problem of validation of email


begeiste
10-10-2007, 11:40 PM
Hi,

Not sure why, although I have added if (ereg('^[a-zA-Z0-9_.-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+$', users can still enter a bunch of invalid text which still gets added into the database?

Here are the scripts:

<?php
//set up a couple of functions
function doDB(){
global $conn;
//connect to server and select database; you may need it
$conn = mysql_connect('localhost','root','root') or die (mysql_error());
mysql_select_db('photos') or die (mysql_error());
}

function emailChecker($email){
global $conn, $check_result;
//check that email is not already in list
$check = "select id from subscribers where email = '$email'";
$check_result = mysql_query($check, $conn) or die(mysql_error());
}

function valid_email($email)
{
// check an email address is possibly valid
if (ereg('^[a-zA-Z0-9_.-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+$', $email))
return true;
else
return false;
}

//determine if they need to see the form or not
if($_POST[op] !="ds"){
//they do, so create form block
$display_block = "
<form method=POST action=\"$_SERVER[PHP_SELF]\" class='rmessage'>
<p><b>Your email address:</b><br>
<input type=text name=\"email\" size=40 maxlength=150>
<p><b>Action:</b><br>
<input type=radio name=\"action\" value=\"sub\" checked>Subscribe
<input type=radio name=\"action\" value=\"unsub\">Unsubscribe
<input type=\"hidden\" name=\"op\" value=\"ds\">
<p><input type=submit name=\"submit\" value=\"Submit Form\"></p>
</form>";
}else if(($_POST[op] == "ds") && ($_POST[action] == "sub")){
//trying to subscribe; validate email address
if($_POST[email] == ""){
header("Location: manage.php");
exit;
}
//connect to database
doDB();
//check that email is in list
emailChecker($_POST[email]);

//get number of results and do action
if(mysql_num_rows($check_result) < 1){
//add record
$sql = "insert into subscribers values('','$_POST[email]')";
$result = mysql_query($sql) or die (mysql_error());
$display_block = "<div style='background-color:#FFFFCC; width:50%; margin-left:auto; margin-right:auto; font-family:Arial, Helvetica, sans-serif; font-size:12px; padding-top:20px; padding-left:10px; padding-right:10px;padding-bottom:10px; border:solid 1px #000;'>Thanks for signing up!<br><br><a href='manage.php'>Subscribe it</a><br><a href='/index.php'>Go back HOME</a></div>";
}else {
//print failure message
$display_block = "<div style='background-color:#FFFFCC; width:50%; margin-left:auto; margin-right:auto; font-family:Arial, Helvetica, sans-serif; font-size:12px; padding-top:20px; padding-left:10px; padding-right:10px; padding-bottom:10px; border:solid 1px #000;'>You're already subscribed!<br><br><a href='manage.php'>Subscribe it</a><br><a href='/index.php'>Go back HOME</a></div>";
}
}else if(($_POST[op] == "ds") && ($_POST[action] == "unsub")){
//trying to unsubscribe; validate email address
if($_POST[email] == ""){
header("Location: manage.php");
exit;
}
//connect to database
doDB();
//check that email is in list
emailChecker($_POST[email]);

//get number of results and do action
if(mysql_num_rows($check_result) < 1){
//print failure message
$display_block = "
<div style='background-color:#FFFFCC; width:50%; margin-left:auto; margin-right:auto; font-family:Arial, Helvetica, sans-serif; font-size:12px; border:solid 1px #000; padding-top:20px; padding-left:10px; padding-right:10px;padding-bottom:10px;'>Couldn't find your address!<br>No action was taken.<br><br><a href='manage.php'>Subscribe it</a><br><a href='/index.php'>Go back HOME</a></div>";
}else{
//unsubscribe the address
$id = mysql_result($check_result, 0, "id");
$sql = "delete from subscribers where id ='$id'";
$result = mysql_query($sql) or die(mysql_error());
$display_block = "<div style='background-color:#FFFFCC; width:50%; margin-left:auto; margin-right:auto; font-family:Arial, Helvetica, sans-serif; font-size:12px; border:solid 1px #000; padding-top:20px; padding-left:10px; padding-right:10px;padding-bottom:10px;'>You're unsubscribed!<br><br><a href='manage.php'>Subscribe it</a><br><a href='/index.php'>Go back HOME</a></div>";
}
}
?>

<html>
<head>
<title>Subscribe/Unsubscribe</title>
<style>
h1{font-family:Arial, Helvetica, sans-serif; font-size:16px; background-color:#FF9900; height:40px; padding:10px 0 0 10px;}
body {background-color: #666666;}
.top{height:60px; background-color:#FFCC33; width:50%; margin-left:auto; margin-right:auto; padding:10px; border-top:solid 1px #000;border-left:solid 1px #000;border-right:solid 1px #000;}
.rmessage{background-color:#FFFFCC; width:50%; margin-left:auto; margin-right:auto; font-family:Arial, Helvetica, sans-serif; font-size:12px; padding:10px; border:solid 1px #000;}
</style>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></head>
<body>
<div class="top"><h1>Subscribe/Unsubscribe</h1><div style="font-family:Arial, Helvetica, sans-serif; font-size:10px; color:#666666; padding-top:5px;">We'll send you our News Letter frequently</div></div>
<?php echo "$display_block"; ?>
</body>
</html>

Fumigator
10-11-2007, 12:36 AM
1) What strings get through your regex? and,
2) You should use something like the email validation found at www.ilikejackdaniels.com.
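
One way to answer question 1 and to see where the posted script actually goes wrong, as an added example that is not the poster's code or the linked article's: in the script above valid_email() is defined but never called, so the insert runs on any non-empty input, and the pattern itself has an unescaped '.' between the two domain parts. It assumes PHP 7 or later with the pdo_sqlite extension (ereg() was removed in PHP 7, so the pattern is moved to preg_match() with the class hyphens placed last).

```php
<?php
// Added example, not the poster's code. Assumes PHP >= 7 with pdo_sqlite
// (an in-memory table stands in for the thread's MySQL 'subscribers' table).

// The posted pattern, moved from the removed ereg() to preg_match(), with the
// class hyphens placed last so they read as literals. The unescaped '.' between
// the two domain parts is NOT a literal dot: it matches any single character.
function valid_email_original(string $email): bool {
    return (bool) preg_match('/^[a-zA-Z0-9_.-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9.-]+$/', $email);
}

// Hardened check: PHP's built-in address validation plus the form's 150-char
// maxlength enforced server-side, since the client-side limit can be bypassed.
function valid_email_strict(string $email): bool {
    return strlen($email) <= 150
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Subscribe path with the validator actually called before touching the DB and
// the address bound as a parameter rather than interpolated into the SQL string.
function subscribe(PDO $db, string $email): string {
    if (!valid_email_strict($email)) {
        return 'invalid';
    }
    $check = $db->prepare('SELECT id FROM subscribers WHERE email = ?');
    $check->execute([$email]);
    if ($check->fetchColumn() !== false) {
        return 'exists';
    }
    $db->prepare('INSERT INTO subscribers (email) VALUES (?)')->execute([$email]);
    return 'added';
}

// Constructed inputs: 'me@host' and 'a@b!c' pass the posted pattern because the
// bare '.' happily matches a plain letter or the '!'; the strict check rejects both.
$samples = ['user@example.com', 'me@host', 'a@b!c', 'no-at-sign', 'two@@example.com'];
foreach ($samples as $s) {
    printf("%-18s posted=%-4s strict=%s\n", $s,
        valid_email_original($s) ? 'pass' : 'fail',
        valid_email_strict($s) ? 'pass' : 'fail');
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT UNIQUE)');
foreach (['user@example.com', 'user@example.com', 'a@b!c'] as $s) {
    echo "$s => " . subscribe($db, $s) . "\n";
}
```

Run it with php on the command line; the first block lists which samples each check accepts and the second walks the subscribe path through the added, already-subscribed and rejected cases.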

begeiste
10-11-2007, 06:22 PM
Sorry. The site is not found.

moos3
10-11-2007, 06:36 PM
I believe this is the article fumigator was talking about

http://www.ilovejackdaniels.com/php/email-address-validation/

Fumigator
10-11-2007, 07:00 PM
Aha, ha, ha, I underestimated the guy's passion for the Jack Daniels. Thanks for clarifying what I was referring to, Moos.