PHP mail question

14 posts by 2 authors in: Forums > CMS Builder
Last Post: July 13, 2010

By Jason - July 13, 2010

Hi Jerry,

What you can do is append variables to the end of the link that you send.

something like this:
...please click on this link or paste it into your browser.<br><br> http://www.thecmsbcookbook.com/confirmed.php?submit=1&email='.$_REQUEST['email'];

Now, this does mean that people can potentially change the email address that they're sending to you, so in the confirmation page, it's a good idea to check to make sure that the email address does exist in your table. Something like this:

$where = "email='".mysql_escape($_REQUEST['email'])."'";

if (mysql_select_count_from('newsletter', $where)) { // check to ensure that email exists in the table
  $query = "UPDATE `{$TABLE_PREFIX}newsletter` SET
              hidden      = '0',
              confirmed   = '1',
              updatedDate = NOW()
            WHERE email = '".mysql_escape( $_REQUEST['email'] )."'";
  mysql_query($query) or die("MySQL Error:<br/>\n". htmlspecialchars(mysql_error()) . "\n");
  $userNum = mysql_insert_id();
  // on success
  $errorsAndAlerts = "Thanks, your email address has been successfully added to our maillist";
}
else {
  // email not found in the table: report it instead of updating
  $errorsAndAlerts = "Sorry, that email has not been added to our newsletter list.<br/>";
}


Also, you should be fine getting rid of the mysqlStrictMode(false); Just to be careful, comment it out and then give it a try. It should work though.

Hope this helps.
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
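
The confirmation flow from the post above, as an added example that is not part of the original thread and not CMS Builder's own code: the link carries an HMAC of the address, so an address edited in the URL is rejected before the table lookup the post describes. This goes one step beyond the post's existence check; the secret, the `token` parameter, the PDO/SQLite setup and the example.com addresses are assumptions.

```php
<?php
// Added example, not CMS Builder code. Secret, table layout and addresses are constructed.
const LINK_SECRET = 'replace-with-a-long-random-value'; // assumption: stored server-side only

// Sign the address so the value in the link cannot be swapped for another one.
function sign_email(string $email): string {
    return hash_hmac('sha256', $email, LINK_SECRET);
}

// Build the link that goes into the confirmation e-mail (values are URL-encoded).
function confirmation_link(string $baseUrl, string $email): string {
    $params = ['submit' => 1, 'email' => $email, 'token' => sign_email($email)];
    return $baseUrl . '?' . http_build_query($params);
}

// Confirmation page logic: returns 'confirmed', 'bad-link' or 'unknown-email'.
function confirm_subscription(PDO $db, array $request): string {
    $email = $request['email'] ?? '';
    $token = $request['token'] ?? '';
    if (!is_string($email) || !is_string($token)) {
        return 'bad-link';
    }
    if (!hash_equals(sign_email($email), $token)) {
        return 'bad-link'; // address was edited after the link was generated
    }
    // Same existence check as in the post, done with a bound parameter.
    $count = $db->prepare('SELECT COUNT(*) FROM newsletter WHERE email = ?');
    $count->execute([$email]);
    if ((int) $count->fetchColumn() === 0) {
        return 'unknown-email';
    }
    $update = $db->prepare(
        'UPDATE newsletter SET hidden = 0, confirmed = 1, updatedDate = CURRENT_TIMESTAMP WHERE email = ?'
    );
    $update->execute([$email]);
    return 'confirmed';
}

// Constructed demo data in an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE newsletter (email TEXT, hidden INT, confirmed INT, updatedDate TEXT)');
$db->exec("INSERT INTO newsletter VALUES ('reader@example.com', 1, 0, NULL)");

$link = confirmation_link('https://www.example.com/confirmed.php', 'reader@example.com');
parse_str(parse_url($link, PHP_URL_QUERY), $request);
echo confirm_subscription($db, $request), "\n";   // request built from the genuine link

$request['email'] = 'someone.else@example.com';   // address changed in the URL
echo confirm_subscription($db, $request), "\n";
```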

Re: [Jason] PHP mail question

By gkornbluth - July 13, 2010

Thanks Jason,

So I think that you're saying that it's OK to remove the Email entry field on the form but that they might somehow change the submitted Email address anyway?

Best,

Jerry

The first CMS Builder reference book is now available on-line!
Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By Jason - July 13, 2010

Hi Jerry,

I would keep the email entry form on the confirmation page. Placing the variables at the end of the url in your email is just simulating a form post. However, there is nothing to stop someone from changing the email address when they paste it into the browser (either on purpose, or by accident). The code that I posted does a check to make sure the email in the url string does exist in our table before it tries to update it. If it isn't there, it will display an error message and display the form. This gives the user a chance to type the proper email in, in the case of a mistake. If they fill out the form and submit it, the script will run the same as if they had gotten it from the link.

Hope this makes it a little clearer.
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com