  1. #1
    New Coder

    Simple form to Database...need security help

    Here is a VERY basic script that I've written and confirmed that it's storing information into the database. This information is coming from a Flash submission form.

    PHP Code:
    <?php

        // Connect and select the database; die() on failure.
        $connection = mysql_connect("localhost", "user", "pass");
        if (!$connection) {
            die("Database connection failed: ");
        }
        $db_select = mysql_select_db("database", $connection);
        if (!$db_select) {
            die("Database Selection failed: ");
        }

        // Raw form values from the Flash submission, taken as-is from $_POST.
        $firstname = $_POST['member_firstname'];
        $lastname  = $_POST['member_lastname'];
        $address   = $_POST['member_address'];
        $city      = $_POST['member_city'];
        $state     = $_POST['member_state'];
        $zip       = $_POST['member_zip'];
        $country   = $_POST['member_country'];
        $age       = $_POST['member_age'];
        $gender    = $_POST['member_gender'];
        $notes     = $_POST['member_notes'];
        $email     = $_POST['member_email'];

        // The unescaped values are interpolated straight into the SQL string.
        $sql = "INSERT INTO table
            (fname, lname, address, city, state, zip, email, country, age, gender, notes) VALUES
            ('$firstname', '$lastname', '$address', '$city', '$state', '$zip', '$email', '$country', '$age', '$gender', '$notes')";

        $result = mysql_query($sql) or die(mysql_error());
        if (!$result) {
            echo 'query error: ' . mysql_error();
        }

    ?>
    This is in a file called sendmail.php and I'm wondering what I can do to make it a little more secure to prevent potential problems. Thanks for any help.

  • #2
    Fou-Lu
    Error handling for one: send them back if the information isn't valid (string for name, etc.).
    mysql has a clean function, mysql_real_escape_string; all of your input should be filtered through that.
    Offhand, that's all I can think of.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #3
    Regular Coder
    mysql_real_escape_string is essential for database security for this sort of script. If you are also sending any user submitted information in an email message, you will have to guard against mail header injection and automated submissions as well. There are a number of techniques used to do that.

    The first step is to read up on "PHP mail injection" and on protecting forms from bots and spammers by using captchas and other techniques.
    Deliver yesterday, code today, think tomorrow.
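As an added example (not code from the thread or from either reply), here is the original INSERT rewritten with a mysqli prepared statement, which binds the values separately from the SQL text instead of relying on the escaping function the replies mention, together with the CR/LF check that the "mail injection" warning in #3 calls for. The host, credentials, table and column names are placeholders copied from the original script.

```php
<?php
// Added example (not the thread's code): same INSERT via a mysqli prepared
// statement. Host, credentials and table name are placeholders from the thread.
function clean_field(array $post, string $key, int $maxlen): string
{
    // A missing field becomes '', and length is capped on the server side.
    $value = isset($post[$key]) ? trim((string) $post[$key]) : '';
    return mb_substr($value, 0, $maxlen);
}

function valid_email(string $email): bool
{
    // CR/LF in an address is what mail header injection relies on: reject it.
    if (preg_match('/[\r\n]/', $email)) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

$fields = [
    'fname'   => clean_field($_POST, 'member_firstname', 50),
    'lname'   => clean_field($_POST, 'member_lastname', 50),
    'address' => clean_field($_POST, 'member_address', 100),
    'city'    => clean_field($_POST, 'member_city', 50),
    'state'   => clean_field($_POST, 'member_state', 50),
    'zip'     => clean_field($_POST, 'member_zip', 20),
    'email'   => clean_field($_POST, 'member_email', 254),
    'country' => clean_field($_POST, 'member_country', 50),
    'age'     => clean_field($_POST, 'member_age', 3),
    'gender'  => clean_field($_POST, 'member_gender', 20),
    'notes'   => clean_field($_POST, 'member_notes', 1000),
];
if (!valid_email($fields['email']) || !ctype_digit($fields['age'])) {
    http_response_code(400);
    exit('Invalid submission');
}

$db = new mysqli('localhost', 'user', 'pass', 'database');
if ($db->connect_error) {
    exit('Database connection failed'); // log the detail; do not echo it to users
}
// Column order matches $fields; 'i' binds age as an integer, 's' the rest.
$stmt = $db->prepare('INSERT INTO `table` (fname, lname, address, city, state, zip, '
    . 'email, country, age, gender, notes) VALUES (?,?,?,?,?,?,?,?,?,?,?)');
$values = array_values($fields);
$stmt->bind_param('ssssssssiss', ...$values);
if (!$stmt->execute()) {
    error_log('insert failed: ' . $stmt->error);
    exit('Could not save submission');
}
```

Because the values travel as bound parameters, a quote or semicolon in a form field is stored as data rather than changing the query, and the same valid_email() check can guard any address later passed to mail().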

