securing form submitting to database



runnerjp
05-17-2008, 03:55 PM
OK, I was going to come back to this later, BUT I caught someone snooping around the members area of the website I'm building, so I have had to tighten up security (members area not open yet!). So I have this upload script where the user types in their data and uploads it for the profile... but how can I make it nice and secure?

First I will just say that on my form I display the user's data via this method:

Code:


<?php
// Fetch the row for $id and pull its columns into local variables.
// Note: $id is interpolated straight into the SQL string (this is the code the question is about).
$qProfile = "SELECT * FROM users WHERE id='$id' ";
$rsProfile = mysql_query($qProfile);
$row = mysql_fetch_array($rsProfile);
extract($row); // defines $dob, $about_me, $events, $first_name, $last_name, $gender, ...
?>
<title>Update Image</title>
<!-- Every value below is echoed into the HTML exactly as stored, with no escaping. -->
<form id="FormName" action="include/updated.php" method="post" name="FormName">
<table width="523" border="0" align="center" cellpadding="0" cellspacing="2">
<tr><td width="150"><div align="right">
<label for="gender">Gender</label>
</div>
</td>
<td colspan="2"><select class="input" id="gender" name="gender">
<option value="Male" <?php if($gender == 'Male') echo 'selected'; ?>>Male</option>
<option value="Female" <?php if($gender == 'Female') echo 'selected'; ?>>Female</option>
</select></td>
</tr>
<tr><td width="150"><div align="right">
<label for="about_me">About me</label>
</div>
</td>
<td colspan="2">
<textarea class="input" id="about_me" name="about_me" rows="4" cols="40"><?php echo $about_me ?></textarea></td>
</tr>
<tr><td width="150"><div align="right">
<label for="events">My events and pb's</label>
</div>
</td>
<td colspan="2">
<input class="input" id="events" name="events" type="text" size="25" value="<?php echo $events ?>" maxlength="255"></td>
</tr>
<tr><td width="150"><div align="right">
<label for="first_name">First name</label>
</div>
</td>
<td colspan="2">
<input class="input" id="first_name" name="first_name" type="text" size="25" value="<?php echo $first_name ?>" maxlength="255"></td>
</tr>
<tr><td width="150"><div align="right">
<label for="last_name">Last name</label>
</div>
</td>
<td colspan="2">
<input class="input" id="last_name" name="last_name" type="text" size="25" value="<?php echo $last_name ?>" maxlength="255"></td>
</tr>
<tr>
<td width="150"></td>
<td width="112"><input name="submitButtonName" type="submit" class="submit-btn" value="">
<!-- The row id travels in a hidden field, so the client decides which row gets updated. -->
<input type="hidden" name="id" value="<?php echo $id ?>"></td>
<td width="253">&nbsp;</td>
</tr>
</table>
</form>


Best check this is safe, lol, you never know.

Now the upload part:

Code:


<?php
// include/updated.php: copy every POST field into a variable and write it back.
$id = $_POST['id'];          // row to update, taken from the hidden field in the form
$about_me = $_POST['about_me'];
$events = $_POST['events'];
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$gender = $_POST['gender'];
// The form above has no birthyear/birthmonth/birthday fields, so these are empty
// unless the form is extended; the date is joined as day-month-year.
$birthyear = $_POST['birthyear'];
$birthmonth = $_POST['birthmonth'];
$birthday = $_POST['birthday'];
$dob = $birthday.'-'.$birthmonth.'-'.$birthyear;

// Every value is dropped straight into the SQL string with no escaping or validation.
$update = "UPDATE users SET dob='$dob', about_me = '$about_me', events = '$events', first_name = '$first_name', gender = '$gender', last_name = '$last_name' WHERE id='$id' ";
$rsUpdate = mysql_query($update);
if ($rsUpdate)
{
echo "Update successful.";
}
?>


So can it be secured?
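As an added example (mine, not the poster's code or anything else from this thread), here are the display and update scripts above rewritten so that form input can neither alter the SQL nor be echoed back as raw HTML, and so that the row being updated is chosen by the server rather than by a hidden field. Everything below the first comment is assumed rather than taken from the post: PHP 7 or later, the PDO connection details, a logged-in user's row id in $_SESSION['user_id'], and the mbstring extension. The mysql_* functions the original uses were removed in PHP 7.0, so a migration is needed in any case.

```php
<?php
// Added example, not the original poster's code. Assumed: PHP 7+, the PDO connection
// below, $_SESSION['user_id'] holding the logged-in user's row id, mbstring available.

session_start();

// Assumed connection; replace host/db/user/password with your own.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Escape anything that goes back into HTML (textarea bodies, value="..." attributes).
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Clamp free-text fields to what the column (and the form's maxlength) allows.
function limitLen(string $s, int $max): string {
    $s = trim($s);
    return mb_strlen($s) > $max ? mb_substr($s, 0, $max) : $s;
}

// Display side: fetch the row with a placeholder, never with "WHERE id='$id'".
function fetchProfile(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT dob, about_me, events, first_name, last_name, gender
                             FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Update side: validates, then writes through a prepared statement.
function updateProfile(PDO $pdo, int $id, array $post): bool {
    // Whitelist the enum instead of trusting whatever the <select> sent.
    $gender = $post['gender'] ?? '';
    if (!in_array($gender, ['Male', 'Female'], true)) {
        throw new InvalidArgumentException('invalid gender');
    }
    // Build the date from integers and reject impossible dates.
    $y = (int) ($post['birthyear'] ?? 0);
    $m = (int) ($post['birthmonth'] ?? 0);
    $d = (int) ($post['birthday'] ?? 0);
    if ($y < 1900 || !checkdate($m, $d, $y)) {
        throw new InvalidArgumentException('invalid date of birth');
    }
    $dob = sprintf('%04d-%02d-%02d', $y, $m, $d);   // ISO format for a DATE column

    // Placeholders instead of string interpolation: input cannot change the query.
    $stmt = $pdo->prepare(
        'UPDATE users
            SET dob = :dob, about_me = :about_me, events = :events,
                first_name = :first_name, gender = :gender, last_name = :last_name
          WHERE id = :id'
    );
    return $stmt->execute([
        ':dob'        => $dob,
        ':about_me'   => limitLen($post['about_me'] ?? '', 2000),
        ':events'     => limitLen($post['events'] ?? '', 255),
        ':first_name' => limitLen($post['first_name'] ?? '', 255),
        ':last_name'  => limitLen($post['last_name'] ?? '', 255),
        ':gender'     => $gender,
        ':id'         => $id,
    ]);
}

// The row to touch is the logged-in user's, not a hidden field the client can edit.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in.');
}
$id = (int) $_SESSION['user_id'];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The POST must carry the CSRF token issued when the form was rendered.
    if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
        http_response_code(400);
        exit('Bad request.');
    }
    try {
        updateProfile($pdo, $id, $_POST);
        echo 'Update successful.';
    } catch (InvalidArgumentException $ex) {
        echo 'Update rejected: ' . e($ex->getMessage());
    }
} else {
    // Render the form: issue a fresh token and escape every stored value on output.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    $row = fetchProfile($pdo, $id) ?? [];
    echo '<form method="post" action="">';
    echo '<input type="hidden" name="csrf_token" value="' . e($_SESSION['csrf_token']) . '">';
    echo '<textarea name="about_me">' . e($row['about_me'] ?? '') . '</textarea>';
    echo '<input type="text" name="events" maxlength="255" value="' . e($row['events'] ?? '') . '">';
    echo '<input type="submit" value="Save"></form>';
}
```

Three things change relative to the posted scripts. The `WHERE id='$id'` and `SET about_me = '$about_me'` interpolation is replaced by bound parameters, so a quote in any field is data rather than SQL. Every value that is echoed into the page goes through `e()`, so a stored `<script>` in "About me" renders as text. And the hidden `id` field is gone: the posted update script would change whichever row a client named in the POST, whereas this version only ever updates the row of the session that sent the request. The CSRF token is an extra that costs two lines and stops another site from submitting the form on a logged-in user's behalf. Database errors are thrown rather than echoed, so the raw PDO message should be logged, not shown.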


