An RSVP PHP Script

I've been terrible about posting on here, and I just noticed after all this time that my blog doesn't contain any web-based scripts. I am getting married this fall, so I built a website with an RSVP PHP form for our guests. I'd rather have all our guests in a centralized location than a pile of acceptance letters stored somewhere, where I may or may not have an accurate count when the wedding date gets closer. First, we'll need a form. I have mine located in the rsvp.php page:
<form action="RSVPInsert.php" method="post">
<!-- Each text field is re-filled from the previous submission; htmlspecialchars() keeps quotes or tags in the submitted text from breaking out of the value="" attribute -->
<table>
 <tr><td align="right">Full name:</td><td><input type="text" name="fullname" value="<?php echo(isset($_POST['fullname']) ? htmlspecialchars($_POST['fullname']) : ''); ?>"><br></td></tr>
 <tr><td align="right">Email:</td><td><input type="text" name="email" value="<?php echo(isset($_POST['email']) ? htmlspecialchars($_POST['email']) : ''); ?>"><br></td></tr>
 <tr><td align="right">Phone: </td><td><input type="text" name="phone" value="<?php echo(isset($_POST['phone']) ? htmlspecialchars($_POST['phone']) : ''); ?>"><br></td></tr>

 <tr><td align="right">Can you attend? </td>
 <td><select name="attend">
 <option value="yes">Yes</option>
 <option value="no">No</option>
 </select><br></td></tr>

 <tr><td align="right">How many guests?</td>
 <td><select name="numguests">
 <option value="0">0</option>
 <option value="1">1</option>
 <option value="2">2</option>
 <option value="3">3</option>
 <option value="4">4</option>
 <option value="5">5</option>
 </select><br></td></tr>

 <tr><td align="right">If you have guests, <br>please enter their names:<br></td>
 <td><input type="text" name="guestnames" value="<?php echo(isset($_POST['guestnames']) ? htmlspecialchars($_POST['guestnames']) : ''); ?>"><br></td></tr>
 <tr><td align="right">Suggest a song: </td><td><input type="text" name="song" value="<?php echo(isset($_POST['song']) ? htmlspecialchars($_POST['song']) : ''); ?>"><br></td></tr>
 <tr><td align="right">A message for Ray and Candice?<br></td>
 <!-- A textarea has no value attribute; its content goes between the tags -->
 <td><textarea name="message"><?php echo(isset($_POST['message']) ? htmlspecialchars($_POST['message']) : ''); ?></textarea></td></tr>
</table>

<input type="submit" name="submit" value="Send RSVP">
</form>
I threw everything into a table so it doesn't look off-center and weird. I also have an RSVPInsert.php page that captures all of the submitted information:
<?php

// ** MySQL settings - You can get this info from your web host ** //
define('DB_NAME', 'dbname');       // The name of the database
define('DB_USER', 'user');         // Your MySQL username
define('DB_PASSWORD', 'password'); // ...and password
define('DB_HOST', 'localhost');    // 99% chance you won't need to change this value

// Connect to SQL
$conn = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD) or die('Error connecting to mysql');
mysql_select_db(DB_NAME) or die('Unable to connect. Try again later. <BR> <button onclick="goBack()">Go Back</button>');
$email = mysql_real_escape_string($_POST['email']);

// Validate name: letters and spaces only
if (!preg_match("/^[a-zA-Z ]*$/", mysql_real_escape_string($_POST['fullname']))) {
    echo('Your name is invalid. Please go back and try again. <BR> <button onclick="goBack()">Go Back</button>');
    exit;
}

// Validate email address
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo('Your email is invalid. Please go back and try again. <BR> <button onclick="goBack()">Go Back</button>');
    exit;
}

// Validate phone number: strip everything that is not a digit, then expect exactly 10 digits
$justNums = preg_replace("/[^0-9]/", '', mysql_real_escape_string($_POST['phone']));

$isPhoneNum = false; // initialised here so a bad number does not leave it undefined
if (strlen($justNums) == 10) { $isPhoneNum = true; }

if ($isPhoneNum == false) {
    echo('Your phone number is invalid. Please go back and try again. <BR> <button onclick="goBack()">Go Back</button>');
    exit;
}

// Check for pre-existing email
$sql = "SELECT email FROM rsvp WHERE email='$email'";
$result = mysql_query($sql) or die('Error: ' . mysql_error());

// If email on file, then update with form. Otherwise, create new entry.
// NewData() and UpdateData() are defined in the footer section further down.
$row = mysql_fetch_array($result); // false when no row matched
if ($row === false) {
    NewData();
} else {
    UpdateData();
}

mysql_close();
?>
The above code reviews the data being submitted. By using mysql_real_escape_string, I can prevent malicious attacks against the database through MySQL injection. Essentially, it's ensuring that no one uses the two dashes "--" or other signs like the equal sign to discover how the query is working; instead, the actual symbol is displayed. I also have various checks going on: it verifies the email is legitimate (with the @ symbol and a domain name), it verifies the phone number is a 10-digit number even if they type it with parentheses or dashes, and it verifies whether or not the name is realistic (no numbers). I have some other webpage formatting after this section, and in my PHP footer section I have the following code:
<?php

function UpdateData(){

    // Define variables (escaped for use inside the SQL string)
    $name    = mysql_real_escape_string($_POST['fullname']);
    $email   = mysql_real_escape_string($_POST['email']);
    $phone   = mysql_real_escape_string($_POST['phone']);
    $guests  = mysql_real_escape_string($_POST['guestnames']);
    $song    = mysql_real_escape_string($_POST['song']);
    $message = mysql_real_escape_string($_POST['message']);

    // attend and numguests are taken straight from $_POST (see the note below the code)
    $sql = "UPDATE rsvp SET fname='$name', phone='$phone', attend='$_POST[attend]', numguests='$_POST[numguests]', guests='$guests', song='$song', message='$message' WHERE email='$email'";

    if (!mysql_query($sql)) {
        die('Error: ' . mysql_error());
    }
    echo("Your RSVP has been updated!<br><br> - Ray & Candice");

    return;
}

function NewData(){

    // Define variables (escaped for use inside the SQL string)
    $name    = mysql_real_escape_string($_POST['fullname']);
    $email   = mysql_real_escape_string($_POST['email']);
    $phone   = mysql_real_escape_string($_POST['phone']);
    $guests  = mysql_real_escape_string($_POST['guestnames']);
    $song    = mysql_real_escape_string($_POST['song']);
    $message = mysql_real_escape_string($_POST['message']);

    // attend and numguests are taken straight from $_POST (see the note below the code)
    $sql = "INSERT INTO rsvp (fname, email, phone, attend, numguests, guests, song, message)
            VALUES('$name', '$email', '$phone', '$_POST[attend]', '$_POST[numguests]', '$guests', '$song', '$message')";

    if (!mysql_query($sql)) {
        die('Error: ' . mysql_error());
    }

    $attend = $_POST['attend'];
    if ($attend == "yes") {
        echo("Thank you! We look forward to seeing you!<br> If you need to make any changes, just use the same e-mail address and fill out the form again.<br><br> - Ray & Candice");
    } else {
        echo("Sorry you can't attend. We hope to see you soon!<br><br> - Ray & Candice");
    }

    return;
}

?>
In the if statement of the first block of code, it looks for the email address. If the email address is already in use, that guest's entry in the database is updated. If the email address hasn't been used, it adds a new entry. Since the number of guests attending and whether or not a person is attending the wedding are pre-filled, I determined there was no purpose behind the mysql_real_escape_string for these two scenarios. Since the user cannot manipulate them, I can use the values directly from the $_POST[] array. Finally, to get this working you need to create a table structure in MySQL:
  • fname (text)
  • email (text)
  • phone (text)
  • attend (text)
  • numguests (int)
  • guests (text)
  • song (text)
  • message (text)
Set email as the unique identifier. This is important because the entire table is keyed on this field. All columns but numguests should be text with a maximum length of 100 characters. I can't imagine too many people having a name longer than 100 characters. The numguests column should be an integer. That just about covers it!
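As an added example (not the post's own code), here is the validation and insert-or-update step rewritten with mysqli prepared statements: attend and numguests are checked against the drop-down's allowed values and bound as parameters like every other field, so nothing the client posts is ever spliced into the SQL text, whichever field it arrives in. It assumes the rsvp table above with email declared UNIQUE (so INSERT ... ON DUPLICATE KEY UPDATE replaces the SELECT-then-branch step) and the DB_* constants from RSVPInsert.php; validate_rsvp and save_rsvp are names chosen here, and the name check is loosened to allow apostrophes and hyphens.

```php
<?php
// Added example, not the post's own code: the post's checks and its
// insert-or-update step redone with mysqli prepared statements. Assumes the
// post's rsvp table with email declared UNIQUE and the DB_* constants from
// RSVPInsert.php; validate_rsvp and save_rsvp are names chosen for this example.

// Returns array(errors, cleanValues); cleanValues is empty when a check fails.
function validate_rsvp(array $post) {
    // Only accept scalar strings: a client can post an array under any field name.
    $get = function ($k) use ($post) { return isset($post[$k]) && is_string($post[$k]) ? trim($post[$k]) : ''; };
    $name = $get('fullname'); $email = $get('email');
    $phone = preg_replace('/[^0-9]/', '', $get('phone'));
    $attend = $get('attend'); $numguests = $get('numguests');
    $errors = array();
    if (!preg_match("/^[a-zA-Z' -]{1,100}$/", $name)) { $errors[] = 'name'; }
    if (strlen($email) > 100 || !filter_var($email, FILTER_VALIDATE_EMAIL)) { $errors[] = 'email'; }
    if (strlen($phone) != 10) { $errors[] = 'phone'; }
    // A <select> limits what the browser offers, not what a client can send,
    // so the two drop-down values are checked against the allowed set here too.
    if (!in_array($attend, array('yes', 'no'), true)) { $errors[] = 'attend'; }
    if (!in_array($numguests, array('0', '1', '2', '3', '4', '5'), true)) { $errors[] = 'numguests'; }
    if ($errors) { return array($errors, array()); }
    return array(array(), array(
        'fname' => $name, 'email' => $email, 'phone' => $phone,
        'attend' => $attend, 'numguests' => (int) $numguests,
        // Free-text fields are only capped to the 100-character columns.
        'guests' => substr($get('guestnames'), 0, 100),
        'song' => substr($get('song'), 0, 100),
        'message' => substr($get('message'), 0, 100),
    ));
}

// One statement replaces the post's SELECT-then-INSERT/UPDATE pair: because
// email is UNIQUE, a repeat submission updates the existing row instead.
function save_rsvp(mysqli $db, array $r) {
    $stmt = $db->prepare(
        'INSERT INTO rsvp (fname, email, phone, attend, numguests, guests, song, message)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)
         ON DUPLICATE KEY UPDATE fname = VALUES(fname), phone = VALUES(phone),
           attend = VALUES(attend), numguests = VALUES(numguests),
           guests = VALUES(guests), song = VALUES(song), message = VALUES(message)');
    if (!$stmt) { return false; }
    $stmt->bind_param('ssssisss', $r['fname'], $r['email'], $r['phone'], $r['attend'],
                      $r['numguests'], $r['guests'], $r['song'], $r['message']);
    return $stmt->execute();
}

list($errors, $rsvp) = validate_rsvp($_POST);
if ($errors) { exit('Invalid ' . implode(', ', $errors) . '. Please go back and try again.'); }
$db = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
echo save_rsvp($db, $rsvp) ? 'Thank you! Your RSVP has been recorded.' : 'Error: ' . htmlspecialchars($db->error);
```

Because the whole value travels as a bound parameter, the validation no longer needs to run on an escaped copy of the input, so a name like O'Brien passes the checks and is stored as typed.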