Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Home Forums Back End Sign up form

    #32722
    Bob
    Member

    Hi,

    So I’m creating a website for an event. I want people to be able to sign up at the website with their name, phone number etc.

    I want to display each name of everyone who signed up on a certain page of my website so everyone can see who signed up already. I was wondering what is the best way of doing this?

    I was thinking of sending the inputs to a database and then on the page I want to display them on, get them out of the database and output them. I haven’t got any code yet or a live site, but I was just wondering what was the best way.

    Thanks

    I'm using WordPress btw.

    #75907
    Bob
    Member

    Bump :)

    I suppose the way to do this is as I said above, by using a MySQL query to save and get the data from the database again? Any examples of that?

    #75869
    eip56
    Member

    Hello Bob,

    Since you are wanting to get data from the user as you specified it would be practical for you to store it in a database. Especially if you plan on utilizing that data in some way in the future for the actual event.

    As far as displaying the information, retrieving it from the database is the most practical solution. I would give you a code example, however you did not specify the language that you will be using. Maybe PHP?

    #75336
    Bob
    Member

    Sorry for the late response – I was away for a while.

    Thanks for your response, I indeed will be using PHP.

    I was wondering though what was the correct way of securing these forms. I know persons can input stuff in the input field that can mess up your database or website, so I would like to know how to prevent such things from happening. What is a good way of making sure nothing is inputted that can disrupt things and have a secure way of saving the inputs in the database?

    #75321
    ddliu
    Member

    Hi Bob,

    You should have some validation and cleanup on data input by the user to avoid XSS and SQL injection attacks.

    Below is a simple example in PHP and MySQL.

    Suppose you have an HTML form posting the following data to add_contact.php:
    first_name;
    last_name;
    email;
    address;

    add_contact.php

    <?php
    //connect to db
    $conn=mysql_connect("localhost", 'mysql_user', 'mysql_password');
    mysql_select_db('mydb',$conn);

    //form data
    $form_data=array(
        'first_name'=>$_POST['first_name'],
        'last_name'=>$_POST['last_name'],
        'email'=>$_POST['email'],
        'address'=>$_POST['address'],
    );

    //trim data
    $form_data=array_map('trim',$form_data);

    //do simple validation
    if(!$form_data['first_name'] || !$form_data['last_name'] || !$form_data['email'] || !$form_data['address'])
    {
        die('Invalid data');
    }

    //escape before insert to db to prevent SQL Injection Attack
    $form_data=array_map('mysql_real_escape_string',$form_data);

    //insert to db
    mysql_query("INSERT INTO contacts(first_name,last_name,email,address) VALUES ('{$form_data['first_name']}','{$form_data['last_name']}','{$form_data['email']}','{$form_data['address']}')");

    //close db connection
    mysql_close($conn);

    //show success message
    echo "Add success";

    Then the list page
    contact_list.php

    <?php
    //... init db connection

    //get data
    $query=mysql_query("SELECT * FROM contacts LIMIT 10");
    //loop and show each entry
    while($row=mysql_fetch_assoc($query))
    {
        //convert html chars to prevent XSS Attack
        $row=array_map('htmlspecialchars',$row);

        //convert new line to <br /> to keep the layout
        $row=array_map('nl2br',$row);

        echo "First name:".$row['first_name']."<br />";
        echo "Last name:".$row['last_name']."<br />";
        echo "Email:".$row['email']."<br />";
        echo "Address:".$row['address']."<br />";
        echo "<br />";
    }

    mysql_close($conn);

    Note that it’s just a simple example of doing that. To learn more about PHP, you can visit the PHP website: http://www.php.net


    dong

    #75315
    Bob
    Member

    That looks great and is definitely helping me get further, thanks for this!

    I have a question about some part of the code though, namely this:

    //do simple validation
    if(!$form_data['first_name'] || !$form_data['last_name'] || !$form_data['email'] || !$form_data['address'])
    {
        die('Invalid data');
    }

    The validation. I don’t really understand what it says.. it’s an if statement, but it doesn’t seem to compare or check an input value against a set value, if that makes sense.. usually, it’s something like: If.. 5+5 = 10 then output “that’s correct” else “nope that’s wrong”. I can only see there is an exclamation mark in front of each $form_data[…] but I don’t really understand it fully I think.

    Also, that’s what’s causing problems when testing this out. It outputs “Invalid data”, whereas I only filled in my name in the fields.. can someone help?

    #75318
    mshort1985
    Member

    @Bob, if I’m not mistaken the if statement is only checking to make sure there is actual data given in the fields and none are left blank.

    You can check if something is true or not simply by doing something like
    if($form_data['first_name']) {

    }

    If there’s nothing in the field, it will return false; if there’s something in it, it will return true.

    In the example ddliu gave, he had put !$form_data['first_name'] in the if statement, along with the other fields as well. The ! before it basically means, if it’s not true, then do whatever is inside the if statement.

    #75287
    ddliu
    Member

    The if scope is just a simple validation which means that every field should not be empty.

    If any field is not input, the script will quit and show an error message “Invalid data”. (die will stop the script, and the script will not be continued anymore.)

    For more complex validation, you should change this scope.

    For example, to check the email, you may use a regular expression; you may also limit the string length of first name and last name.

    I’ve created a gist here: https://gist.github.com/f86c0424202c03be8d79



    //validate first name
    if(strlen($form_data['first_name'])>30)
    {
        die('First name too long');
    }

    //validate last name
    if(strlen($form_data['last_name'])>30)
    {
        die('Last name too long');
    }

    //validate email
    if(!preg_match('#^[a-z]([a-z0-9]*[-_.]?[a-z0-9]+)*@([a-z0-9]*[-_]?[a-z0-9]+)+[.][a-z]{2,3}([.][a-z]{2})?$#i',$form_data['email']))
    {
        die('Invalid email address');
    }
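
An added example, not part of the original thread or of ddliu's gist: the same sign-up flow (validate, insert, list) written with PDO prepared statements and `filter_var()` instead of the `mysql_*` functions, which were removed in PHP 7.0. It assumes an in-memory SQLite database standing in for MySQL so it runs offline; the function names, the `$post` sample and the length limits for email and address are illustrative choices, not from the thread.

```php
<?php
// Assumption: in-memory SQLite stands in for the MySQL database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (first_name TEXT, last_name TEXT, email TEXT, address TEXT)');

// Returns a list of error messages; an empty list means the input is acceptable.
function validate_contact(array $in): array {
    $errors = [];
    // 30 is the name limit from the thread; the other two limits are illustrative.
    foreach (['first_name' => 30, 'last_name' => 30, 'email' => 254, 'address' => 200] as $field => $max) {
        $value = $in[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {   // missing, blank, or an array such as first_name[]=x
            $errors[] = "$field is required";
        } elseif (strlen(trim($value)) > $max) {
            $errors[] = "$field is too long";
        }
    }
    if (!$errors && filter_var(trim($in['email']), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    return $errors;
}

// Placeholders keep the values out of the SQL text, so there is no escaping step to forget.
function add_contact(PDO $pdo, array $in): void {
    $stmt = $pdo->prepare('INSERT INTO contacts (first_name, last_name, email, address) VALUES (?, ?, ?, ?)');
    $stmt->execute(array_map('trim', [$in['first_name'], $in['last_name'], $in['email'], $in['address']]));
}

// Escape when writing HTML, then convert newlines; only the names go on the public page.
function render_contacts(PDO $pdo): string {
    $html = '';
    foreach ($pdo->query('SELECT first_name, last_name FROM contacts LIMIT 10', PDO::FETCH_ASSOC) as $row) {
        $row = array_map(fn($v) => nl2br(htmlspecialchars($v, ENT_QUOTES, 'UTF-8')), $row);
        $html .= "First name: {$row['first_name']}<br />Last name: {$row['last_name']}<br />\n";
    }
    return $html;
}

// Constructed sample submission standing in for $_POST.
$post = ['first_name' => 'Anne <b>', 'last_name' => "O'Brien",
         'email' => 'anne@example.org', 'address' => "1 Main St\nSpringfield"];
$errors = validate_contact($post);
if ($errors) {
    exit(implode("\n", $errors) . "\n");
}
add_contact($pdo, $post);
echo render_contacts($pdo);
```

The apostrophe in the sample last name is stored unchanged because it never becomes part of the SQL string, and the `<b>` in the first name reaches the page as text rather than markup.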
