POST['finam'];
    $lname          = $_POST['lnam'];
    $dob            = $_POST['dob'];
    $passw          = $_POST['passw'];
    $email          = $_POST['email'];
    $fanam          = $_POST['fanam'];
    $cntn           = $_POST['cntn'];
    $user_message   = $_POST['message'];
    $str            = $_POST['str'];
    $errors         = '';

    ///------------Do Validations-------------
    // Checking if the email exists in the database
    $res = mysql_query("SELECT * FROM form WHERE email=$email");

    // If the number of rows from the result is greater than 0, the email is already in our database
    if (mysql_num_rows($res) > 0) {
        $errors .= "
 Email exists!";
        $emailAvailable = false;
    } else {
        $emailAvailable = true;
    }

    if (!$emailAvailable)) {
        $errors .= "
 Re-enter the captcha code...!!! ";   
        $msg .= "Email adreess already exist";
    }
    if (IsInjected($email)) {
        $errors .= "
 Bad email value!";
        $badEmail = false;
    } else {
        $badEmail = true;
    }

    if (empty($_SESSION['6_letters_code'] ) || strcasecmp($_SESSION['6_letters_code'], $_POST['6_letters_code']) != 0) {
        // strcmp()
        $errors .= "
 The captcha code does not match!";
        $captcha = false;
    } else {
        $captcha = true;
    }

    ///------------If all is well, inserting the email-------------
    if ($emailAvailable && $captcha && $badEmail) {
        // $sel = "insert into ".form." set finam='".$_POST['finam']."',lnam='".$_POST['lnam']."',dob='".$_POST['dob']."',cntn='".$_POST['cntn']."',fanam='".$_POST['fanam']."',str='".$_POST['str']."',email='".$_POST['email']."',passw='".$_POST['passw']."'";
        $sel = "INSERT INTO form (finam, lnam, dob, cntn, fanam, str, email, passw) VALUES ($finame, $lname, $dob, $cntn, $fanam, $str, $email, $passw)";
        mysql_query($sel);
    }

    //-------------------------------Captcha--------------------
    $your_email ='yourname@your-website.com';// <<=== update to your email address

    if(empty($errors)) {
        //send the email
        $to         = $your_email;
        $subject    = "New form submission";
        $from       = $your_email;
        $ip         = $_SERVER['REMOTE_ADDR'];

        $body = "A user  $name submitted the contact form:
".
        "Name: $finame
".
        "Email: $email 
".
        "Message: 
 ".
        "$user_message
".
        "IP: $ip
";    

        $headers = "From: $from 
";
        $headers .= "Reply-To: $visitor_email 
";

        mail($to, $subject, $body,$headers);

        header('Location: ../admin/sign-in1.php');
    }
}

// Function to validate against any email injection attempts
function IsInjected($str) {
    $injections = array('(
+)',
              '(+)',
              '(\t+)',
              '(%0A+)',
              '(%0D+)',
              '(%08+)',
              '(%09+)'
              );
    $inject = join('|', $injections);
    $inject = "/$inject/i";
    if (preg_match($inject,$str)) {
        return true;
    } else {
        return false;
    }
}

?>

As you can see, I also updated your INSERT-query, it was kind of messy.

报告相同问题？

关注问题

检查表单中的多个div，如果div没有指定的类，则执行警报并阻止提交 javascript jquery php
2016-04-19 11:29

回答 1 已采纳 Use a loop: $('#collectImages').click(function(e) { e.preventDefault(); var valid = true; $('#img
python根据自定义条件，筛选数据存入数据库 python
2022-03-28 12:28

回答 1 已采纳按这个需求，看实际跑的脚本，可能合适的数据较少修改随机值范围小一些，相等机会大一些 from threading import Thread from time import sleep from
PHP中的警报如果不在内部工作 javascript php
2016-03-20 04:15

回答 5 已采纳 Try This echo '<script type="text/javascript">alert("Message´s 1st line Message´s 2nd lin
wordpress表单调用_如何在WordPress中创建安全的联系表单
2020-09-14 20:56

cumyupx7788305的博客 wordpress表单调用Do you want to create a secure ... 您要在WordPress中创建安全表单吗？ Forms allow users to submit information on your website. However, they can also be used by hackers to steal info...
AJAX请求保存到数据库但警报失败 ajax javascript jquery php
2015-08-19 20:19

