01-08-2008, 03:25 PM #1
Simple form to Database...need security help
Here is a VERY basic script that I've written and confirmed that it's storing information into the database. This information is coming from a Flash submission form.
PHP Code:
<?php
$connection = mysql_connect("localhost", "user", "pass");
if (!$connection) {
    die("Database connection failed: " . mysql_error());
}
$db_select = mysql_select_db("database", $connection);
if (!$db_select) {
    die("Database Selection failed: " . mysql_error());
}
// Raw form values, taken straight from the Flash POST with no validation or escaping.
$firstname = $_POST['member_firstname'];
$lastname = $_POST['member_lastname'];
$address = $_POST['member_address'];
$city = $_POST['member_city'];
$state = $_POST['member_state'];
$zip = $_POST['member_zip'];
$country = $_POST['member_country'];
$age = $_POST['member_age'];
$gender = $_POST['member_gender'];
$notes = $_POST['member_notes'];
$email = $_POST['member_email'];
// The values are interpolated directly into the SQL string.
// `table` is a placeholder name; backticked because TABLE is a MySQL reserved word.
$sql = "INSERT INTO `table`
(fname, lname, address, city, state, zip, email, country, age, gender, notes) VALUES
('$firstname', '$lastname', '$address', '$city', '$state', '$zip', '$email', '$country', '$age', '$gender', '$notes')";
$result = mysql_query($sql, $connection);
if (!$result) {
    echo 'query error: ' . mysql_error();
}
01-08-2008, 06:21 PM #2
Error handling for one, send them back if the information isn't valid (string for name, etc).
MySQL has a clean function, mysql_real_escape_string; all of your input should be filtered through that.
Offhand, that's all I can think of.
Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)
PHP Code:
header('HTTP/1.1 420 Enhance Your Calm');
01-09-2008, 03:53 PM #3
mysql_real_escape_string is essential for database security for this sort of script. If you are also sending any user submitted information in an email message, you will have to guard against mail header injection and automated submissions as well. There are a number of techniques used to do that.
The first step is to read up on "PHP mail injection" and on protecting forms from bots and spammers by using captchas and other techniques.
Deliver yesterday, code today, think tomorrow.
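Putting posts #2 and #3 together, here is a hardened version of the script as an added example (not code from the thread or its posters): each field is checked against a whitelist pattern and the user is sent back if any fails, every value goes through mysql_real_escape_string on the open connection before the INSERT, and the e-mail pattern rejects CR/LF so the address cannot carry injected mail headers if it is later reused in a mail() call. The `$connection` handle, column and field names are the original post's; the patterns, length caps and the form.php redirect target are assumptions.

```php
<?php
// Added example (not the thread's code). $connection is the mysql_connect() handle
// from the original post; field and column names match it; the rules are assumptions.
$rules = array(
    'member_firstname' => '/^[A-Za-z\' -]{1,50}$/',
    'member_lastname'  => '/^[A-Za-z\' -]{1,50}$/',
    'member_address'   => '/^[A-Za-z0-9#.,\' -]{1,100}$/',
    'member_city'      => '/^[A-Za-z.\' -]{1,50}$/',
    'member_state'     => '/^[A-Za-z. ]{1,50}$/',
    'member_zip'       => '/^[A-Za-z0-9 -]{3,10}$/',
    'member_country'   => '/^[A-Za-z. ]{1,50}$/',
    'member_age'       => '/^(?:[1-9][0-9]?|1[01][0-9])$/',
    'member_gender'    => '/^(?:M|F|Other)$/',
    // \s excludes \r and \n, so an address that matches cannot carry injected mail headers.
    'member_email'     => '/^[^\s@]+@[^\s@]+\.[^\s@]+$/',
);
// Returns array(clean values, names of the fields that failed their rule).
function validate_form(array $post, array $rules)
{
    $clean = $bad = array();
    foreach ($rules as $field => $pattern) {
        $value = isset($post[$field]) ? trim($post[$field]) : '';
        if (preg_match($pattern, $value)) {
            $clean[$field] = $value;
        } else {
            $bad[] = $field;
        }
    }
    // Free text: any characters allowed but length capped; escaping below handles quotes.
    $clean['member_notes'] = substr(isset($post['member_notes']) ? $post['member_notes'] : '', 0, 1000);
    return array($clean, $bad);
}
list($clean, $bad) = validate_form($_POST, $rules);
if ($bad) {
    header('Location: form.php?invalid=' . urlencode(implode(',', $bad))); // send them back, insert nothing
    exit;
}
// Escape against the open connection's charset right before building the SQL.
$e = array_map(function ($v) use ($connection) {
    return mysql_real_escape_string($v, $connection);
}, $clean);
$sql = "INSERT INTO `table` (fname, lname, address, city, state, zip, email, country, age, gender, notes) VALUES ("
     . "'{$e['member_firstname']}', '{$e['member_lastname']}', '{$e['member_address']}', '{$e['member_city']}', "
     . "'{$e['member_state']}', '{$e['member_zip']}', '{$e['member_email']}', '{$e['member_country']}', "
     . "'{$e['member_age']}', '{$e['member_gender']}', '{$e['member_notes']}')";
if (!mysql_query($sql, $connection)) {
    error_log('insert failed: ' . mysql_error($connection)); // log it; do not echo DB errors to the user
    header('Location: form.php?invalid=server');
    exit;
}
```

The example keeps the thread's ext/mysql functions; that extension was removed in PHP 7, where mysqli or PDO prepared statements (values bound as parameters, no escaping step) are the equivalent.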