Here is a VERY basic script that I've written and confirmed that it's storing information into the database. This information is coming from a Flash submission form.


// Connect to the MySQL server and select the database
$connection = mysql_connect("localhost", "user", "pass");
if (!$connection) {
    die("Database connection failed: ");
}
$db_select = mysql_select_db("database", $connection);
if (!$db_select) {
    die("Database Selection failed: ");
}

// Values posted by the Flash form
$firstname = $_POST['member_firstname'];
$lastname = $_POST['member_lastname'];
$address = $_POST['member_address'];
$city = $_POST['member_city'];
$state = $_POST['member_state'];
$zip = $_POST['member_zip'];
$country = $_POST['member_country'];
$age = $_POST['member_age'];
$gender = $_POST['member_gender'];
$notes = $_POST['member_notes'];
$email = $_POST['member_email'];

// The posted values are placed into the SQL string exactly as submitted
$sql = "INSERT INTO table
(fname, lname, address, city, state, zip, email, country, age, gender, notes) VALUES
('$firstname', '$lastname', '$address', '$city', '$state', '$zip', '$email', '$country', '$age', '$gender', '$notes')";
$result = mysql_query($sql) or die(mysql_error());
if (!$result) {
    echo 'query error: ' . mysql_error();
}


This is in a file called sendmail.php and I'm wondering what I can do to make it a little more secure to prevent potential problems. Thanks for any help :)

Error handling for one, send them back if the information isn't valid (string for name, etc).
MySQL has a clean function, mysql_real_escape_string; all of your input should be filtered through that.
Offhand, that's all I can think of.

mysql_real_escape_string is essential for database security for this sort of script. If you are also sending any user submitted information in an email message, you will have to guard against mail header injection and automated submissions as well. There are a number of techniques used to do that.

First step is to read up on "PHP mail injection" and protecting forms from bots and spammers by using captchas and other techniques.
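
The checks suggested in the replies, put together as an added example (not code from any poster in this thread): posted fields are validated, line breaks are refused in single-line fields so they cannot reach a mail header, and the insert uses bound parameters. It uses PDO prepared statements in place of mysql_real_escape_string because the mysql_* functions were removed in PHP 7.0; the table name "members", the in-memory SQLite database and both sample submissions are assumptions made for the demonstration.

```php
<?php
// Added example, not the original poster's script. The table name "members" is assumed.
// Form field suffix => column name, as used in the posted INSERT.
const FIELDS = ['firstname' => 'fname', 'lastname' => 'lname', 'address' => 'address',
    'city' => 'city', 'state' => 'state', 'zip' => 'zip', 'email' => 'email',
    'country' => 'country', 'age' => 'age', 'gender' => 'gender', 'notes' => 'notes'];

// Returns [values keyed by column, list of validation errors].
function validate_member(array $post): array {
    $clean = [];
    $errors = [];
    foreach (FIELDS as $field => $column) {
        $value = $post["member_$field"] ?? '';
        $raw = is_string($value) ? $value : '';   // array input (member_x[]=...) becomes empty
        // CR or LF in a value later copied into a mail header would let the
        // submitter add headers; only the free-text notes may span lines.
        if ($field !== 'notes' && preg_match('/[\r\n]/', $raw)) {
            $errors[] = "$field: line breaks are not allowed";
        }
        $clean[$column] = trim($raw);
    }
    if ($clean['fname'] === '' || $clean['lname'] === '') {
        $errors[] = 'name: first and last name are required';
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    if (!ctype_digit($clean['age']) || (int)$clean['age'] > 130) {
        $errors[] = 'age: must be a whole number up to 130';
    }
    return [$clean, $errors];
}

// Values are sent as bound parameters, so quotes in them never reach the SQL text.
function insert_member(PDO $db, array $clean): void {
    $cols = array_values(FIELDS);
    $sql = 'INSERT INTO members (' . implode(', ', $cols) . ') VALUES (:' . implode(', :', $cols) . ')';
    $db->prepare($sql)->execute($clean);
}

// Constructed demo: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE members (' . implode(' TEXT, ', array_values(FIELDS)) . ' TEXT)');
$good = ['member_firstname' => 'Pat', 'member_lastname' => "O'Brien", 'member_age' => '34',
    'member_email' => 'pat@example.com', 'member_notes' => "line one\nline two"];
$bad = ['member_firstname' => "Pat\r\nX-Added: 1", 'member_lastname' => 'Doe',
    'member_age' => 'abc', 'member_email' => 'not-an-email'];
foreach ([$good, $bad] as $post) {
    [$clean, $errors] = validate_member($post);
    if ($errors) { echo "rejected: ", implode('; ', $errors), "\n"; continue; }
    insert_member($db, $clean);
    echo "stored: ", $db->query('SELECT lname FROM members')->fetchColumn(), "\n";
}
```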