liamloveslearning Posted December 15, 2009 (https://forums.phpfreaks.com/topic/185296-insert-into/)

Hi everybody, I'm trying to create a subscribe form where users can input their name and email to the database. I need to ensure everything's safe. So far I have this. I need to validate my email but I'm unsure: would I put the validation script on the page containing the form, or should it go on this page with the insert script? I'm new to this and I already feel like smashing up my computer, so any advice is greatly appreciated. I've been reading w3schools and php.net but I can't seem to take anything in..

```php
<?php
$con = mysql_connect("localhost", "mydb", "mypassword");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("news", $con);

// Escape each posted value before it is interpolated into the query string
$sql = sprintf("INSERT INTO users (name, email) VALUES ('%s','%s')",
    mysql_real_escape_string($_POST['name']),
    mysql_real_escape_string($_POST['email']));

if (!mysql_query($sql, $con)) {
    die('Error: ' . mysql_error());
}
mysql_close($con);
?>
```
teamatomic Posted December 15, 2009

Well, if you want to be average about security just use JS on the form page and let it go at that. If you are a real security nut type person then do both.
liamloveslearning (Author) Posted December 15, 2009

I did have a JavaScript validation on my form but I was told it wouldn't be good enough. It's not going to be a huge site or anything, just something local. Would you recommend just going with JavaScript as a solution then?
teamatomic Posted December 16, 2009

I guess it depends on how you want to handle security. Just JS would be OK I guess if you don't sell anything or have anything of value to access. If you routinely piss people off in a forum you run on your site then you might also want to think about server side evaluation. Either way you should clean up anything passed when it hits the server with stripslashes and htmlspecialchars.

HTH
Teamatomic
liamloveslearning (Author) Posted December 16, 2009

Thanks teamatomic, I'll have a good read on stripslashes and htmlspecialchars today.
liamloveslearning (Author) Posted December 16, 2009

This is my final code. I think everything is secure as it encompasses the mysql escape string as well as sprintf, amongst other snippets of code mentioned on this post. Could anybody verify it's secure just by looking? Thanks for all your help guys.

```php
<?php require_once('../Connections/hold.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
    // Escapes a value and quotes it according to its declared column type
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        if (PHP_VERSION < 6) {
            // Undo magic_quotes before escaping, so values are not escaped twice
            $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        }

        $theValue = function_exists("mysql_real_escape_string")
            ? mysql_real_escape_string($theValue)
            : mysql_escape_string($theValue);

        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
    $insertSQL = sprintf("INSERT INTO users (personID, email) VALUES (%s, %s)",
        GetSQLValueString($_POST['personID'], "int"),
        GetSQLValueString($_POST['email'], "text"));

    mysql_select_db($database_hold, $hold);
    $Result1 = mysql_query($insertSQL, $hold) or die(mysql_error());

    // Redirect after the insert, carrying the original query string along
    $insertGoTo = "insert.php";
    if (isset($_SERVER['QUERY_STRING'])) {
        $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
        $insertGoTo .= $_SERVER['QUERY_STRING'];
    }
    header(sprintf("Location: %s", $insertGoTo));
}
?>
```
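Server-side validation of the posted values plus a parameterized insert, as an added example that is not code from this thread: it answers the first post's question (the check belongs on the server, where the insert happens) and swaps the thread's mysql_real_escape_string approach for PDO prepared statements. It assumes the `news` database and `users(name, email)` table from the first post; the credentials and the `thanks.php` redirect target are placeholders.

```php
<?php
// Added example, not the poster's code. Assumes the `news` database and the
// users(name, email) table from the first post; credentials are placeholders.

// Validate on the server: JavaScript on the form page can be bypassed by
// posting the request directly, so this check is the one that counts.
function validateSubscriber(array $post): array
{
    $errors = [];
    $name  = trim((string) ($post['name'] ?? ''));
    $email = trim((string) ($post['email'] ?? ''));

    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Name must be between 1 and 100 characters.';
    }
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    return ['name' => $name, 'email' => $email, 'errors' => $errors];
}

// Bound parameters travel separately from the SQL text, so no escaping
// (mysql_real_escape_string, stripslashes) is needed for the query.
// htmlspecialchars() is for output to HTML, not for storage.
function insertSubscriber(PDO $db, string $name, string $email): bool
{
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    return $stmt->execute([':name' => $name, ':email' => $email]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $data = validateSubscriber($_POST);
    if ($data['errors'] !== []) {
        foreach ($data['errors'] as $e) {          // escape when echoing back
            echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
        }
        exit;
    }
    $db = new PDO('mysql:host=localhost;dbname=news;charset=utf8mb4',
        'mydb', 'mypassword', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares
        ]);
    insertSubscriber($db, $data['name'], $data['email']);
    header('Location: thanks.php');                // assumed redirect target
    exit;
}
```

With ERRMODE_EXCEPTION a failed insert throws instead of echoing `mysql_error()` to the visitor, so database details stay in the server log rather than on the page.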