Alright. I have this contest signup form with 3 fields that inserts it into a mySQL DB... as well as emailing it. I am adding this code that will check the form for the user's current IP, and disallow the submission if it exists.
This seems to be executing without error now... but it allows multiple submissions from the same IP. Anything jump out as incorrect?
FULL CODE BELOW:
<?php
// include the connection file
require_once('connection.php');

// Quote/escape a value for direct interpolation into SQL (legacy addslashes-based approach)
function sanitize($value, $type)
{
    $value = (!get_magic_quotes_gpc()) ? addslashes($value) : $value;
    switch ($type) {
        case "text":
            $value = ($value != "") ? "'" . $value . "'" : "NULL";
            break;
        case "long":
        case "int":
            $value = ($value != "") ? intval($value) : "NULL";
            break;
        case "double":
            $value = ($value != "") ? "'" . doubleval($value) . "'" : "NULL";
            break;
        case "date":
            $value = ($value != "") ? "'" . $value . "'" : "NULL";
            break;
    }
    return $value;
}

// save the data on the DB and send the email
if (isset($_POST['action']) && $_POST['action'] == 'submitform') {
    // receive the variables
    $firstname = $_POST['firstname'];
    $lastname  = $_POST['lastname'];
    $email     = $_POST['email'];
    $ip        = gethostbyname($_SERVER['REMOTE_ADDR']);

    mysql_select_db($database, $connection);
    $QUERY  = "SELECT COUNT(IP) AS `count` FROM `contest` WHERE IP = 'value'";
    $RESULT = mysql_query($QUERY) or die(mysql_error());
    // Read the first row
    $row = mysql_fetch_assoc($RESULT);
    // Check how many rows MySQL counted
    if ($row['count'] > 0) {
        echo "value already exists";
    } else {
        // save the data on the DB
        mysql_select_db($database, $connection);
        $insert_query = sprintf("INSERT INTO contest (First_Name, Last_Name, Email_Address, Date, ip) VALUES (%s, %s, %s, NOW(), %s)",
            sanitize($firstname, "text"),
            sanitize($lastname, "text"),
            sanitize($email, "text"),
            sanitize($ip, "text"));
        $result = mysql_query($insert_query, $connection) or die(mysql_error());
        if ($result) {
            // send the email
            $to      = "EMAIL ADDY";
            $subject = "SUBJECT LINE";
            // headers and subject
            $headers  = "MIME-Version: 1.0\r\n";
            $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
            $headers .= "From: " . $firstname . " <" . $email . ">\r\n";
            $body  = "New contact
";
            $body .= "First Name: " . $firstname . "
";
            $body .= "Last Name: " . $lastname . "
";
            $body .= "Email: " . $email . "
";
            $body .= "IP: " . $ip . "
";
            mail($to, $subject, $body, $headers);
            // ok message
            header('Location: thanks.html');
            exit();
        }
    }
}
?>
You need to use backticks instead of single quotes to escape table names/reserved words:
$QUERY = "SELECT COUNT(IP) AS `count` FROM `contest` WHERE IP = 'value'";
Also if your IP column is a string you need to enclose the value for that in single quotes :-)
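As an added example (not code from the question or the answer), here is the same duplicate-IP check and insert written with PDO prepared statements: the address is bound as a parameter instead of being spliced into the SQL string as a quoted literal, so the comparison runs against the real value and the addslashes-based sanitize() is no longer needed. It goes one step beyond the answer by also handling the race between the SELECT and the INSERT, assuming a UNIQUE index on the ip column; it assumes an existing PDO connection $pdo to the same database, and the function names are mine.

```php
<?php
// Added example, not code from the question or the answer. Assumes an existing PDO
// connection $pdo (PDO::ERRMODE_EXCEPTION) to the page's database; function names are mine.
function clientIp(): string
{
    // REMOTE_ADDR is taken from the TCP connection by the web server; only trust
    // X-Forwarded-For instead if a proxy you control sets it.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException('could not determine client IP');
    }
    return $ip;
}
function ipAlreadyEntered(PDO $pdo, string $ip): bool
{
    // Backticks quote identifiers; the address is a bound parameter, so the
    // comparison uses the real value and no addslashes()-style escaping is needed.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM `contest` WHERE `ip` = :ip');
    $stmt->execute([':ip' => $ip]);
    return (int) $stmt->fetchColumn() > 0;
}
function saveEntry(PDO $pdo, string $first, string $last, string $email, string $ip): bool
{
    $sql = 'INSERT INTO `contest` (`First_Name`, `Last_Name`, `Email_Address`, `Date`, `ip`)
            VALUES (:first, :last, :email, NOW(), :ip)';
    try {
        return $pdo->prepare($sql)
                   ->execute([':first' => $first, ':last' => $last, ':email' => $email, ':ip' => $ip]);
    } catch (PDOException $e) {
        // With a UNIQUE index on `ip` (assumed), a second submission that races past
        // the SELECT above fails here with SQLSTATE 23000 instead of being stored twice.
        if ((string) $e->getCode() === '23000') {
            return false;
        }
        throw $e;
    }
}
if (isset($_POST['action']) && $_POST['action'] === 'submitform') {
    $ip = clientIp();
    $saved = !ipAlreadyEntered($pdo, $ip)
        && saveEntry($pdo, $_POST['firstname'] ?? '', $_POST['lastname'] ?? '', $_POST['email'] ?? '', $ip);
    if (!$saved) {
        echo 'An entry from this IP address already exists';
    } else {
        header('Location: thanks.html');
        exit();
    }
}
```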