
I have set up a little referral box on my home.php. Nothing exciting, and it's still a work in progress. For now, the main thing for me is that it works. WooHoo…

Question: Is it possible to set it up that the script works within the home.php and spits out the echo "Thank you for the refferal." ; within the particular content box?

[code=php]<?php

$your_name = $_POST['your_name'] ;
$friend_email = $_POST['friend_email'] ;

echo "Thank you for the refferal." ;

$email_subject = "Your friend $your_name thought you might like our website." ;

$email_msg = "msg blah blah." ;

mail($friend_email, $email_subject, $email_msg, 'From: mysite') ;

?>[/code]

[code=html]
<!-- refer us -->
<div class="leftNavTop">&nbsp; &nbsp; refer us</div>
<div class="leftNavCont">
<p>Tell your friends about us:</p>
<form action="php/refferal.php" method="post" name="refer_us">
<label>your name:</label><input name="your_name" type="text" size="20" maxlength="50" />
<label>friends email:</label><input name="friend_email" type="text" size="20" maxlength="50" /><input name="submit" type="submit" /></form>
</div>
<div class="leftNavBott"></div>

[/code]

I think it has something to do with the form action???

@JunkMale Aug 22.2009 — UNCLEAN !!! UNCLEAN !!!

Security wise, you should check that the form submit button is present in the submitted form and, at the very minimum, use the strip_tags() function to clean your POST inputs.

You will find various threads on the subject of sanitizing your form inputs. You should read up about it and implement measures to stop your site becoming compromised from injection or scripts designed to break your form, etc. and give the hacker access to your server.

@hastx Aug 22.2009 — An easy way for you to do it would be to put your form on a separate page and load it in an iframe on home.php

[code=html]
<iframe src ="refer_form.php" width="200" height="300">
<p>Your browser does not support iframes.</p>
</iframe>
[/code]


By default, links and form submissions will affect the same frame and give the effect I think you are looking for.

Another flashier method would be to use javascript to submit the form and then load a thank you message into the content box ...then you could implement some fades and a "working" message to give a more professional appearance.

@Hooded_Villian (author) Aug 22.2009 — [QUOTE]An easy way for you to do it would be to put your form on a separate page and load it in an iframe on home.php

[code=html]
<iframe src ="refer_form.php" width="200" height="300">
<p>Your browser does not support iframes.</p>
</iframe>
[/code]


By default, links and form submissions will affect the same frame and give the effect I think you are looking for.

Another flashier method would be to use javascript to submit the form and then load a thank you message into the content box ...then you could implement some fades and a "working" message to give a more professional appearance.[/QUOTE]


hastx - iFrame would be the simplest... Will give that a bash first. Thanks for the tip.

JunkMale - this is just a ROUGH draft. I will be looking into security after it's working the way I want it to. (am a PHP noob, so getting there.)

@Hooded_Villian (author) Aug 23.2009 — [QUOTE]An easy way for you to do it would be to put your form on a separate page and load it in an iframe on home.php

[code=html]
<iframe src ="refer_form.php" width="200" height="300">
<p>Your browser does not support iframes.</p>
</iframe>
[/code]


By default, links and form submissions will affect the same frame and give the effect I think you are looking for.

Another flashier method would be to use javascript to submit the form and then load a thank you message into the content box ...then you could implement some fades and a "working" message to give a more professional appearance.[/QUOTE]


Or... What about putting the entire content box and everything in its own file? Then using the include(); function?

The iFrame idea doesn't work for me, especially when cross browsing. Isn't there any way to... do it something like this?

[code=php]<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"[/code]

@hastx Aug 23.2009 — You could always submit a form to the same page and test if the form's submit is set and load the content box accordingly....if isset load thank you message, else load the form...

The difference in doing it that way is that when submitting the form, the entire page reloads and the visitor has to wait on all the page's components to reload / re-parse. But that may not be too big of an inconvenience if it is a simple page with no scrolling....using the iframe method the visitor never leaves their place or sees a change on the main page.

You could also do it using your include method, but the only reason for doing that would be if you were making a type of template to be included on many pages instead of the one, so that when a change is made to the form, it is reflected throughout the site.

@Hooded_Villian (author) Aug 24.2009 — [QUOTE]You could always submit a form to the same page and test if the form's submit is set and load the content box accordingly....if isset load thank you message, else load the form...

The difference in doing it that way is that when submitting the form, the entire page reloads and the visitor has to wait on all the page's components to reload / re-parse. But that may not be too big of an inconvenience if it is a simple page with no scrolling....using the iframe method the visitor never leaves their place or sees a change on the main page.

You could also do it using your include method, but the only reason for doing that would be if you were making a type of template to be included on many pages instead of the one, so that when a change is made to the form, it is reflected throughout the site.[/QUOTE]


I like that "submit to the same page" idea. I will have to remember it and try it sooner or later. I managed to get my iFrame cross browser working, so guess I will be using that after all.

Next step will be adding some sort of security to the form as JunkMale suggested. Am currently on 24-hour call for work, so will be getting to it as soon as possible. Thanks for all the input and I will be back soon. Keep watching this space...

PS: I read somewhere that when it comes to validating a form, it should be done using JavaScript as the process takes place on the client side, before submitting the form to the server. Or could I also use PHP for this process???

@Hooded_Villian (author) Sep 07.2009 — Anyone know how to make this form safer???

@Auchi Sep 07.2009 — You could and should validate it server side (php) since anyone can just turn off JS. I wouldn't call it mandatory for such a form but it's something to keep in mind for more complete forms.

Start by doing JS (you should check Regular Expressions) and then make a simplified version (yet accurate) on php.

The point of this is that people generally dislike forms. Having the whole page reloaded (server side validation) and having to refill everything again because there was some error/bad data just annoys people or makes them quit altogether. With js you can set up warnings as it is possible to do validation real-time (onclick, onchange, onblur... - onchange being my favourite).

Here's a non-coded example

You have a name form, want it to allow letters only

- Make a js script function with something like this inside

[CODE]var fld = trim(valfield.value);

var name = /^[a-z_]([a-z_]|( [^ ]))+[a-z_]$/i; // allows letters and 1 space between[/CODE]


- Call the function using an onChange command on the field you need validated ( onchange="validateName(fieldname,fieldtodisplayeror,booleanforrequiredORnot);" )

- Code it so it displays an error somewhere (add field to function) when the check fails

As for safety you should follow the first suggestion and clean your inputs. In passwords php has a convenient way of helping out, which is using md5 encryption. You'll find plenty about it when you need it

Here's a sample on cleaning inputs

    [CODE]
    // Function to sanitize values received from the form. Prevents SQL injection.
    // Note: get_magic_quotes_gpc() and mysql_real_escape_string() only exist in
    // old PHP versions (removed in PHP 8.0 and 7.0 respectively).
    function clean($str) {
        $str = @trim($str);
        if (get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    // Sanitize the POST values
    $fname = clean($_POST['fname']);
    $lname = clean($_POST['lname']);
    $login = clean($_POST['username']);
    $password = clean($_POST['password']);
    $cpassword = clean($_POST['cpassword']);
    [/CODE]



    Hope it helps

    @Hooded_Villian (author) Sep 15.2009 — Oh Ooook... Now I'm getting the hang of it. I see you create a function that "cleans" the inputs, then you call that function for each $_POST. Just checked them up on w3schools.com as well.

    Thanks a lot... You have given me much to play with & test.

    I'll be back with an update

    :-)

    @Hooded_Villian (author) Oct 13.2009 — [code=php]
    <div align="center">
    <?php

    if (isset($_POST['submit'])) {

    //form variables
    $your_name = $_POST['your_name'] ;
    $friend_name = $_POST['friend_name'] ;
    $friend_email = $_POST['friend_email'] ;
    $output_form = false;

    //first check the form for all the fields
    //if YOUR NAME empty
    if(empty($your_name)) {
    echo '<span class="formErr">*Your Name - empty</span><br />';
    $output_form = true;
    }

    //if FRIEND NAME empty
    if(empty($friend_name)) {
    echo '<span class="formErr">*Friends Name - empty</span><br />';
    $output_form = true;
    }

    //if FRIEND EMAIL empty
    if(empty($friend_email)) {
    echo '<span class="formErr">*Friends Email - empty</span>';
    $output_form = true;
    }

    //if none empty
    if((!empty($your_name)) && (!empty($friend_name)) && (!empty($friend_email))){

    $to = $friend_email ;
    $subject = "$friend_name thought you might like us." ;
    $msg = "Hi there $friend_name. \n" ;

    mail($to,$subject,$msg, 'From: xxxxxxxx');
    echo "<p>Thank you for your refferal. An email with your name on it, has been sent to <strong>$friend_name</strong>, asking them to pay us a visit.</p>";
    echo '<p><a href="xxxxxxx">Click here to refresh and send another refferal</a></p>';

    }
    }

    else{
    $output_form = true;
    }

    if($output_form) {

    ?>

    <p>Tell your friends about us:</p>
    <form action="<?php $_SERVER['PHP_SELF'] ?>" method="post" name="refer_us">
    <label>your full name:</label>
    <input name="your_name" type="text" size="20" maxlength="50" value="<?php echo "$your_name" ; ?>" /><br />
    <label>your friends name:</label>
    <input name="friend_name" type="text" size="20" maxlength="50" value="<?php echo "$friend_name" ; ?>" /><br />
    <label>your friends email:</label>
    <input name="friend_email" type="text" size="20" maxlength="50" value="<?php echo "$friend_email" ; ?>" /><br /><br />
    <input name="reset" type="reset" value="reset" />
    <input name="submit" type="submit" value="submit" />
    </form>

    <p>* all email addresses are kept confidential &amp; will not be used for anything else, other than this referral *</p>

    <?php

    }

    ?>

    </div>
    [/code]


    I know it's a lot of code... But my question is straightforward. I'm getting errors within the 3 form fields, with regards to undefined variables. But they are there, right at the top of the script.

    [code=php]<br /> <b>Notice</b>: Undefined variable: friend_email in <b>X:domainsXxxxxxxxuserhtdocshome.php</b> on line <b>378</b><br />[/code]

    @Mindzai Oct 14.2009 — [QUOTE]I will be looking into security after it's working the way I want it to.[/QUOTE]

    This seems to be the mantra of newbie PHP programmers. Seriously it is so much easier to build security in than try to tack it on afterwards. This advice always seems to be ignored by people wanting to just build something that superficially works however, hence all the crappy, insecure PHP programs out there.

    @Hooded_Villian (author) Oct 16.2009 — [QUOTE]This seems to be the mantra of newbie PHP programmers. Seriously it is so much easier to build security in than try to tack it on afterwards. This advice always seems to be ignored by people wanting to just build something that superficially works however, hence all the crappy, insecure PHP programs out there.[/QUOTE]

    I will definitely remember that in the future and will be inserting trim() and what not into the script as soon as I can get the above problem resolved. It's doing my head in. LoL

    :eek:

    @Mindzai Oct 16.2009 — Your problem is that you are only defining the variables if the form has been submitted. There is actually no reason to be defining the variables at all though, it serves no purpose except to introduce a place for errors to occur. You can just do this in the form fields:

    [code=php]
    <input name="your_name" type="text" size="20" maxlength="50" value="<?php if (isset($_POST['your_name'])) echo $_POST['your_name'] ?>" />
    [/code]


    You should be careful when you are echoing user input directly however, as it can often lead to XSS vulnerabilities (security again :p). Shouldn't matter in this case since you are just populating form fields, but bear it in mind in case you decide to echo something outside of a form element.

    @Hooded_Villian (author) Oct 16.2009 — Question: Why does that Sticky Form thing work here, by only inserting <input id="subject" name="subject" type="text" value="<?php echo $subject; ?>" size="30" /><br /> but it doesn't work on mine???

    [code=php]<?php
    if (isset($_POST['submit'])) {
    $from = '[email protected]';
    $subject = $_POST['subject'];
    $text = $_POST['elvismail'];
    $output_form = false;

    if (empty($subject) && empty($text)) {
    // We know both $subject AND $text are blank
    echo 'You forgot the email subject and body text.<br />';
    $output_form = true;
    }

    if (empty($subject) && (!empty($text))) {
    echo 'You forgot the email subject.<br />';
    $output_form = true;
    }

    if ((!empty($subject)) && empty($text)) {
    echo 'You forgot the email body text.<br />';
    $output_form = true;
    }
    }
    else {
    $output_form = true;
    }

    if ((!empty($subject)) && (!empty($text))) {
    $dbc = mysqli_connect('data.makemeelvis.com', 'elmer', 'theking', 'elvis_store')
    or die('Error connecting to MySQL server.');

    $query = "SELECT * FROM email_list";
    $result = mysqli_query($dbc, $query)
    or die('Error querying database.');

    while ($row = mysqli_fetch_array($result)){
    $to = $row['email'];
    $first_name = $row['first_name'];
    $last_name = $row['last_name'];
    $msg = "Dear $first_name $last_name,\n$text";
    mail($to, $subject, $msg, 'From:' . $from);
    echo 'Email sent to: ' . $to . '<br />';
    }

    mysqli_close($dbc);
    }

    if ($output_form) {
    ?>

    <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <label for="subject">Subject of email:</label><br />
    <input id="subject" name="subject" type="text" value="<?php echo $subject; ?>" size="30" /><br />
    <label for="elvismail">Body of email:</label><br />
    <textarea id="elvismail" name="elvismail" rows="8" cols="40"><?php echo $text; ?></textarea><br />
    <input type="submit" name="submit" value="Submit" />
    </form>

    <?php
    }
    ?>[/code]

    @Hooded_Villian (author) Oct 16.2009 — Is this right???

    [code=php]//form variables
    $your_name = mysqli_real_escape_string( trim($_POST['your_name'])) ;
    $friend_name = mysqli_real_escape_string( trim($_POST['friend_name'])) ;
    $friend_email = mysqli_real_escape_string( trim($_POST['friend_email'])) ;[/code]


    Update:

    Just checked my study manual and this is another one or two chapters away, but decided to try it anyways. It only works when I use trim() with the mysqli_real_escape_string(). It seems that is purely for sql database injections. For this referral form I am not using MySQL... So I assume I don't need it.
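
What a form like this does need, as an added example that is not code from any poster in this thread: server-side validation of the three fields (the advice Auchi gives above) and HTML escaping when the values are echoed back into the form (the XSS point Mindzai raises). The helper names e() and validate_referral(), the 50-byte limit (mirroring the form's maxlength) and the error strings are assumptions.

```php
<?php
// Added example, not code from the thread. Helper names, limits and error
// strings are assumptions; the field names come from the form above.

// Escape a value for HTML text or a quoted attribute such as value="...".
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate one submission. Returns [trimmed values, errors keyed by field].
function validate_referral(array $post): array
{
    $clean = [];
    $errors = [];
    foreach (['your_name', 'friend_name', 'friend_email'] as $field) {
        $raw = $post[$field] ?? '';
        // A text field must arrive as a string, not an array (your_name[]=x).
        $value = is_string($raw) ? trim($raw) : '';
        if ($value === '') {
            $errors[$field] = 'empty';
        } elseif (strlen($value) > 50) {   // bytes; mirrors maxlength="50"
            $errors[$field] = 'too long';
        } elseif (preg_match('/[\x00-\x1F\x7F]/', $value)) {
            // Line breaks and other control characters do not belong in a
            // name, a mail recipient or a subject line.
            $errors[$field] = 'invalid characters';
        }
        $clean[$field] = $value;
    }
    if (!isset($errors['friend_email'])
        && filter_var($clean['friend_email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['friend_email'] = 'not a valid address';
    }
    return [$clean, $errors];
}

// Constructed sample submission (not real data).
$post = [
    'your_name'    => 'Pat "PJ" O\'Neil <pat>',  // quotes and angle brackets
    'friend_name'  => "Sam\r\nsecond line",       // embedded line break
    'friend_email' => 'sam@example.com',
];
[$clean, $errors] = validate_referral($post);

// mail() would be called only when $errors is empty, with the validated
// $clean['friend_email'] as recipient and a fixed From header.
foreach ($errors as $field => $why) {
    echo '<span class="formErr">*', e($field), ' - ', e($why), "</span><br />\n";
}
// Repopulate the field: " becomes &quot;, so the value cannot end the attribute.
echo '<input name="your_name" value="', e($clean['your_name']), '" />', "\n";
```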

    @Hooded_Villian (author) Oct 21.2009 — Hello??? echo echo echo... Anyone there?

    @Hooded_Villian (author) Oct 25.2009 — [QUOTE]Hello??? echo echo echo... Anyone there?[/QUOTE]

    Is there no one to help out with my last three or four posts? I'm still kind of stuck on this referral form.
