timecatcher Posted February 19, 2009

Hey everyone. I'm applying to help out at a website that is in need of another PHP coder just to do a few small jobs, and since I'm wanting to continue learning PHP and enhance my skills I've offered, but the guy wants to know if my security and data handling is good, so he said to make a script to show this, so I have. It's not got all the ins and outs so I haven't written in all the forms etc. as there's no need for this; it's just so he knows I understand where I'm going and won't ruin the website with poor security. So I'm wondering if I can show you guys now so you can tell me if my code is any good and if not what I can do to improve it, and please don't say indents, I'm trying to work on it but I'm concentrating on learning the language first.

```php
<?
if (!isset($_POST['Add'])) {
    echo "<form action='$PHP_SELF' method='post'> <input type='text' name='pet'> <input type='submit' value='Add' name='Add'> </form>";
} elseif (isset($_POST['Add'])) {
    $pet = mysql_real_escape_string($_POST['pet']);
    mysql_query("INSERT INTO `db` (pet) VALUES ('$pet')");
}

//UPDATE/EDIT EXAMPLE NOW:
//input pet name wanting to update in text field.
//if isset submit set the pet name to $petname...
$petname = mysql_real_escape_string($_POST['petname']);
$query = mysql_query("SELECT * FROM `pet` WHERE `petname` = '$petname'");
if (mysql_num_rows($query) > 0) {
    //echo out the form with the pet name placed into the text box or just leave blank and allow for edit.
    //update the table with the new information about the pet.
    mysql_query('UPDATE pet SET ... WHERE ... etc..');
    //Of course all the escape string and stuff is put in there. I know how to do a check for admin as well if you tell me what the ranks are etc. Shouldn't be too difficult but it's late now so I'm not posting it here.
} else {
    echo "Sorry that pet, user, item doesn't exist, please enter a different one.";
    echo "The form gets placed here again and the script is ran again.";
    //I hope this is right and secure enough for you as I tried to make it so.
    //Please tell me on MSN if anything needs tweaking or if you would do things a different way. Thanks.
}
?>
```

Thanks, Timecatcher.
KevinM1 Posted February 19, 2009

You should validate that the incoming data is of the right type. I can input 1234 as a pet name, and your code won't stop me. It's not a security issue, per se, but it's something you should be aware of.
timecatcher Posted February 19, 2009 (Author)

Oh hehe, I need to familiarise myself with validating, haven't tried much with that. Alright then, but other than that, security-wise nothing wrong there? Not to mention it will only be available to the admins etc., but I just wanted to make sure. Thanks for your help. Timecatcher.
milesap Posted February 19, 2009

This script is still vulnerable to XSS attacks (cross-site scripting), I believe. mysql_real_escape_string does not convert HTML and JavaScript characters, and therefore a JavaScript snippet could be added into the petname field.
timecatcher Posted February 20, 2009 (Author)

Yeah, didn't think of that. Alright, well, does anybody know how I can protect against this as well then, please? I really want to learn PHP in a way which means my scripts will be safe for the people using them; that's why I'm asking. Thanks again for your help, it's brilliant as usual. Timecatcher.
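The add/rename flow from the first post, rewritten as an added example (not code from anyone in this thread) to address both replies at once: input validation of the pet name (KevinM1's point), bound parameters instead of string-built SQL, and HTML output encoding, which is the separate step that mysql_real_escape_string does not do (milesap's point). It assumes an existing PDO connection `$pdo` and a `pet` table with a `petname` column; both are assumptions, not details from the thread.

```php
<?php
// Added example, not from the thread. Assumes $pdo (PDO connection) and
// a table `pet` with column `petname`; requires PHP 7 or later.

function validPetName(string $name): bool {
    // Letters, spaces and hyphens only, 1-40 chars: rejects "1234"
    return (bool) preg_match('/^[A-Za-z][A-Za-z \-]{0,39}$/', $name);
}

function addPet(PDO $pdo, string $name): bool {
    if (!validPetName($name)) {
        return false;
    }
    // The value is bound, never concatenated, so its content cannot alter the SQL
    $stmt = $pdo->prepare('INSERT INTO pet (petname) VALUES (:name)');
    return $stmt->execute([':name' => $name]);
}

function renamePet(PDO $pdo, string $old, string $new): int {
    if (!validPetName($old) || !validPetName($new)) {
        return 0;
    }
    $stmt = $pdo->prepare('UPDATE pet SET petname = :new WHERE petname = :old');
    $stmt->execute([':new' => $new, ':old' => $old]);
    return $stmt->rowCount();   // 0 means "that pet doesn't exist"
}

// Everything echoed back into HTML goes through htmlspecialchars. Escaping for
// SQL and escaping for HTML are two different jobs; this one stops a stored
// <script> in a pet name from running in the admin's browser.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['Add'], $_POST['pet'])) {
    $pet = (string) $_POST['pet'];
    if (addPet($pdo, $pet)) {
        echo '<p>Added ' . h($pet) . '</p>';
    } else {
        echo '<p>Sorry, that pet name is not valid, please enter a different one.</p>';
    }
}
// SCRIPT_NAME is used instead of $PHP_SELF: PHP_SELF carries user-controlled
// PATH_INFO, so echoing it unencoded into the action attribute is itself XSS.
echo '<form action="' . h($_SERVER['SCRIPT_NAME']) . '" method="post">'
   . '<input type="text" name="pet" value="' . h($_POST['pet'] ?? '') . '">'
   . '<input type="submit" name="Add" value="Add"></form>';
```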