
Help: Creating Coupon login

18 replies to this topic

#13 Orjan

    CC Mentor

  • Moderator
  • 2918 posts
  • Location: Karlstad, Sweden
  • Programming Language: C, Java, C++, C#, PHP, JavaScript, Pascal
  • Learning: Java, C#

Posted 05 March 2012 - 01:13 AM

Your JS should only verify its validity, not mark it used; that should be done in PHP after submission.

I'm a System developer at XLENT Consultant Group mainly working with SugarCRM.
Please DO NOT send mail or PM to me with programming questions, post them in the appropriate forum instead, where I and others can answer you.


#14 wim DC

    Roar

  • Expert Member
  • 2681 posts
  • Programming Language: Java, JavaScript, PL/SQL
  • Learning: Python

Posted 05 March 2012 - 02:02 AM

mysql_query("DELETE FROM table_name WHERE coupon_number = $coupon_number");

Does mysql_query automatically parse that variable in the query?
Like I would rather use:
mysql_query("DELETE FROM table_name WHERE coupon_number = " . $coupon_number);

Anyway, let's assume it works. You should never put user input straight into a query without having escaped it.
The PHP manual has a neat example of how to handle the variable, imo.

$query = sprintf("SELECT firstname, lastname, address, age FROM friends
    WHERE firstname='%s' AND lastname='%s'",
    mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname));

// Perform Query
$result = mysql_query($query);



#15 Orjan

    CC Mentor

  • Moderator
  • 2918 posts
  • Location: Karlstad, Sweden
  • Programming Language: C, Java, C++, C#, PHP, JavaScript, Pascal
  • Learning: Java, C#

Posted 05 March 2012 - 02:49 AM

Does mysql_query automatically parse that variable in the query?

Yes, it actually does, as it uses double quotes ("). If you had used single quotes (') it would not have. PHP parses double-quoted strings for variables and replaces them. But personally, I do prefer your version.

Another thing you should do is surround the value with single quote characters in the MySQL query, like variable = 'value'.

Another version of doing what you show with sprintf is to use mysqli and prepared queries. That is the most recent way of doing it.

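The injection wim DC warns about in #14 and the prepared-statement alternative Orjan recommends in #15, shown side by side as an added example that is not code from this thread. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table `coupons`, its `coupon_number` column and the three sample rows are constructed for the demo, and the mysqli equivalent of the safe function is given in a comment.

```php
<?php
// Added example (not from the thread): the string-built DELETE from post #14
// versus a prepared statement. PDO + in-memory SQLite stands in for MySQL so
// this runs offline; table and column names are assumptions for the demo.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE coupons (coupon_number TEXT PRIMARY KEY)');
    foreach (['AB12', 'CD34', 'EF56'] as $c) {   // constructed sample coupons
        $db->exec("INSERT INTO coupons VALUES ('$c')");
    }
    return $db;
}

// Unsafe, as in the thread: the value is pasted into the SQL text, unquoted.
function deleteUnquoted(PDO $db, string $couponNumber): int {
    return $db->exec("DELETE FROM coupons WHERE coupon_number = $couponNumber");
}

// Still unsafe: quoting the value (post #15) but not escaping it.
function deleteQuoted(PDO $db, string $couponNumber): int {
    return $db->exec("DELETE FROM coupons WHERE coupon_number = '$couponNumber'");
}

// Safe: the value is sent as a bound parameter and can never become SQL.
function deletePrepared(PDO $db, string $couponNumber): int {
    $stmt = $db->prepare('DELETE FROM coupons WHERE coupon_number = ?');
    $stmt->execute([$couponNumber]);
    return $stmt->rowCount();
}
// mysqli equivalent of deletePrepared (needs a real MySQL connection):
//   $stmt = $mysqli->prepare('DELETE FROM coupons WHERE coupon_number = ?');
//   $stmt->bind_param('s', $couponNumber);
//   $stmt->execute();
//   $deleted = $stmt->affected_rows;

function countCoupons(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM coupons')->fetchColumn();
}

function report(string $label, PDO $db, int $deleted): void {
    printf("%-10s deleted %d row(s), %d left\n", $label, $deleted, countCoupons($db));
}

// Attack inputs: one for the unquoted query, one that closes the quote first.
$db = setupDb();
report('unquoted:', $db, deleteUnquoted($db, '1 OR 1=1'));

$db = setupDb();
report('quoted:', $db, deleteQuoted($db, "x' OR '1'='1"));

$db = setupDb();
report('prepared:', $db, deletePrepared($db, "x' OR '1'='1"));
report('prepared:', $db, deletePrepared($db, 'CD34'));   // a real code still works
```

Run with `php` as written: both unsafe paths delete all three coupons from a single crafted "coupon number", while the prepared statement treats the same input as a literal string that matches nothing and only removes the row when given a real code. The quoted variant shows that Orjan's advice in #15 to wrap the value in single quotes only helps together with escaping (or, better, binding); on its own it is defeated by an input that closes the quote.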


#16 Jmancuso

    CC Regular

  • Member
  • 45 posts

Posted 05 March 2012 - 06:50 PM

I'm not sure what you're verifying, but I wouldn't do any kind of verification with JavaScript if you're inserting things into databases, since anybody with Google Chrome can change your source code around.

#17 Orjan

    CC Mentor

  • Moderator
  • 2918 posts
  • Location: Karlstad, Sweden
  • Programming Language: C, Java, C++, C#, PHP, JavaScript, Pascal
  • Learning: Java, C#

Posted 05 March 2012 - 10:35 PM

I'm not sure what you're verifying, but I wouldn't do any kind of verification with JavaScript if you're inserting things into databases, since anybody with Google Chrome can change your source code around.

Of course you can do a JS validation; it is never wrong to make sure before submission that the data is OK, but you can never trust the entered data in any way at any time, so a PHP validation is always needed after submission, for example if someone uses a script to pretend to be a browser, or if someone has JS turned off. Chrome isn't the big bad guy, at least not in this case.



#18 wheay

    CC Regular

  • Member
  • 33 posts

Posted 05 March 2012 - 11:48 PM

Hey, I tried some code. The JS validation is working and the sending of email is correct, but the PHP checking and voucher validation are not working. Can someone help me with this? I need to check if the voucher code exists; if so, delete it from the database, but check if the form is complete first. If not, don't delete. If the voucher is correct but the form is not filled in, don't delete, and complete the required fields.

<?PHP
	//address error handling.
	$host = "localhost";    // Host name
	$username = "username"; // Mysql username
	$password = "password"; // Mysql password
	$db_name = "db_name";   // Database name
	$tbl_name = "tbl_name"; // Table name

	// Connect to server and select database.
	// (mysql_* is the extension this thread uses; it is deprecated since PHP 5.5 and gone in PHP 7.)
	mysql_connect($host, $username, $password) or die("cannot connect");
	mysql_select_db($db_name) or die("cannot select DB");

	//assign values
	//$salutation = $_POST['salutation'];
	// The voucher is the only field that goes into SQL, so it is the one that gets escaped.
	$myvoucher = stripslashes($_POST['voucher']);
	$myvoucher = mysql_real_escape_string($myvoucher);
	$field_color = $_POST['color'];
	$field_voucher = $_POST['voucher'];
	$field_fname = $_POST['First_Name'];
	$field_lname = $_POST['Last_Name'];
	$field_address = $_POST['Address'];
	$field_email = $_POST['Email'];
	$field_phone = $_POST['Phone'];
	$field_mobile = $_POST['Mobile'];


	/**line 1**/
	$field_line1 = $_POST['Line1'];
	$field_fface = $_POST['fface1'];
	$field_fsize = $_POST['fsize1'];
	$field_align = $_POST['align1'];
	/*$field_fstyle = $_POST['textStyle'];*/

	// Initialise before ".=" and guard the foreach: the checkbox array is absent when nothing is ticked.
	$check_msg1 = '';
	if (isset($_POST['textStyle']) && is_array($_POST['textStyle'])) {
		foreach ($_POST['textStyle'] as $value) {
			$check_msg1 .= "Checked: $value\n";
		}
	}

	/**line 2**/
	$field_line2 = $_POST['Line2'];
	$field_fface2 = $_POST['fface2'];
	$field_fsize2 = $_POST['fsize2'];
	$field_align2 = $_POST['align2'];
	/**$field_fstyle = $_POST['textStyle2'];*/

	$check_msg2 = '';
	if (isset($_POST['textStyle2']) && is_array($_POST['textStyle2'])) {
		foreach ($_POST['textStyle2'] as $value) {
			$check_msg2 .= "Checked: $value\n";
		}
	}

	/**line 3**/
	$field_line3 = $_POST['Line3'];
	$field_fface3 = $_POST['fface3'];
	$field_fsize3 = $_POST['fsize3'];
	$field_align3 = $_POST['align3'];
	/**$field_fstyle = $_POST['textStyle3'];*/

	$check_msg3 = '';
	// This read textStyle2 in the original (copy-paste error), so line 3 reported line 2's styles.
	if (isset($_POST['textStyle3']) && is_array($_POST['textStyle3'])) {
		foreach ($_POST['textStyle3'] as $value) {
			$check_msg3 .= "Checked: $value\n";
		}
	}

	/**border**/
	$field_border = $_POST['border'];
	$field_border_style = $_POST['border_Style'];


	if (isset($_POST['enter'])) { // Handle the form.

	//check voucher
	//$voucherchk = mysql_query("SELECT * FROM shinygame WHERE email = '$email'");
	// The result has to land in $voucherchk, which is what mysql_num_rows() reads below
	// (the original stored it in $sql and then tested an unset $voucherchk).
	$voucherchk = mysql_query("SELECT * FROM $tbl_name WHERE voucher='$myvoucher'");
	//end check voucher

	$problem = FALSE; //no problem

	$themessage = "You are required to complete the following fields: ";
	if (empty($field_voucher)) {
		$problem = TRUE;
		$themessage .= 'enter voucher';
	}
	if (empty($field_fname)) {
		$problem = TRUE;
		$themessage .= ', First Name';
	}
	if (empty($field_lname)) {
		$problem = TRUE;
		$themessage .= ', Last Name';
	}
	if (empty($field_address)) {
		$problem = TRUE;
		$themessage .= ', Home address';
	}
	if (empty($field_email)) {
		$problem = TRUE;
		$themessage .= ', Email address';
	} elseif (!filter_var($field_email, FILTER_VALIDATE_EMAIL)) {
		// A valid address cannot contain CR/LF, so this also stops header injection
		// through the From:/Reply-To: headers that are built from it below.
		$problem = TRUE;
		$themessage .= ', a valid Email address';
	}
	if (empty($field_mobile)) {
		$problem = TRUE;
		$themessage .= ', Contact no.';
	}
	// An unknown voucher is the problem; an existing one is what we want.
	// (The original tested "> 0", which flagged every voucher that did exist.)
	if (!$voucherchk || mysql_num_rows($voucherchk) == 0) {
		$problem = TRUE;
		$themessage .= ', a valid voucher code';
	}
	//Print alert box with error message if there is a problem
	if ($problem) {
		print("<script>alert('$themessage')</script>");
	}

	// Only a complete form with an existing voucher gets past this point, so the
	// voucher is consumed here and only here (the JS on the form must never do it).
	if (!$problem) {

	// Define the query.
	$query = "DELETE FROM $tbl_name WHERE voucher='$myvoucher'";

	// Execute the query. Checking the affected-row count catches a second submission
	// that deleted the same voucher between the SELECT above and this DELETE.
	if (mysql_query($query) && mysql_affected_rows() > 0) {

		$mail_to = $field_email;
		$subject = 'Voucher Prize';

		$body_message = 'Hi '.$field_fname."\n";
		$body_message .= 'Voucher no.: '.$field_voucher."\n"; // was "=", which discarded the greeting
		$body_message .= 'From: '.$field_fname."\n";
		$body_message .= 'E-mail: '.$field_email."\n";
		$body_message .= 'Address: '.$field_address."\n";
		$body_message .= 'Phone: '.$field_phone."\n";
		$body_message .= 'Mobile: '.$field_mobile."\n";
		$body_message .= 'Machine Color: '.$field_color."\n\n";

		$body_message .= 'Line 1: '.$field_line1."\n";
		$body_message .= 'Font Face: '.$field_fface."\n";
		$body_message .= 'Font Size: '.$field_fsize."\n";
		$body_message .= 'Alignment: '.$field_align."\n";
		$body_message .= 'Font Style: '.$check_msg1."\n\n";

		$body_message .= 'Line 2: '.$field_line2."\n";
		$body_message .= 'Font Face: '.$field_fface2."\n";
		$body_message .= 'Font Size: '.$field_fsize2."\n";
		$body_message .= 'Alignment: '.$field_align2."\n";
		$body_message .= 'Font Style: '.$check_msg2."\n\n";

		$body_message .= 'Line 3: '.$field_line3."\n";
		$body_message .= 'Font Face: '.$field_fface3."\n";
		$body_message .= 'Font Size: '.$field_fsize3."\n";
		$body_message .= 'Alignment: '.$field_align3."\n";
		$body_message .= 'Font Style: '.$check_msg3."\n\n";

		$body_message .= 'Border Size: '.$field_border."\n";
		$body_message .= 'Border Style: '.$field_border_style."\n";

		// Safe only because $field_email passed FILTER_VALIDATE_EMAIL above.
		$headers = 'From: '.$field_email."\r\n";
		$headers .= 'Reply-To: '.$field_email."\r\n";

		$mail_status = mail($mail_to, $subject, $body_message, $headers);


		echo "<script> alert(\"Your information has been mailed to your email address.\") </script>";
		echo "<script type=\"text/javascript\">";
		echo "window.location.href = 'http://www.website.com'";
		echo "</script>";

		}
		else {
		// Do not echo $query or raw mysql_error() to visitors on a live site; log it instead.
		print "<p>invalid or already used voucher code<b>" . mysql_error() . "</b></p>";
			}

			mysql_close();
			}

		}
		?>


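The flow wheay is asking for (check the form first, and delete the voucher only when everything is present and the code exists), as an added example that is not the thread's code. It uses PDO against an in-memory SQLite table named `vouchers` with two constructed codes so it runs without MySQL; the field names follow the posted form, and the `mail()` call is left as a comment. A single DELETE doubles as the existence check: its row count says whether the voucher was there, and two simultaneous submissions cannot both succeed, which a SELECT followed by a DELETE cannot guarantee.

```php
<?php
// Added example, not code from the thread: validate first, then consume the
// voucher atomically with a prepared DELETE. PDO + in-memory SQLite stands in
// for MySQL; the table name `vouchers` and the sample codes are assumptions.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE vouchers (voucher TEXT PRIMARY KEY)');
    $ins = $db->prepare('INSERT INTO vouchers VALUES (?)');
    foreach (['WIN-1001', 'WIN-1002'] as $v) {   // constructed sample vouchers
        $ins->execute([$v]);
    }
    return $db;
}

// Server-side validation; the browser's JavaScript check is a courtesy, not a control.
function validateForm(array $post): array {
    $missing = [];
    foreach (['voucher', 'First_Name', 'Last_Name', 'Address', 'Email', 'Mobile'] as $f) {
        if (!isset($post[$f]) || trim((string) $post[$f]) === '') {
            $missing[] = $f;
        }
    }
    // A syntactically valid address cannot contain CR/LF, so this also stops
    // header injection when the address is later placed in From:/Reply-To:.
    if (isset($post['Email']) && filter_var($post['Email'], FILTER_VALIDATE_EMAIL) === false) {
        $missing[] = 'Email (invalid)';
    }
    return $missing;
}

// Consume the voucher in one statement: the DELETE succeeds for exactly one
// request even if two arrive at the same moment, unlike SELECT-then-DELETE.
function redeemVoucher(PDO $db, string $code): bool {
    $stmt = $db->prepare('DELETE FROM vouchers WHERE voucher = ?');
    $stmt->execute([$code]);
    return $stmt->rowCount() === 1;
}

function handleSubmission(PDO $db, array $post): string {
    $missing = validateForm($post);
    if ($missing) {
        return 'You are required to complete the following fields: ' . implode(', ', $missing);
    }
    if (!redeemVoucher($db, $post['voucher'])) {
        return 'invalid or already used voucher code';
    }
    // mail($post['Email'], 'Voucher Prize', $body, "From: {$post['Email']}\r\n") would go here.
    return 'voucher ' . $post['voucher'] . ' redeemed; confirmation mailed to ' . $post['Email'];
}

$db = setupDb();
$complete = ['voucher' => 'WIN-1001', 'First_Name' => 'Ann', 'Last_Name' => 'Lee',
             'Address' => '1 Main St', 'Email' => 'ann@example.com', 'Mobile' => '555-0100'];

// Incomplete form with a valid voucher: nothing is deleted.
echo handleSubmission($db, ['voucher' => 'WIN-1001', 'Email' => 'ann@example.com']), "\n";
// Header-injection attempt in the e-mail field: rejected before any DB write.
echo handleSubmission($db, ['Email' => "ann@example.com\r\nBcc: spam@example.net"] + $complete), "\n";
// Complete form: the first redemption succeeds and the replay is refused.
echo handleSubmission($db, $complete), "\n";
echo handleSubmission($db, $complete), "\n";
```

The four calls at the bottom walk through the cases in wheay's question in order: missing fields leave the voucher in place, a malformed e-mail is stopped before the database is touched, a complete form consumes the code, and submitting the same form again is refused because the DELETE affects zero rows.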

#19 Jmancuso

    CC Regular

  • Member
  • 45 posts

Posted 06 March 2012 - 04:17 AM

Blank




