PHP and stoopid code

[fisicx]

I'm busy working on a site that will sell printed cards announcing the birth of a rugrat. The customer enters the baby's details into a form and submits. We run the details through a validator and then want the customer to check the details before the order is sent (by email).

I suspect that it's really easy to but I can't figure it out:

1. Complete form and submit.
2. Sanitize and validate.
3. Display details for customer to check.
4. Click on a button to place order.
5. Make payment.

It's step 4 I can't do. How do I get everything to stop until the visitor clicks on the 'place order' link and the php mail() function executes.

 

[DanHarrison]

Am confused. How are you trying to implement this? As an actual site? Are you writing a wizard type interface? I'd store the details in database with a pending state. Them pressing on the button changes the data into a ready state, and processing continues.

Dan

 

[fisicx]

Much simpler than that. It's a form which gets completed, the customer checks the details and then pays for the cards. If they want to make changes they can return to the form and resubmit. Trouble is, every time they resubmit a new email gets sent. All we want to do I pause the email submission until the customer is happy with the info.

I wouldn't even know where to start setting up a database. My programming skills are pretty much limited to processing forms and sending an email.

 

[DanHarrison]

Then I suggest adding a checkbox that requires that the user confirms they are happy with the final design (business card places have a checkbox next to a T&C to say any changes are final, and any mistakes are not their fault).

Just check that the checkbox is ticked in the form before sending the email.

Dan

 

[awebapart.com]

One approach to this problem is to have the one form, one php file which posts back to itself, and the back end processing in the php file understands the concept of different states, (e.g. the initial entry state, the validation/error reporting state, the ok/confirmation state, the completion state). Sometimes it is easier to combine some of the earlier states, and server-side redirect to another URL once the confirmation is done. In the testing of this type of process, make sure you test for when the user hits F5 browser refresh or hits the back button.

I would also recommend reconsidering the "order is only stored in an email approach" as emails can get lost, perhaps backing up "plan a" email with a "plan b" of a more permanent record of an order, albeit in a database (preferable) or even some form of file log.

 

[fisicx]

This is why I don't do programming!

Think we might have a workaround here but the DB is something I've been shying away from for no other reason than I haven't got a clue where to start (this real real shoestring project for a UKBF member).

 

[FireFleur]

You need a persistent data storage location.

Ultimately you need session control, because HTTP is effectively stateless.

The problem is you are over simplifying the concept, the flow is not what you have shown, as regards to the application, it is close to this:

1. Form Submission tied to session.
2. Form Data Validated
3. Data stored against session
4. Details Shown Button Displayed

That is one request

5. Form Submitted tied to session
6. Data retrieved
7. Email sent

Second request complete

You can do this all in JavaScript though, and keep it all client side.

 

[fisicx]

That's the workaround we have come up with. After validation the details are displayed, the customer then goes back and amends the details of clicks on OK and is taken to a new page where the email is sent and the payment options displayed.

 

[FireFleur]

JavaScript?

Yeah, well it is not right, but most run with JavaScript enabled so it won't make too much of a difference.

You still need to validate server side, just in case they turn it off.

 

[fisicx]

No, it's all php.

The whole process works really well it was just the possiblity of ending up with repeated emails from a client if they kept changing the details.

If you want to see the work in progress a PM will suffice.

 

[FireFleur]

Well if you have state maintained, then drop out the email until the confirmation.

The thing to realise is the state blocks, it is not a continuous set of instructions it has to be modular.

So a different function handles the emailing, than the validation and you can change flow or call the different function itself to make it more obvious.

I will send you a PM if you want me to see if there is quick way to block the email until final acceptance.

It could be as simple as supplying two submits one to validate and one to confirm.

 

[edmondscommerce]

something like

<?php

if(!empty($_POST){
foreach($_POST as $k=>$p){
$_POST['$k'] = my_sanitise_function($p);
}
if($_POST['update_submit']==='submit'){
my_mail_function();
}
}

<form method="post">
<input name="blah1" value="<?=$_POST['blah1']?>">
<input name="blah2"  value="<?=$_POST['blah2']?>">
<input name="blah3"  value="<?=$_POST['blah3']?>">
<select name="update_submit"><option value="update">update</option><option value="submit">submit</option></select>
<input type="submit">
</form>

 

[DanHarrison]

It's worth learning how to work with a MySQL database. It is really really easy. There are plenty of MySQL+PHP starter guides.

Dan

 

[fisicx]

Thanks everyone, realised now what a chump I was - php is all handled server side so there isn't any user input.

What I'm going to do is hold the message as hidden fields until the user moves onto the payment option then the email gets sent.

Got lots of good things to play with now.

 

[edmondscommerce]

look into storing things in the session rather than passing around hidden fields..

not a very secure approach..

session stuff is really quite easy in php

<?php
session_start();
$_SESSION['something']='blah';
?>

 

[fisicx]

look into storing things in the session rather than passing around hidden fields..

not a very secure approach..

session stuff is really quite easy in php

<?php
session_start();
$_SESSION['something']='blah';
?>

Can the blah be $_POST['something']; so you have

$_SESSION['something']=$_POST['something'];

 

[edmondscommerce]

yes though sanitize

$_SESSION['something'] = my_sanitize_function($_POST['blah']);

$_SESSION is a super global like $_POST - you can make $_SESSION['something'] be anything you can do with any other variable - eg array, string, integer... whatever

 

[jadexsoln]

One approach to this problem is to have the one form, one php file which posts back to itself, and the back end processing in the php file understands the concept of different states, (e.g. the initial entry state, the validation/error reporting state, the ok/confirmation state, the completion state). Sometimes it is easier to combine some of the earlier states, and server-side redirect to another URL once the confirmation is done. In the testing of this type of process, make sure you test for when the user hits F5 browser refresh or hits the back button.

