runnerjp Posted May 17, 2008

OK, I was going to come back to this later BUT I caught someone snooping around the members area of the website I'm building, so I've had to tighten up security (members area not open yet!). So I have this upload script where the user types in their data and uploads it for their profile... but how can I make it nice and secure??

First I will just say that on my form I display the user's data via this method:

```php
<?php
$qProfile = "SELECT * FROM users WHERE id='$id' ";
$rsProfile = mysql_query($qProfile);
$row = mysql_fetch_array($rsProfile);
extract($row);
$dob = ($dob);
$about_me = ($about_me);
$events = ($events);
$first_name = ($first_name);
$last_name = ($last_name);
?>
<title>Update Image</title>
<form id="FormName" action="include/updated.php" method="post" name="FormName">
<table width="523" border="0" align="center" cellpadding="0" cellspacing="2">
<tr>
  <td width="150"><div align="right"><label for="dob">Gender</label></div></td>
  <td colspan="2"><select class="input" id="gender" name="gender">
    <option value="Male" <?php if($gender == 'Male') echo 'selected'; ?>>Male</option>
    <option value="Female" <?php if($gender == 'Female') echo 'selected'; ?>>Female</option>
  </select></td>
</tr>
<tr>
  <td width="150"><div align="right"><label for="about_me">About me</label></div></td>
  <td colspan="2"><textarea class="input" id="about_me" name="about_me" rows="4" cols="40"><?php echo $about_me ?></textarea></td>
</tr>
<tr>
  <td width="150"><div align="right"><label for="events">My events and pb's</label></div></td>
  <td colspan="2"><input class="input" id="events" name="events" type="text" size="25" value="<?php echo $events ?>" maxlength="255"></td>
</tr>
<tr>
  <td width="150"><div align="right"><label for="first_name">First name</label></div></td>
  <td colspan="2"><input class="input" id="first_name" name="first_name" type="text" size="25" value="<?php echo $first_name ?>" maxlength="255"></td>
</tr>
<tr>
  <td width="150"><div align="right"><label for="last_name">Last name</label></div></td>
  <td colspan="2"><input class="input" id="last_name" name="last_name" type="text" size="25" value="<?php echo $last_name ?>" maxlength="255"></td>
</tr>
<tr>
  <td width="150"></td>
  <td width="112"><input name="submitButtonName" type="submit" class="submit-btn" value="">
    <input type="hidden" name="id" value="<?php echo $id ?>"></td>
  <td width="253"></td>
</tr>
</table>
</form>
```

Best check this is safe lol, you never know. Now the upload part:

```php
<?php
$id = $_POST['id'];
$about_me = $_POST['about_me'];
$events = $_POST['events'];
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$gender = $_POST['gender'];
$birthyear = $_POST['birthyear'];
$birthmonth = $_POST['birthmonth'];
$birthday = $_POST['birthday'];
$dob = $birthday.'-'.$birthmonth.'-'.$birthyear;
$update = "UPDATE users SET dob='$dob', about_me = '$about_me', events = '$events', first_name = '$first_name', gender = '$gender', last_name = '$last_name' WHERE id='$id' ";
$rsUpdate = mysql_query($update);
if ($rsUpdate) {
    echo "Update successful.";
}
?>
```

So can it be secured??
RichardRotterdam Posted May 17, 2008

It's not really an upload but more of a register form. But anyway, just use mysql_real_escape_string() to prevent SQL injections and you're safe.
runnerjp (Author) Posted May 17, 2008

Where would I place it?? Should I try to stop users entering /!"£$%^&*() or does this not really matter too much?
RichardRotterdam Posted May 17, 2008

No, you just prevent injections by using the function on the POST variables:

```php
<?php
$about_me = mysql_real_escape_string($_POST['about_me']);
?>
```
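An added example, not code from the thread: the update handler reworked the way a reviewer would write it today. It uses mysqli prepared statements instead of escaping (the mysql_* functions were removed in PHP 7), takes the row id from the session rather than the hidden form field so a user can only change their own row, whitelists the gender value and validates the date parts. It assumes a `$mysqli` connection object and a `$_SESSION['user_id']` set at login; both are assumptions, not things the thread shows.

```php
<?php
// Added example, not the original poster's code. Assumes an existing
// mysqli connection in $mysqli and the logged-in user's id in the session.
session_start();

// Row id comes from the session, never from a hidden form field, so the
// hidden "id" input in the original form cannot be edited to target
// another member's row.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in.');
}
$id = (int) $_SESSION['user_id'];

// Values that come from a fixed set of <option>s are whitelisted.
$allowedGenders = ['Male', 'Female'];
$gender = $_POST['gender'] ?? '';
if (!in_array($gender, $allowedGenders, true)) {
    http_response_code(400);
    exit('Invalid gender.');
}

// Date parts are cast to int and checked as a real calendar date; dob is
// stored in the same day-month-year form the original handler used.
$y = (int) ($_POST['birthyear'] ?? 0);
$m = (int) ($_POST['birthmonth'] ?? 0);
$d = (int) ($_POST['birthday'] ?? 0);
if (!checkdate($m, $d, $y)) {
    http_response_code(400);
    exit('Invalid date of birth.');
}
$dob = sprintf('%02d-%02d-%04d', $d, $m, $y);

// Free-text fields are length-limited to match the form's maxlength.
// No escaping is needed: bound parameters never become part of the SQL.
$about_me   = substr($_POST['about_me']   ?? '', 0, 2000);
$events     = substr($_POST['events']     ?? '', 0, 255);
$first_name = substr($_POST['first_name'] ?? '', 0, 255);
$last_name  = substr($_POST['last_name']  ?? '', 0, 255);

$stmt = $mysqli->prepare(
    'UPDATE users SET dob = ?, about_me = ?, events = ?, first_name = ?, '
    . 'gender = ?, last_name = ? WHERE id = ?'
);
$stmt->bind_param('ssssssi', $dob, $about_me, $events, $first_name,
                  $gender, $last_name, $id);
echo $stmt->execute() ? 'Update successful.' : 'Update failed.';
```

When the stored values are echoed back into the form, wrap each one in `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`; the original form prints `$about_me`, `$events` and the names raw, which is a separate (script injection) problem from the SQL one the thread discusses.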