Home/ Questions/Q 6617729
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T20:44:21+00:00

Alright. I have this contest signup form with 3 fields that inserts it into

  • 0

Alright. I have this contest signup form with 3 fields that inserts it into a mySQL DB… as well as emailing it. I am adding this code that will check the form for the users current IP, and disallow the submission if it exists.

This seems to be executing without error now… but it allows multiple submissions from the same IP. Anything jump out as incorrect?

FULL CODE BELOW:

<?php //include the connection file

require_once('connection.php');


function sanitize($value, $type)
{
$value = (!get_magic_quotes_gpc()) ? addslashes($value) : $value;

switch ($type) {
case "text":
$value = ($value != "") ? "'" . $value . "'" : "NULL";
break;
case "long":
case "int":
$value = ($value != "") ? intval($value) : "NULL";
break;
case "double":
  $value = ($value != "") ? "'" . doubleval($value) . "'" : "NULL";
  break;
case "date":
  $value = ($value != "") ? "'" . $value . "'" : "NULL";
  break;
}

return $value;
}

//save the data on the DB and send the email

if(isset($_POST['action']) && $_POST['action'] == 'submitform')
{
//recieve the variables

$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$ip = gethostbyname($_SERVER['REMOTE_ADDR']);

mysql_select_db($database, $connection);
$QUERY = "SELECT COUNT(IP) AS `count` FROM `contest` WHERE IP = 'value'";
$RESULT = mysql_query($QUERY) or die(mysql_error());

// Read the firs row
$row = mysql_fetch_assoc($RESULT);

// Check how many rows MySQL counted
if($row['count'] > 0) {
echo "value already exists";
}
else {

//save the data on the DB

mysql_select_db($database, $connection);

$insert_query = sprintf("INSERT INTO contest (First_Name, Last_Name, Email_Address, Date, ip) VALUES (%s, %s, %s, NOW(), %s)",
                        sanitize($firstname, "text"),
                        sanitize($lastname, "text"),
                        sanitize($email, "text"),
                        sanitize($ip, "text"));

$result = mysql_query($insert_query, $connection) or die(mysql_error());

if($result)
{
    //send the email

    $to = "EMAIL ADDY";
    $subject = "SUBJECT LINE";

    //headers and subject
    $headers  = "MIME-Version: 1.0rn";
    $headers .= "Content-type: text/html; charset=iso-8859-1rn";
    $headers .= "From: ".$firstname." <".$email.">rn";

    $body = "New contact
";
    $body .= "First Name: ".$firstname."
";
    $body .= "Last Name: ".$lastname."
";
    $body .= "Email: ".$email."
";
    $body .= "IP: ".$ip."
";

    mail($to, $subject, $body, $headers);

    //ok message

    header ('Location: thanks.html');
    exit ();
}
}
}

?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You need to use backticks instead of single quotes to escape table names/reserved words:

    $QUERY = "SELECT COUNT(IP) AS `count` FROM `contest` WHERE IP = 'value'";

    Also if your IP column is string you need to enclose the value for that in single quotes 🙂

    • 0