回答 2 已采纳 As Luis suggests, try to add proper header to the php file which saves to the database and make th
警报在PHP代码中不起作用 php
2015-08-31 08:54

回答 1 已采纳 Using header("Location: ...") will cause PHP to respond with a 302 Found status, rather than a 200
带警报的删除按钮在php中不起作用 mysql php
2016-08-24 16:04

回答 2 已采纳 You're not echoing your variable here. vvv <td><a hre
20种最佳PHP电子邮件表格
2020-06-21 12:07

cunjie3951的博客 电子邮件表单具有许多形状和大小。当然，几乎在每个网站上都可以找到经典的“联系表”，但是有时您需要更强大的功能，或者也许首先应该使用更高级的功能？不同种类的网站需要不同的表单功能。他们中的许多人只...
我有一个表单，其中如果用户输入输入，它应检查负输入框或空输入框并抛出警报消息 javascript jquery php
2016-05-12 15:38

回答 1 已采纳 If HTML5 validation is supported, you do not need jQuery for validation. <input type=number mi
重定向到标题而不在php中打印js警报 javascript php
2013-07-03 06:56

回答 3 已采纳 If you redirect with the header() function, the browser will immediately redirect and no other dat
在PHP中调用自定义JS警报 javascript php
2016-03-11 14:50

回答 2 已采纳 Your html is loading top to bottom. Move the declaration of swal() to the header so it can be use
海外邮件发送指南（一）
2022-08-08 12:10

极光开发者的博客近年来，越来越多的中国企业开始走出国门，进入国际市场。在数字化齐头并进的时代，企业对客户...其中，电子邮件作为成熟的传统的沟通方式，在中国的发展日趋稳定，特别是移动互联网时代之后。一、在海外市场，邮件...
具有甜蜜警报的数据删除记录不起作用 html javascript php
2019-07-05 05:43

回答 1 已采纳 Passing the ID from the server-side will not work in this case. You have to fetch the ID per row o
智慧校园解决方案
2024-04-05 14:15

合肥自友科技的博客智慧校园解决方案-信息标准建设是学校智慧校园项目的重点之一，对推进项目建设，保证信息的交流与共享，有着重要的...信息标准在全校范围内为数据库设计提供类似数据字典的作用，为信息交换、资源共享提供基础性条件。
springcloud中文手册API
2018-10-12 23:28

浮生梦浮生的博客如果由于“非法密钥大小”而导致异常，并且您正在使用Sun的JDK，则需要安装Java加密扩展（JCE）无限强度管理策略文件。有关详细信息，请参阅以下链接： Java 6 JCE Java 7 JCE Java 8 JCE ...
没有解决我的问题, 去提问

悬赏问题

¥15 2020长安杯与连接网探
¥15 关于#matlab#的问题：在模糊控制器中选出线路信息，在simulink中根据线路信息生成速度时间目标曲线（初速度为20m/s，15秒后减为0的速度时间图像）我想问线路信息是什么
¥15 banner广告展示设置多少时间不怎么会消耗用户价值
¥16 mybatis的代理对象无法通过@Autowired装填
¥15 可见光定位matlab仿真
¥15 arduino 四自由度机械臂
¥15 wordpress 产品图片 GIF 没法显示
¥15 求三国群英传pl国战时间的修改方法
¥15 matlab代码代写，需写出详细代码，代价私
¥15 ROS系统搭建请教（跨境电商用途）

码龄粉丝数原力等级 --

检查数据库中是否存在电子邮件地址，如果不提供警报则检查验证码是否正确，并且不要将数据保存在数据库中

1条回答默认最新

码龄粉丝数原力等级 --

悬赏问题

检查数据库中是否存在电子邮件地址，如果不提供警报则检查验证码是否正确，并且不要将数据保存在数据库中

1条回答 默认 最新

悬赏问题

1条回答默认最新