Danny620 Posted September 7, 2009

Hi, I have just coded this piece of code. Just wondered if I took all the right ways of security. I have made a hidden field called profile, and when submitted, if that does not == pass then the form will fail. This stops editing and XSS to that button. Also I have made m = 1 and f = 2, which means if they get edited in any way they also fail the test if they are not numeric. Nickname has been passed through htmlentities then mysqli_real_escape_string. Just want some experienced programmer to check over and see if it can be hackable, and to make sure if I can add any other security to the code.

```php
// $dbc (mysqli connection) and $user (the logged-in user's row) are assumed
// to be set earlier in the script.
if ($_POST['profile'] == 'PASS') {
    // Gender must be numeric (m = 1, f = 2); anything else fails the test.
    $g = false;
    if (is_numeric($_POST['gender'])) {
        $g = $_POST['gender'];
    }
    if ($g !== false) {
        $nickname = htmlentities($_POST['nickname']);
        $gender = mysqli_real_escape_string($dbc, $g);
        $nickname = mysqli_real_escape_string($dbc, $nickname);
        $q = "UPDATE test SET gender='$gender', nickname='$nickname' WHERE id='{$user['id']}'";
        $r = mysqli_query($dbc, $q);
        if (mysqli_affected_rows($dbc) == 1) { // If it ran OK.
            // Send an email, if desired.
            echo '<h3>Your Profile has been changed.</h3>';
            mysqli_close($dbc); // Close the database connection.
            $url = 'settings.php'; // Define the URL:
            ob_end_clean(); // Delete the buffer.
            header("Location: $url");
            exit(); // Quit the script.
        }
    }
}
```

Link to comment https://forums.phpfreaks.com/topic/173463-is-this-safe/
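A hardened version of the profile update discussed above, using a mysqli prepared statement and a strict whitelist for the gender value; this is an added example, not code from the original post. It assumes the same `$dbc` connection and `$user['id']` as the post, and the helper name `updateProfile` is invented here.

```php
<?php
// Added example (not from the original post): the same profile update,
// hardened with a prepared statement and a strict gender whitelist.
// Assumes $dbc (a mysqli connection) and $user['id'] exist as in the post.

function updateProfile(mysqli $dbc, int $userId, array $post): bool
{
    // Hidden-field check from the post. The field is client-controlled, so it
    // only catches accidental submissions; the real protection is below.
    if (!isset($post['profile']) || $post['profile'] !== 'PASS') {
        return false;
    }

    // Whitelist: 1 = male, 2 = female (the post's own encoding). A strict
    // comparison rejects values such as "1.0", "1e0" or " 1" that
    // is_numeric() would accept.
    $allowedGenders = ['1', '2'];
    if (!isset($post['gender']) || !in_array($post['gender'], $allowedGenders, true)) {
        return false;
    }
    $gender = (int) $post['gender'];

    // Store the nickname as submitted (length-limited) and escape it with
    // htmlspecialchars() at output time instead of before storing, so the
    // database holds the real value and each output context escapes once.
    $nickname = isset($post['nickname']) ? trim($post['nickname']) : '';
    if ($nickname === '' || strlen($nickname) > 64) {
        return false;
    }

    // Prepared statement: the values never become part of the SQL text, so
    // no real_escape_string() call is needed and quoting mistakes cannot occur.
    $stmt = $dbc->prepare('UPDATE test SET gender = ?, nickname = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('isi', $gender, $nickname, $userId);
    // affected_rows is 0 when nothing changed, the same check as in the post.
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

// Usage mirroring the post's flow (constructed; $dbc and $user assumed):
// if (updateProfile($dbc, (int) $user['id'], $_POST)) {
//     header('Location: settings.php');
//     exit();
// }
```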
bundyxc Posted September 7, 2009

Please post the HTML for the form.
TeNDoLLA Posted September 7, 2009

Looks secure, but you should use single quotes around literal array indexes, like $user['id'].