Customer Product Key Retrieval Request Form PHP Script
The scripts in the two link groups below are Customer Apps for Dealing with Product Keys and Email Addresses, and Administrator Apps for Dealing with Customer Records.
In our ecommerce world, products are sold by many different methods. One of these is getting demos out in various ways: when people try them, some are very pleased and buy what's called a key, which unlocks the full feature set of the product when they enter it. Product users need limited access to perform a few functions, such as changing their emails or retrieving their keys from our database when they misplace them. There is also a need for administrative functions to manage customer records: sorting, editing, deleting, adding, viewing, and searching them, registering to be an administrator, logging in as administrator, etc.
If an ecommerce company does not have any of the applications below, it is forced to perform these tasks the 20th century way: by hand. This means paying for people to answer phones, write emails, keep paper files of customers, etc. The 21st century way is to let software perform these tasks, let websites and videos explain the product features, and let ecommerce close the sale and send the product.
Feel free to use these free Customer Records Management scripts in your business. Note: we know they work well for us (they are well tested), but we assume no liability for how they work in your situation. Similarly, we added lots of security measures such as extensive input filtering, but we make no claims and assume no liability for how securely they work in your situation.
The best security measure to take when using the administrative part of a system like this (meaning the Administrator Apps for Dealing with Customer Records, not the Customer Apps for Dealing with Product Keys and Email Addresses in which category the script below resides) is to not have any links ANYWHERE that link to the URLs of any of the admin files on the server, so neither hackers nor Google finds them. Then use the admin CMS yourself but do not even let your momma use it. Don't even save the link to the admin login as a Favorite, just to be secure. Just stick the login username and password in Roboform and make them impossible to guess. Then use Roboform to log on. The script below, and the other Customer Apps, are included online and linked to as part of the product web pages that make life easier for everyone. Their security is mainly handled via extreme input filtering. The Admin Apps are hidden, unlinked to, and well protected with security measures, password hashes and salts, etc.
This script is called Product-Key-Retrieval-Request.php
Customer Apps for Dealing with Product Keys and Email Addresses
- Customer Email Address Change Form
- Customer Email Address Change Form PHP Script
- Customer Product Key Retrieval Request Form
- Customer Product Key Retrieval Request Form PHP Script
- Customer Form — We Manually Search for Your Key If You Lost Your Key During the Week You Ordered
- Customer Form — We Manually Search for Your Key If You Lost Your Key During the Week You Ordered PHP Script
- Customer Form — We Manually Search for Your Key
- Customer Form — We Manually Search for Your Key PHP Script
Administrator Apps for Dealing with Customer Records
- Customer Records Management PHP Script
- Sort Customer Records by Name PHP Script
- Sort Customer Records by Email PHP Script
- Add Customer Records PHP Script
- Delete Customer Records PHP Script
- Edit Customer Records PHP Script
- View Customer Records PHP Script
- Login to Customer Records Management PHP Script
- Logout of Customer Records Management PHP Script
- Register with Captcha to Administer Customer Records PHP Script
- Register with Captcha to Administer Customer Records PHP Captcha Script
- Check ID for Customer Records Management PHP Script
- Display Emails and Names (for spreadsheet use) PHP Script
The form action in Customer Product Key Retrieval Request Form is the script on the page below: Product-Key-Retrieval-Request.php. This script processes the data which the user enters in the form on this page. Note that in order to get a product key emailed to them, the users must enter not only the email address, but also their last name. The PHP script will ensure that this minimum amount of data gets entered. If it does not, or if the data is faulty, the user will get a message and no key retrieval will occur.
If a user is not sure of the email address that was used when the product key was purchased, the user may try several emails, separated by commas.
First we include config.php so our connections to our MySQL database are set up and secure. Then we define a regular expression pattern ($pattern1) that will allow the characters found in last names and ensure there are no nasties in input. The replacement string ensures that all bad characters are dumped. Good data MUST be found in last name and email address or the key retrieval will not happen. And of course all emails in user input must validate and one must be found in the MySQL database.
The "if" conditional ensures the last name has been entered and that it is 2 characters or more long, and the preg_replace() function uses the pattern to ensure the POSTed last name value is filtered. We added two extra lines of replacing to get rid of two hyphens in a row, since that can be a security problem, and, believe it or not, it has to be run twice to always get all the double hyphens. The mysql_real_escape_string() function is used on the data before we dare to get it near our MySQL SELECT statement, since it securely escapes anything scary. We strip any tags with strip_tags() and get rid of extra spaces with trim().
Then we get to the emails—which may be a comma-separated list. We use the str_replace() function to dump all quotes or commas in $email. Next, just to be cute we put quotes back in $email in such a way that all email addresses are now surrounded by single quotes as well as separated by commas. MySQL expects single quotes, and it does not matter if they are put into the MySQL statement or if they are stuck into the PHP variable you use for the MySQL statement, which uses a WHERE clause to get our SELECT to work right. The single quotes will not work right for the preg_match() function, however, so when we explode the $email variable into an array so that each email can be validated individually, we dump these quotes from each array element.
The preg_match() function uses a regular expression that's a standard email filter pattern. Unvalidated emails do not even let the db get searched—the user who inputs one or more bad emails is sent back to the form. Who knows what the user stuck in the bad email? We won't be finding out the hard way, security-wise!
Note that in the conditional for doing the SELECT to find out if the user's data matches a record in the MySQL database, the "if" includes a criterion that makes sure the last name was entered.
The SELECT will occur as long as the required criteria are met: good data MUST be found in the last name and the emails, or the key retrieval will not happen. And of course emails must validate and at least one email address must be found in the MySQL database. Of course, just because the right input fields were filled does not mean that the SELECT will determine that the user is indeed in the db so his key should be sent. It has to find a record, with the data entered in the form input fields, in the db.
We use the LIKE keyword in the SELECT statement's WHERE clause for both the email and the last name. This allows the name and email to be found even though either may be only a part of the data in the name and email fields in the database, which may contain several entries separated by commas. It also allows a match to be found even if the user's input contains more than one email, with commas to separate them: just one match will do fine. The looking is done by using the array of emails from the user, so we go through the array, grabbing one email at a time and seeing if it is in the email field.
When we do not find a matching name and email, we use the continue statement to skip one loop iteration. If we find a match we increment the $flag and get the record's data, then use the break statement to jump out of the for loop.
In a tiny percentage of cases, the user-entered $email variable won't work because the user cannot recall the email he used when getting the product. Then the user needs to contact your company with the Customer Form — We Manually Search for Your Key. The user may buy updates after buying the original product and use a different email in the process, which the administrator is smart to keep track of by adding it to the user's record. So we add a link to have the company search for the record. We like the user interface convenience of allowing an inputted comma-separated email list since people rarely remember which email they used when they ordered a product.
Now we must send an email to the email address in the database. We do so using the standard form of email sending. You'll want to change words like yoursite.com, you@yoursite.com, Your Company, and Product to the words that apply in your situation. Once the emails are sent, we present links for navigating which the user will find convenient. Alter links as needed. If the user data was insufficient or not found, the user gets a message that tells him to try other email addresses. Note that if the db email field is one of those rare ones with more than one email address, the email will get sent to them all (e.g., w@w.com,q@q.info).
The reason the key for the product will not be conveniently displayed on the screen, but instead emailed to the user's email address, is safety. Just because someone knows the email address of a person who he knows owns the Product does not mean we wish to show a key to him onscreen. By emailing it to what we know is a legitimate email address of a legitimate customer, no harm is done if he gets his key again even though he did not request it.
The links at the end of the script may need tweaking due to the word Product. It is unlikely that is the name of your product! (We hope.) Additionally, the field names of the keys, product4key and product5key, may not fit your needs: you may have fewer than or more than 2, and require different names.
This script is called Product-Key-Retrieval-Request.php
<?php
//Product-Key-Retrieval-Request.php
//Note: the mysql_* functions used below were removed in PHP 7.0, so this script needs an older PHP.
include_once "config.php";
$pattern1 = '/[^A-Za-z0-9 \\-]/';
$replacement = '';
$flag = 0;      //number of matching records found
$j = array();   //email addresses taken from the form
$N = isset($_POST['Last']) ? $_POST['Last'] : null;
if (isset($N) && strlen($N) > 1) {
    //filter the last name
    $N = strip_tags($N);
    $N = trim($N);
    $N = preg_replace($pattern1, $replacement, $N);
    $N = preg_replace('/\-\-/', $replacement, $N);
    $N = preg_replace('/\-\-/', $replacement, $N);
    //filtering may have shortened the name, so check the length again
    if (strlen($N) < 2) {
        $N = null;
    } else {
        $N = mysql_real_escape_string($N);
    }
    //build the list of emails from the comma-separated input
    $email = isset($_POST['email']) ? $_POST['email'] : '';
    $email = stripslashes($email);
    $email = trim($email);
    $email = str_replace("'", "", $email);
    $email = str_replace(" ", "", $email);
    $email = str_replace('"', '', $email);
    $email = str_replace(",", "','", $email);
    $email = "'" . $email . "'";
    $j = explode(',', $email);
    for ($i = 0; $i < count($j); $i++) {
        $j[$i] = str_replace("'", "", $j[$i]);
        //the pattern is anchored so the whole value must be an email address
        if (!preg_match('/^[\w.+\-]+@[\w\-]+(\.[\w\-]+)+$/D', $j[$i])) {
            echo '<script language="javascript">alert("You submitted an invalid email address."); window.location = "Product-Key-Retrieval-Request-Form.html"; </script>';
            exit; //stop here so a bad email never lets the db get searched
        }
        //escape for SQL, then escape the LIKE wildcards % and _
        $j[$i] = addcslashes(mysql_real_escape_string($j[$i]), '%_');
    }
} else {
    $N = null; //a missing or one-character last name never reaches the SELECT
}
if (isset($N)) {
    for ($i = 0; $i < count($j); $i++) {
        $v = $j[$i];
        $check_user_data = mysql_query("SELECT * FROM product WHERE name LIKE '%$N%' AND email LIKE '%$v%'");
        if (!$check_user_data) {
            //log the details on the server instead of showing them to the visitor
            error_log(mysql_error());
            die('A database error occurred.');
        }
        $rc = mysql_num_rows($check_user_data);
        if ($rc == 0) {
            continue;
        } else {
            $flag++;
            $row = mysql_fetch_assoc($check_user_data);
            $e = $row['email'];
            $k4 = $row['product4key'];
            $k5 = $row['product5key'];
            $name = $row['name'];
            break;
        }
    }
}
if ($flag > 0) {
    //the name comes from the database, so encode it before putting it in the page
    echo "Your key information has been emailed to " . htmlspecialchars($name) . "'s email of record.<BR><BR>
You MUST white list our email address (you@yoursite.com) before you submit this form, as we can only send the email. You need to be responsible to set things up so you can receive it. (Check spam and junk folders and contact your server administrator if you have not received the email within a few minutes.)<BR><BR>
If you no longer have access to the email address you originally ordered with, you will have to change your email address (see link below) by providing old and new contact and other information. This will update the database and then you can return to this page and fill in the form to get your key information.<BR><BR>";
    $to = $e;
    $subject = "Your Product Key(s)";
    $message = "Dear ".$name."\n\nWe have received a request for your Product Keys/Pin Codes.\n\nProduct\n\nVersion 4 keys: ".$k4."\n\nVersion 5 keys: ".$k5."\n\nIf you did NOT submit this request, please contact us immediately by replying to this email.\n\nIf you wish to upgrade, please go to our upgrade page.\n\nRegards,\n\nyoursite.com\n\na website of Your Company";
    $headers = "From: you@yoursite.com";
    $mail_sent = mail($to, $subject, $message, $headers);
} else {
    echo 'We are unable to find your data with the name and email address you provided.<BR>If you have ordered more than once using different names or email addresses, you may try the form again using additional email addresses.<BR>You may contact us (see link below) and we will do a manual search for your key(s).<BR><BR>';
}
mysql_close();
?>
<a HREF="Product-Key-Retrieval-Request-Form.html">Try Product Key Retrieval Request again</a><BR>
<a HREF="we-manually-search-for-keys.html">manual search for your key(s)</a><BR>
<a HREF="email-address-change-form.html">email address change form</a><BR>
<a HREF="lost-their-key-before-Monday.html">I lost my key during the week I ordered</a><BR>
<a HREF="Product.html">Product</a><BR><BR>
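A hardened form of the lookup described above, as an added example that is not part of the original script: it uses PDO prepared statements in place of string-built queries, validates each address as a whole string, escapes LIKE wildcards, and treats LIKE only as a prefilter before an exact comparison against the stored comma-separated addresses. The in-memory SQLite database (standing in for MySQL), the sample rows, and the helper names like_literal() and find_customer() are assumptions made so the example runs offline.

```php
<?php
// Added example, not the original script. Assumption: PDO's SQLite driver
// stands in for MySQL so this runs offline; the rows below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE product (name TEXT, email TEXT, product4key TEXT, product5key TEXT)");
$db->exec("INSERT INTO product VALUES
    ('Pat Example', 'w@w.com,q@q.info', 'K4-SAMPLE', 'K5-SAMPLE'),
    ('Lee Sample', 'lee@example.org', 'K4-OTHER', '')");

// Escape LIKE wildcards so input is matched literally ('!' is the ESCAPE character).
function like_literal($s) {
    return str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $s);
}

// Hypothetical helper: returns the matching customer row, or null.
// $emails is the raw comma-separated list typed into the form.
function find_customer(PDO $db, $last, $emails) {
    $last = trim(preg_replace('/[^A-Za-z0-9 \-]/', '', (string)$last));
    if (strlen($last) < 2) {
        return null;                       // length is checked after filtering
    }
    $stmt = $db->prepare(
        "SELECT * FROM product WHERE name LIKE ? ESCAPE '!' AND email LIKE ? ESCAPE '!'");
    foreach (explode(',', (string)$emails) as $candidate) {
        $candidate = strtolower(trim($candidate));
        // Whole-string validation: one bad address rejects the whole request.
        if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
            return null;
        }
        $stmt->execute(array('%' . like_literal($last) . '%',
                             '%' . like_literal($candidate) . '%'));
        foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
            // LIKE is only a prefilter: require an exact match on one stored address.
            $stored = array_map('trim', explode(',', strtolower($row['email'])));
            if (in_array($candidate, $stored, true)) {
                return $row;
            }
        }
    }
    return null;
}

// Constructed inputs: a valid list, a value containing a LIKE wildcard,
// and an address with trailing markup that must fail validation.
foreach (array('nobody@example.net, q@q.info', '_@q.info', 'q@q.info<b>') as $input) {
    $row = find_customer($db, 'Example', $input);
    echo $input . ' => ' . ($row ? 'match: ' . $row['name'] : 'no match') . "\n";
}
```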