That's great - thanks very much.
Just a related question, if that's OK: as mentioned, I have this form on each of the pages of the site that allows users to sign up for a newsletter. The following shows one of the input fields in the form:
<div>
  <input id="firstname" name="firstname" type="text" value="First name" onfocus="if (this.value == 'First name') this.value=''" onblur="if (this.value == '') this.value='First name'" />
  <?php
  if (ValidatedField('index_965','index_965')) {
    if ((strpos((",".ValidatedField("index_965","index_965").","), "," . "1" . ",") !== false || "1" == "")) {
      if (!(false)) {
  ?>
  <span style="color: red; margin: 0; padding: 0;"> First name is required </span>
  <?php //WAFV_Conditional index.php index_965(1:)
      }
    }
  }?>
</div>
I used a Data Assist insert server behaviour to insert the contents of the form into a DB table. The following is the code produced by the server behaviour:
<?php require_once("/home/site/private/newsletter.php"); ?>
<?php require_once("../WA_DataAssist/WA_AppBuilder_PHP.php"); ?>
<?php require_once("../WA_ValidationToolkit/WAVT_Scripts_PHP.php"); ?>
<?php require_once("../WA_ValidationToolkit/WAVT_ValidatedForm_PHP.php"); ?>
<?php
if (isset($_POST["submit"])) {
  $WAFV_Redirect = "";
  $_SESSION['WAVT_index_965_Errors'] = "";
  if ($WAFV_Redirect == "") {
    $WAFV_Redirect = $_SERVER["PHP_SELF"];
  }
  $WAFV_Errors = "";
  $WAFV_Errors .= WAValidateRQ(((isset($_POST['firstname']) && $_POST['firstname'] != "First Name")?$_POST['firstname']:"") . "",false,1);
  $WAFV_Errors .= WAValidateRQ(((isset($_POST['lastname']) && $_POST['lastname'] != "Last Name")?$_POST['lastname']:"") . "",false,2);
  $WAFV_Errors .= WAValidateEM(((isset($_POST["email"]))?$_POST["email"]:"") . "",true,3);
  if ($WAFV_Errors != "") {
    PostResult($WAFV_Redirect,$WAFV_Errors,"index_965");
  }
}
?>
<?php
// WA Application Builder Insert
if (isset($_POST["submit"])) // Trigger
{
  $WA_connection = $newsletter;
  $WA_table = "subscriptions";
  $WA_sessionName = "subscriptions_subID";
  $WA_redirectURL = "";
  $WA_keepQueryString = false;
  $WA_indexField = "subID";
  $WA_fieldNamesStr = "firstname|lastname|email";
  $WA_fieldValuesStr = "".((isset($_POST["firstname"]))?$_POST["firstname"]:"") ."" . "|" . "".((isset($_POST["lastname"]))?$_POST["lastname"]:"") ."" . "|" . "".((isset($_POST["email"]))?$_POST["email"]:"") ."";
  $WA_columnTypesStr = "',none,''|',none,''|',none,''";
  $WA_fieldNames = explode("|", $WA_fieldNamesStr);
  $WA_fieldValues = explode("|", $WA_fieldValuesStr);
  $WA_columns = explode("|", $WA_columnTypesStr);
  $WA_connectionDB = $database_newsletter;
  mysql_select_db($WA_connectionDB, $WA_connection);
  if (!session_id()) session_start();
  $insertParamsObj = WA_AB_generateInsertParams($WA_fieldNames, $WA_columns, $WA_fieldValues, -1);
  $WA_Sql = "INSERT INTO `" . $WA_table . "` (" . $insertParamsObj->WA_tableValues . ") VALUES (" . $insertParamsObj->WA_dbValues . ")";
  $MM_editCmd = mysql_query($WA_Sql, $WA_connection) or die(mysql_error());
  $_SESSION[$WA_sessionName] = mysql_insert_id();
  if ($WA_redirectURL != "") {
    if ($WA_keepQueryString && $WA_redirectURL != "" && isset($_SERVER["QUERY_STRING"]) && $_SERVER["QUERY_STRING"] !== "" && sizeof($_POST) > 0) {
      $WA_redirectURL .= ((strpos($WA_redirectURL, '?') === false)?"?":"&").$_SERVER["QUERY_STRING"];
    }
    header("Location: ".$WA_redirectURL);
  }
}
?>
Since the newsletter form is potentially open to a SQL injection, I wondered if the code produced by the server behaviour contained any protection against this security risk. As I don't understand a lot of the code produced, could you tell me if it has taken care of it or whether this is something extra I need to add to the input fields?
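
An added example, not part of the original post and not WebAssist's code: the generated insert builds `$WA_Sql` by string concatenation from whatever `WA_AB_generateInsertParams` returns, and that function's body is not shown, so its escaping cannot be judged from the code above. The parameterized insert below for the same three columns does not depend on it; the function name `addSubscription`, the "Last name" placeholder text and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example: parameterized insert for the subscriptions table
// (firstname, lastname, email columns taken from the post).
// Assumption: PDO is available; SQLite in memory replaces MySQL for the demo.

function addSubscription(PDO $pdo, array $post): int
{
    // Read one field; the untouched placeholder text counts as empty.
    // Compared case-insensitively because the form uses "First name"
    // while the generated validation compares against "First Name".
    $field = function (string $key, string $placeholder = '') use ($post): string {
        $value = is_string($post[$key] ?? null) ? trim($post[$key]) : '';
        return ($placeholder !== '' && strcasecmp($value, $placeholder) === 0) ? '' : $value;
    };
    $first = $field('firstname', 'First name');
    $last  = $field('lastname', 'Last name');   // assumed placeholder text
    $email = $field('email');

    if ($first === '' || $last === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('First name, last name and a valid email are required');
    }

    // Each value is bound to its own placeholder and sent as data:
    // a quote cannot end the SQL string, and a "|" cannot shift the
    // columns the way explode("|", $WA_fieldValuesStr) could.
    $stmt = $pdo->prepare(
        'INSERT INTO subscriptions (firstname, lastname, email) VALUES (:first, :last, :email)'
    );
    $stmt->execute([':first' => $first, ':last' => $last, ':email' => $email]);
    return (int) $pdo->lastInsertId();
}

// Demo on a constructed table and constructed input.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE subscriptions (subID INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT)');

$post = [
    'firstname' => 'Anne|Marie',   // contains the generated code's field separator
    'lastname'  => "O'Brien",      // contains a single quote
    'email'     => 'anne@example.com',
];
$id  = addSubscription($pdo, $post);
$row = $pdo->query('SELECT firstname, lastname, email FROM subscriptions WHERE subID = ' . $id)
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row === $post);   // stored values are byte-for-byte what was submitted
```

With MySQL, construct the PDO object with a `mysql:` DSN and set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server prepares the statement. The `mysql_*` functions used by the generated code were removed in PHP 7.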