I would also recommend reconsidering the "order is only stored in an email approach" as emails can get lost, perhaps backing up "plan a" email with a "plan b" of a more permanent record of an order, albeit in a database (preferable) or even some form of file log.

I would second this approach and this is often how I do it - post the form back to itself with a flag set in the URL.

If you don't want to go to the trouble of using a database, PHP can easily log the order to a file (CSV, XML however you want to structure it) just in case the e-mail gets lost.

All contained in PHP, so no issue if the user has JavaScript turned off in his/her browser.

 

[Red Eye Media]

Shove all of the data into a database and use your payment service provider to send the user back to a script that alters the status of the order and sends the email.
This way, you will only receive the email if the person has paid.

 

[FireFleur]

Well it does handle user input, it handles it on the server side via the post or get request.

But I know what you mean by that, and it is quite funny; Coldfusion, PHP and ASP heads all seem to have that problem at the start, it is because the language is designed to look like markup, which is just bizarre but there you go

 

[dalton88]

Use sessions to pass all the form details across to the next page then echo it all to the page with a tick box and button. Then send the email.

good place to learn coding http://www.w3schools.com/
Something like:

<?php session_start();
$_SESSION['name']=$_POST["name"];
$_SESSION['age']=$_POST["age"];
echo"Your name is: " . $_SESSION['name'] . "<BR>";
echo"Your age is: " . $_SESSION['age'] ;
$to = "[email protected]";
$subject = "Test mail";
$message = "Your name is: " . $_SESSION['name'] . "<BR>Your age is: " . $_SESSION['age'];
$from = "[email protected]";
$headers = "From: $from";
mail($to,$subject,$message,$headers);
echo "Mail Sent.";

dont no if that helps or not.

 

[fisicx]

Getting to grips with things now and just tentatively experimenting with an My_sql DB (with the help of xamplite).

My sanitizing was very clunky so am considering using filter_var() but can't find a list of options. I'm OK with FILTER_VALIDATE_EMAIL and FILTER_SANITIZE_STRING but what else is there?

 

[FireFleur]

http://uk2.php.net/manual/en/function.filter-list.php

Yeah they don't make that easy to find, one of the good things about PHP is that site, it is often quite comprehensive but I think it builds up over time, as people add to the pages.

It doesn't match your SANITIZE_STRING though exactly so they are being defined elsewhere and related to the list.

 

[fisicx]

Yarp, maybe there needs to be a PHP tutorial in using the PHP manual.

Anyway, also found this: http://mattiasgeniar.be/2009/02/07/input-validation-using-filter_var-over-regular-expressions/ which is pretty comprehensive list.

And I will send you the files Fire Fleur, got very experimental last night and it all stopped working. Note to self: keep track of your code changes so you can fix things when you balls it all up.

 

[edmondscommerce]

http://uk2.php.net/manual/en/filter.constants.php

for regex I would always recommend using the preg_ family rather than the ereg family

 

[FireFleur]

Server side for web the general form is this:

Input Handling
Database Access
Variables for display
Display to STDOUT

If you separate into four function those steps it tends to be easier to unwind stuff.

A template nearly forces content to be separated but you can do it with includes and functions as well in PHP.

 

[fisicx]

Ooky dookie,

Gave up on filter_var(), I just couldn't get it to work. Needs more investigation when I have more time.

So it's back to the good old tried and tested sanitizing. But how can I get it to accept punctuation?

using preg_match I want it to accept a-z A_Z 0-9, period and comma but nowt else.

I can do the a-z A_Z 0-9 but the punctuation eludes me.

 

[FireFleur]

The period is a character, so . is any character.

\. is a full stop, you have gone all US on us

Comma should be ok.

Probably where slashdot gets its name from.

 

[fisicx]

So it's sanitse not sanitize. And why can't I have colour:red and text-align:centre.

Slashdot... so simple really.

does that mean a slash is \\

 

[FireFleur]

Yes, \ is an escape character.

I was talking about period for your Americansim, but yes sanitise as well

Actually no, for sanitise I think it is spelt with z, have to go and check now

Hmm it is around just not in my system dictionary.

 

[edmondscommerce]

always confusing..

I think your saniti(s|z)e function should look like this:

$output = preg_replace('%[^0-9a-z\.,]%i', '', $input);

 

[ozbon]

Probably where slashdot gets its name from.

I think you'll find Slashdot gets its name from /. This is used in Unix for returning to the top level directory in your file system.

 

[edmondscommerce]

just came across this..

http://code.google.com/p/inspekt/

 

[FireFleur]

Well Slashdot was authored in Perl

But here is his reason:

http://slashdot.org/faq/slashmeta.shtml

cd / is all that is required the /. there the dot is superfluous, you could go cd /./././././././ and let it be a sort of self referencing joke

I will put his reason though, h t t p colon slash slash slash dot dot org

 

[serendipitybusiness]

Can't you take out the email string at part 4 and just use the validation string then add the email string on the final submit?