Farmgirl Posted September 23, 2009
I've just finished a little project which I started in order to help me understand PHP & MySQL better. It's been a steep learning curve, but I feel now that I have grasped the basics. So with this in mind, please feel free to comment on my efforts. T.P.Org.Uk - Tractor Pulling Database
Adam Posted September 24, 2009
Do you mean to critique the functionality (better suited to the BETA test forums) or the look of it?
JonnoTheDev Posted September 24, 2009
Be sure to sanitize the input to any form before using it in code. Put the following into your search field and see what happens (won't do any damage):

// put this into your search box
<script language="javascript">alert('xss attack');</script>
Farmgirl Posted September 24, 2009 (Author)
Quoting JonnoTheDev: Be sure to sanitize the input to any form before using it in code. Put the following into your search field and see what happens (won't do any damage):
// put this into your search box
<script language="javascript">alert('xss attack');</script>

Thanks for your input Neil, but how do I 'sanitize' the input? It's not an area I am familiar with. If you could point me in the right direction, I would be most grateful.
JonnoTheDev Posted September 24, 2009
Data from a form post or URL parameters is held in the $_POST or $_GET array (in the case of a form, decided by the form method, e.g. <form method="post">). You should clean this data prior to placing it in any function or database query. Some simple functions:

<?php
// data from the form is in the post array (default to '' if the field is missing)
$searchString = isset($_POST['searchterm']) ? $_POST['searchterm'] : '';
// check that the value is not blank
if (strlen(trim($searchString))) {
    // remove any injected html
    $searchString = strip_tags(trim($searchString));
    // perform the search query and escape the variable
    // (mysql_real_escape_string needs an open mysql_connect() link)
    $result = mysql_query("SELECT * FROM tablename WHERE x LIKE '" . mysql_real_escape_string($searchString) . "%'");
    // count rows on the result resource, not on the search string,
    // and escape the term again when echoing it back into the page
    print "Your search for: " . htmlspecialchars($searchString) . " returned " . mysql_num_rows($result) . " results";
} else {
    print "Please enter a valid search term";
}
?>
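The XSS test earlier in the thread and the sanitizing advice in this post are really two separate problems, and the example below (added here, not code from the thread or from the T.P.Org.Uk site) keeps them apart: SQL injection is stopped by binding the search term as a query parameter instead of splicing it into the SQL text, and XSS is stopped by escaping at output time with htmlspecialchars, so strip_tags on input is not needed at all. To run stand-alone it uses an in-memory SQLite database through PDO with a few constructed rows; against MySQL only the DSN in open_demo_db() changes. The table and column names (pullers, name, tractor) and the field name searchterm are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Two concerns, handled separately:
// SQL injection (parameter binding) and XSS (output escaping).
// Runs stand-alone on SQLite in memory; table/column names are assumptions.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE pullers (name TEXT, tractor TEXT)');
    $ins = $db->prepare('INSERT INTO pullers VALUES (?, ?)');
    // Constructed sample data.
    foreach ([['Mary', 'Ford 7000'], ['Matt', 'John Deere 4020'], ['Steve', 'Case 1370']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

function validate_search_term(?string $raw): ?string
{
    // Blank or over-long input is rejected before it reaches a query.
    $term = trim((string) $raw);
    return ($term === '' || strlen($term) > 50) ? null : $term;
}

// The pattern from the original post: the term is spliced into the SQL text.
function search_unsafe(PDO $db, string $term): array
{
    $sql = "SELECT name, tractor FROM pullers WHERE name LIKE '" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the term is bound, so quotes in it cannot alter the statement.
// '%' and '_' are LIKE wildcards, so they are escaped with '!' as well;
// otherwise a search for "%" alone would match every row.
function search_safe(PDO $db, string $term): array
{
    $pattern = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
    $stmt = $db->prepare(
        "SELECT name, tractor FROM pullers WHERE name LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function esc(string $s): string
{
    // Output escaping: this, not strip_tags on input, is what stops the
    // <script> test payload from running in the results page.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_results(string $term, array $rows): string
{
    $html = '<p>Your search for: ' . esc($term) . ' returned ' . count($rows) . " results</p>\n";
    foreach ($rows as $row) {
        $html .= '<p>' . esc($row['name']) . ' (' . esc($row['tractor']) . ")</p>\n";
    }
    return $html;
}

$db = open_demo_db();

// Injection payload: closes the quoted literal and appends an always-true condition.
$payload = "nothing' OR 1=1 OR name LIKE '";
printf("unsafe: %d rows\n", count(search_unsafe($db, $payload)));
printf("safe:   %d rows\n", count(search_safe($db, $payload)));

// A normal search, then the XSS payload from earlier in the thread as the term.
$term = validate_search_term('Ma');
print render_results($term, search_safe($db, $term));
$term = validate_search_term("<script>alert('xss attack');</script>");
print render_results($term, search_safe($db, $term));
```

With the injection payload the unsafe query's WHERE clause becomes `name LIKE 'nothing' OR 1=1 OR name LIKE '%'` and returns every row, while the bound version treats the whole payload as a literal and returns none. The script payload reaches the page as `&lt;script&gt;...`, so the browser renders it as text; the same esc() call must be applied to every value printed into HTML, including ones read back from the database, since data stored earlier is no safer than data arriving now. On a real form, validate_search_term($_POST['searchterm'] ?? null) is the entry point.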
Farmgirl Posted September 24, 2009 (Author)
Thanks for that! I'll try it out. Cheers
Farmgirl Posted October 4, 2009 (Author)
Well, I think I've FIXED the problems... at least I HOPE I have!