
Form results are emailed when the page loads and again when it's submitted

New Here ,
Jan 21, 2010 Jan 21, 2010

I have a form that sends the results to a database and also e-mails the results to me. It works; however, I get two e-mails sent to me. The first arrives when the page is loaded, and the second when the form is filled in and submitted. Obviously I don't want it to send an e-mail with blank results just because the page was accessed. Somewhere in my code I need to correct this so that it only e-mails on submit. I'm still learning and it took me a while to get to this point. Could someone look at my code and see what I've done wrong? Thanks. Patty

<?php require_once('../../../../Connections/BidContractReg.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
/**
 * Convert a raw request value into a literal that is spliced into a SQL string.
 *
 * The value is escaped with the legacy mysql_* escaping function and then
 * shaped according to $theType:
 *   "text" / "date"  -> single-quoted escaped string, or the bare word NULL when empty
 *   "long" / "int"   -> intval() of the value, or NULL when empty
 *   "double"         -> float value, or NULL when empty
 *   "defined"        -> $theDefinedValue when non-empty, otherwise $theNotDefinedValue
 * Any other type returns the escaped value unquoted.
 *
 * Security notes for maintainers:
 *   - Escaping is only as good as the connection: mysql_real_escape_string()
 *     relies on the link's character set being set correctly.
 *   - The two "defined" replacement values are returned exactly as passed in;
 *     they are not escaped here, so callers must only pass trusted constants.
 *   - The mysql_* extension was removed in PHP 7. New code should use prepared
 *     statements (PDO or mysqli) instead of building SQL from escaped strings.
 *
 * @param mixed  $theValue            Raw value, typically straight from $_POST.
 * @param string $theType             One of the type names listed above.
 * @param string $theDefinedValue     Returned for "defined" when the value is non-empty.
 * @param string $theNotDefinedValue  Returned for "defined" when the value is empty.
 * @return mixed SQL-ready literal (string, int or float).
 */
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  // Undo magic-quotes escaping first so the value is not escaped twice.
  if (PHP_VERSION < 6 && get_magic_quotes_gpc()) {
    $theValue = stripslashes($theValue);
  }

  // Prefer the connection-aware escaper; fall back to the older one if it is missing.
  if (function_exists("mysql_real_escape_string")) {
    $escaped = mysql_real_escape_string($theValue);
  } else {
    $escaped = mysql_escape_string($theValue);
  }

  $hasValue = ($escaped != "");

  switch ($theType) {
    case "text":
    case "date":
      return $hasValue ? "'" . $escaped . "'" : "NULL";
    case "long":
    case "int":
      return $hasValue ? intval($escaped) : "NULL";
    case "double":
      return $hasValue ? floatval($escaped) : "NULL";
    case "defined":
      return $hasValue ? $theDefinedValue : $theNotDefinedValue;
  }

  // Unknown type: hand back the escaped value unchanged.
  return $escaped;
}
}

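// Build the URL this form posts back to; it is echoed into the <form action="..."> attribute.
// Both parts come from the request: PHP_SELF includes any extra path text the client appended
// to the script URL, so it is escaped for the HTML attribute in the same way as the query string.
// ENT_QUOTES and UTF-8 are given explicitly so the result does not depend on the PHP version's defaults.
$editFormAction = htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING'], ENT_QUOTES, 'UTF-8');
}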

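// Insert Record behaviour: runs only when the form was posted (the hidden MM_insert field
// carries the form name). Every posted value goes through GetSQLValueString() before it is
// placed in the SQL text.
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO Results (`Date`, Company, FirstName, LastName, MailingAddress, City, `State`, Zip, Contact, Title, Phone, Fax, Email, Website, Name, PhoneNumber, Emailcontact) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['date'], "text"),
                       GetSQLValueString($_POST['company'], "text"),
                       GetSQLValueString($_POST['firstname'], "text"),
                       GetSQLValueString($_POST['lastname'], "text"),
                       GetSQLValueString($_POST['mailingaddress'], "text"),
                       GetSQLValueString($_POST['city'], "text"),
                       GetSQLValueString($_POST['state'], "text"),
                       GetSQLValueString($_POST['zip'], "text"),
                       GetSQLValueString($_POST['contact'], "text"),
                       GetSQLValueString($_POST['title'], "text"),
                       GetSQLValueString($_POST['phone'], "text"),
                       GetSQLValueString($_POST['fax'], "text"),
                       GetSQLValueString($_POST['email'], "text"),
                       GetSQLValueString($_POST['website'], "text"),
                       GetSQLValueString($_POST['Name'], "text"),
                       GetSQLValueString($_POST['phonenumber'], "text"),
                       GetSQLValueString($_POST['emailcontact'], "text"));

  mysql_select_db($database_BidContractReg, $BidContractReg);
  $Result1 = mysql_query($insertSQL, $BidContractReg);
  if (!$Result1) {
    // Keep the database's error text in the server log; showing it to the visitor
    // would reveal table and column names.
    error_log('Results insert failed: ' . mysql_error($BidContractReg));
    die('Sorry, your registration could not be saved. Please try again later.');
  }

  // Redirect to the confirmation page, carrying the current query string along.
  $insertGoTo = "HVAC/confirmation.htm";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?') !== false) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  // header() only queues the redirect; there is no exit here, so the rest of this
  // script still runs for the submitting request.
  header(sprintf("Location: %s", $insertGoTo));
}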

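// Load the Results table into a recordset.
// NOTE(review): nothing visible in this script reads $row_Recordset1 or $totalRows_Recordset1;
// the only later use of $Recordset1 is the mysql_free_result() call at the end of the file.
// Selecting every stored registration on each page view looks unnecessary; confirm before keeping it.
mysql_select_db($database_BidContractReg, $BidContractReg);
$query_Recordset1 = "SELECT * FROM Results";
$Recordset1 = mysql_query($query_Recordset1, $BidContractReg);
if (!$Recordset1) {
  // Log the database error server-side instead of printing it to the visitor.
  error_log('Results query failed: ' . mysql_error($BidContractReg));
  die('Sorry, this page is temporarily unavailable.');
}
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);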

  // Builds the notification e-mail and sends it to $webmaster.
  // NOTE(review): this run sits after the closing brace of the MM_insert check above, so it
  // executes on every request, including the first page load when nothing has been posted.
  $emailSubject ='HVAC_Bid_Registration';
  $webmaster = 'pearcep@cfbisd.edu';

  // Copy the posted fields into local variables, each named <field>field.
  // NOTE(review): on a plain page load none of these $_POST keys is set.
  // The form also posts 'title', which is not copied here.
  $datefield = $_POST['date'];
  $companyfield = $_POST['company'];
  $firstnamefield = $_POST['firstname'];
  $lastnamefield = $_POST['lastname'];
  $mailingaddressfield = $_POST['mailingaddress'];
  $cityfield = $_POST['city'];
  $statefield = $_POST['state'];
  $zipfield = $_POST['zip'];
  $contactfield = $_POST['contact'];
  $phonefield = $_POST['phone'];
  $faxfield = $_POST['fax'];
  $emailfield = $_POST['email'];
  $websitefield = $_POST['website'];
  $Namefield = $_POST['Name'];
  $phonenumberfield = $_POST['phonenumber'];
  $emailcontactfield = $_POST['emailcontact'];

  // Plain-text message body.
  // NOTE(review): the template interpolates $date, $company, ... $emailcontact, but the values
  // above were stored under the *field names ($datefield, $companyfield, ...). None of the
  // names used in the template is assigned in the visible code, so every label comes out blank.
  // $namefield also differs in case from $Namefield; PHP variable names are case-sensitive.
  $body = <<<EOD

Date: $date
Company: $company
Firstname: $firstname
Lastname: $lastname
Mailingaddress: $mailingaddress
City: $city
State: $state
Zip: $zip
Contact: $contact
Phone: $phone
Fax: $fax
Email: $email
Website: $website
Namefield: $namefield
Phonenumber: $phonenumber
Emailcontact: $emailcontact

EOD;

// NOTE(review): $email is not assigned in the visible code (the posted address is in $emailfield).
// Do not fix that by dropping the raw posted value in here: anything placed in a mail header has
// to be validated first (for example with FILTER_VALIDATE_EMAIL, and rejected if it contains CR
// or LF), otherwise a crafted value can add extra headers (e-mail header injection).
$header = "From: $email\r\n";
// NOTE(review): this appends to $headers, a different variable from $header. Only $header is
// passed to mail(), so the Content-type line is never sent.
$headers .= "Content-type: text/html\r\n";
// $success receives mail()'s return value; nothing visible checks it afterwards.
$success =mail ($webmaster, $emailSubject, $body, $header);

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>BidRegFormPDH</title>
<style type="text/css">
<!--
body,td,th {
font-family: Arial, Helvetica, sans-serif;
font-size: 14px;
color: #000;
line-height: normal;
border-top-color: #036;
border-right-color: #036;
border-bottom-color: #036;
border-left-color: #036;
}
#apDiv1 {
position:absolute;
width:939px;
height:180px;
z-index:1;
left: 12%;
top: 15px;
text-align: center;
margin-top: 0px;
border-top-color: #036;
border-right-color: #036;
border-bottom-color: #036;
border-left-color: #036;
background-color: #E9E9E9;
}
#form1 #apDiv1 p {
font-size: 36px;
font-family: "Times New Roman", Times, serif;
}
#form1 #apDiv1 p {
}
#form1 #apDiv1 #apdiv2 font {
font-size: 16px;
color: #633;
font-family: Arial, "Arial Narrow";
}
.font {
font-family: Arial, Helvetica, sans-serif;
font-size: 16px;
color: #009;
}
body {
margin-left: 12%;
}
-->
</style>
<script type="text/javascript">
<!--
// Evaluates the string it is given as JavaScript and returns the result
// (the MM_ prefix suggests a Dreamweaver-generated helper).
// NOTE(review): eval() executes whatever text reaches jsStr, so it must never receive
// request-derived or otherwise untrusted data. No call to this function is visible on this
// page; if it is unused, removing it is the safest option.
function MM_callJS(jsStr) { //v2.0
  return eval(jsStr)
}
//-->
</script>
</head>

<body>
<form id="form1" name="form1" method="POST" action="<?php echo $editFormAction; ?>">
  <div id="apDiv1">
    <p><img src="../../../../Images/images/CFB-LOGO-V-red-black-with-tag[1].GIF" width="55" height="56" alt="cfb" /><br />   
    Bid Registration Form<font color="#330099" size="2" face="Tahoma"><br />
    <br />
    <span class="font">Please provide your company's contact information below, and click the
    submit button to access the bid contract information.</span></font></p>
</div>
  <p> </p>
  <p> </p>
  <p> </p>
  <p> </p>
  <p> </p>
  <p><br />
    <img src="../../../../Images/images/Bars/Red Bar.jpg" width="939" height="13" alt="bar" /><br />
  <img src="../../../../Images/images/Bars/Blue Bar_edited-1.jpg" width="939" height="18" alt="bar" /></p>
  <table border="0" cellspacing="1" cellpadding="1">
    <tr>
      <td>Date</td>
      <td><label>
        <input name="date" type="text" id="date" size="30" />
      </label></td>
    </tr>
    <tr>
      <td>Company Name</td>
      <td><label>
        <input name="company" type="text" id="company" size="50" />
      </label></td>
    </tr>
    <tr>
      <td>First Name</td>
      <td><label>
        <input name="firstname" type="text" id="firstname" size="50" />
      </label></td>
    </tr>
    <tr>
      <td>Last Name</td>
      <td><label>
        <input name="lastname" type="text" id="lastname" size="50" />
      </label></td>
    </tr>
    <tr>
      <td>Mailing Address</td>
      <td><label>
        <input name="mailingaddress" type="text" id="mailingaddress" size="50" />
      </label></td>
    </tr>
    <tr>
      <td>City</td>
      <td><label>
        <input name="city" type="text" id="city" size="30" />
      </label></td>
    </tr>
    <tr>
      <td>State</td>
      <td><label>
        <input name="state" type="text" id="state" size="30" />
      </label></td>
    </tr>
    <tr>
      <td>Zip</td>
      <td><label>
        <input name="zip" type="text" id="zip" size="30" />
      </label></td>
    </tr>
    <tr>
      <td> </td>
      <td> </td>
    </tr>
    <tr>
      <td>Contact Name for Bids</td>
      <td><label>
        <input name="contact" type="text" id="contact" size="50" />
      </label></td>
    </tr>
    <tr>
      <td>Title</td>
      <td><label>
        <input name="title" type="text" id="title" size="50" />
      </label></td>
    </tr>
    <tr>
      <td>Phone</td>
      <td><label>
        <input name="phone" type="text" id="phone" size="50" />
      </label></td>
    </tr>
    <tr>
      <td>Fax</td>
      <td><label>
        <input name="fax" type="text" id="fax" size="50" />
      </label></td>
    </tr>
    <tr>
      <td>Email</td>
      <td><label>
        <input name="email" type="text" id="email" size="50" />
      </label></td>
    </tr>
    <tr>
      <td> </td>
      <td> </td>
    </tr>
    <tr>
      <td>Website</td>
      <td><label>
        <input name="website" type="text" id="website" size="50" />
      </label></td>
    </tr>
    <tr>
      <td> </td>
      <td> </td>
    </tr>
    <tr>
      <td>Additional Contact Information:</td>
      <td> </td>
    </tr>
    <tr>
      <td>Name</td>
      <td><label>
        <input name="Name" type="text" id="Name" size="50" />
      </label></td>
    </tr>
    <tr>
      <td>Phone Number</td>
      <td><label>
        <input name="phonenumber" type="text" id="phonenumber" size="50" />
      </label></td>
    </tr>
    <tr>
      <td>Email</td>
      <td><label>
        <input name="emailcontact" type="text" id="emailcontact" size="50" />
      </label></td>
    </tr>
    <tr>
      <td> </td>
      <td> </td>
    </tr>
    <tr>
      <td><label>
        <input name="submit" type="submit" id="submit" value="Submit" />
      </label></td><br />
      <td> </td>
    </tr>
  </table>
  <p><img src="../../../../Images/images/Bars/Blue Bar.jpg" width="939" height="18" alt="bar" /></p>
  <input type="hidden" name="MM_insert" value="form1" onclick="pearcep@cfbisd.edu" />
  <input type="hidden" name="MM_insert" value="form1" />
</form>
</body>
</html>
<?php
// Release the result set held in $Recordset1 (opened by the "SELECT * FROM Results" query
// earlier in this script) once the page has been rendered.
mysql_free_result($Recordset1);

?>

TOPICS
Server side applications
LEGEND ,
Jan 22, 2010 Jan 22, 2010
LATEST

There are quite a few things wrong with your page:

  • You don't need a recordset, because you never do anything with it.
  • The mail script needs to go inside the conditional statement that performs the Insert Record server behavior. This will make the Insert Record server behavior no longer editable through the Dreamweaver dialog box.
  • You assign the value of  $_POST['email'] to $emailfield, but later use $email, which has no value.
  • You are putting an unfiltered email address into the headers of the mail() function. This exposes you to a malicious exploit called email header injection, which is likely to turn your form into a spam relay, and get you banned from your hosting company.
  • You're using two different variables for the email headers: $header and $headers. The variable passed to the mail() function is $header, so the value of $headers is ignored.
  • You're setting the content-type to text/html, but there's no HTML in the body of your email. Since the content-type is assigned to $headers, the variable that's never used, it makes no difference anyway.

This is where you should move the email script to:

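// Insert Record behaviour: runs only when the form was posted (the hidden MM_insert field
// carries the form name). Every posted value goes through GetSQLValueString() before it is
// placed in the SQL text.
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {

  $insertSQL = sprintf("INSERT INTO Results (`Date`, Company, FirstName, LastName, MailingAddress, City, `State`, Zip, Contact, Title, Phone, Fax, Email, Website, Name, PhoneNumber, Emailcontact) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['date'], "text"),
                       GetSQLValueString($_POST['company'], "text"),
                       GetSQLValueString($_POST['firstname'], "text"),
                       GetSQLValueString($_POST['lastname'], "text"),
                       GetSQLValueString($_POST['mailingaddress'], "text"),
                       GetSQLValueString($_POST['city'], "text"),
                       GetSQLValueString($_POST['state'], "text"),
                       GetSQLValueString($_POST['zip'], "text"),
                       GetSQLValueString($_POST['contact'], "text"),
                       GetSQLValueString($_POST['title'], "text"),
                       GetSQLValueString($_POST['phone'], "text"),
                       GetSQLValueString($_POST['fax'], "text"),
                       GetSQLValueString($_POST['email'], "text"),
                       GetSQLValueString($_POST['website'], "text"),
                       GetSQLValueString($_POST['Name'], "text"),
                       GetSQLValueString($_POST['phonenumber'], "text"),
                       GetSQLValueString($_POST['emailcontact'], "text"));

  mysql_select_db($database_BidContractReg, $BidContractReg);
  $Result1 = mysql_query($insertSQL, $BidContractReg);
  if (!$Result1) {
    // Keep the database's error text in the server log; showing it to the visitor
    // would reveal table and column names.
    error_log('Results insert failed: ' . mysql_error($BidContractReg));
    die('Sorry, your registration could not be saved. Please try again later.');
  }

// *******************************************

// Email script goes here

//********************************************

  // Redirect to the confirmation page, carrying the current query string along.
  $insertGoTo = "HVAC/confirmation.htm";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?') !== false) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
  // header() only queues the redirect. Stop here so the rest of the page is not
  // processed and sent along with it.
  exit;
}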

If you want to use the visitor's email address as the From header, you must filter it first. As long as your server is running PHP 5.2 or above, you can do this:

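// filter_input() returns the validated address, false if validation fails, or null if the
// field was not posted. Use that return value rather than re-reading the raw $_POST['email'].
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

// Belt and braces: a mail header value must never contain CR or LF, so reject them
// explicitly instead of relying on the validator alone.
if (!$email || strpbrk($email, "\r\n") !== false) {
  $email = null;
}

// Only add a From header when there is a usable address; an empty "From:" line is a
// malformed header, so leave it out and let the server's default sender apply.
$header = ($email !== null) ? "From: $email\r\n" : '';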

If your server doesn't support PHP 5.2 or above, it's time to move. Earlier versions of PHP are no longer supported, and are likely to be insecure.
