Jump to content

is my code secure?

Genesis730

By Genesis730
in PHP Coding Help

 Share

Recommended Posts

Genesis730 Member

Genesis730

Posted
Posted

Before I put this live and online, I just wanna know how secure this is and if someone could possibly hack the database. Any suggestions or mods to my code would be most helpful =]

Here it is...

 

Page 1 (Contact.php)

<?PHP
if($_POST['submit']) {

//COLLECT DATA
$studentName = mysql_real_escape_string($_POST['student_name']);
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$primary = mysql_real_escape_string($_POST['primary']);
$secondary = mysql_real_escape_string($_POST['secondary']);
$address = mysql_real_escape_string($_POST['address']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
$zip = mysql_real_escape_string($_POST['zip']);
$emailaddress = mysql_real_escape_string($_POST['emailaddress']);

$questions = mysql_real_escape_string($_POST['questions']);

$diagnostic = isset($_POST['diagnostic'])? 'Yes' : 'No';
$virus = isset($_POST['virus'])? 'Yes' : 'No';
$optimize = isset($_POST['optimize'])? 'Yes' : 'No';
$repair = isset($_POST['repair'])? 'Yes' : 'No';
$setup = isset($_POST['setup'])? 'Yes' : 'No';
$os = isset($_POST['os'])? 'Yes' : 'No';
$backup = isset($_POST['backup'])? 'Yes' : 'No';

//VALIDATION

$error = '';

if (!$firstname)
    $error = $error."<b>First Name</b><br />";
if (!$lastname)
    $error = $error."<b>Last Name</b><br />";
if (!$emailaddress)
    $error = $error."<b>Email Address</b><br />";
if (!$primary)
    $error = $error."<b>Primary Phone Number</b><br />";

if ($error!="")
{
echo "<span id='red'><font size='2'>Please fill out the following required fields:</font><br />$error</span>";
}
  else
  {
//SUBMIT DATA
mysql_query("INSERT INTO contact VALUES(`id`,'". $firstname ."','". $lastname ."','". $primary ."','". $secondary ."','". $address ."','". $city ."','". $state ."','". $zip ."','". $emailaddress ."','". $diagnostic ."','". $virus ."','". $optimize ."','". $repair ."','". $setup ."','". $os ."','". $backup ."','". $questions ."')") or die(mysql_error());
//REDIRECT
header('Location: thankyou.html');
  }
  
}
?>


<br />
<font size="5" face="Georgia, Times New Roman, Times, serif"><div align="center">Service Request Form</div></font>
<hr width="90%" /><br />

<form method="POST" action="contact.php">
<table cellspacing="0" cellpadding="0" border="0" align="center" width="80%">
  <tr>
    <td align="center">First Name<font color="#FF0000"><sup>*</sup></font><br />
    <input name="firstname" maxlength="20" value="<?PHP echo $_POST['firstname']; ?>" />
    </td>
    <td align="center">Last Name<font color="#FF0000"><sup>*</sup></font><br />
    <input name="lastname" maxlength="20" value="<?PHP echo $_POST['lastname']; ?>" />
    </td>
  </tr>
  <tr>
    <td colspan="2"> </td>
  </tr>
  <tr>
    <td align="center">Primary Phone<font color="#FF0000"><sup>*</sup></font><br />
    <input name="primary" maxlength="15" value="<?PHP echo $_POST['primary']; ?>" />
    </td>
    <td align="center">Secondary Phone<br />
    <input name="secondary" maxlength="15" value="<?PHP echo $_POST['secondry']; ?>" />
    </td>
  </tr>
  <tr>
    <td colspan="2"> </td>
  </tr>
  <tr>
    <td align="center">Address<br />
    <input name="address" maxlength="35" value="<?PHP echo $_POST['address']; ?>" />
    </td>
    <td align="center">City<br />
      <input name="city" maxlength="15" value="<?PHP echo $_POST['city']; ?>" />
    </td>
  </tr>
  <tr>
    <td colspan="2"> </td>
  </tr>
  <tr>
     <td align="center">State<br />
       <input name="state" value="Arizona" disabled="disabled" align="middle" />
     </td>
     <td align="center">ZIP<br />
       <input name="zip" maxlength="5" value="<?PHP echo $_POST['zip']; ?>" />
    </td>
  </tr>
  <tr>
    <td colspan="2"> </td>
  </tr>
  <tr>
    <td align="center" colspan="2">E-Mail Address<font color="#FF0000"><sup>*</sup></font><br />
    <input name="emailaddress" size="50%" value="<?PHP echo $_POST['emailaddress']; ?>" />
    </td>
  </tr>
  <tr>
    <td colspan="2"> </td>
  </tr>
</table>
<font size="2" color="#FF0000"><sup>*</sup></font> - Required</font><br /><hr width="75%" /><br />
<div align="center"><font face="Georgia, Times New Roman, Times, serif" size="5">Select Service(s)</font></div>
<br /><br />
<table cellspacing="0" cellpadding="0" border="0" width="80%" align="right">
  <tr>
    <td colspan="2" align="left"><img src="http://repairwithcare.netai.net/images/trans.png" width="25%" height="1px" /><input type="checkbox" name="diagnostic" value="diagnostic"<?php if (isset($_POST['diagnostic'])) echo ' checked="checked"'; ?> />   FREE Diagnostic
    </td>
  </tr>
  <tr>
    <td><br /></td><td><br /></td>
  </tr>
  <tr>
    <td align="left" width="50%"><input type="checkbox" name="virus" value="virus"<?php if (isset($_POST['virus'])) echo ' checked="checked"'; ?> />   Spyware Removal</td>
    <td align="left"><input type="checkbox" name="optimize" value="optimize"<?php if (isset($_POST['optimize'])) echo ' checked="checked"'; ?> />   Optimize</td>
  </tr>
  <tr>
    <td><br /></td><td><br /></td>
  </tr>
  <tr>
    <td align="left" width="50%"><input type="checkbox" name="repair" value="repair"<?php if (isset($_POST['repair'])) echo ' checked="checked"'; ?> />   Repair Parts</td>
    <td align="left"><input type="checkbox" name="setup" value="setup"<?php if (isset($_POST['setup'])) echo ' checked="checked"'; ?> />   PC Setup</td>
  </tr>
  <tr>
    <td><br /></td><td><br /></td>
  </tr>
  <tr>
    <td align="left" width="50%"><input type="checkbox" name="os" value="os"<?php if (isset($_POST['os'])) echo ' checked="checked"'; ?> />   Install Windows</td>
    <td align="left"><input type="checkbox" name="backup" value="backup"<?php if (isset($_POST['backup'])) echo ' checked="checked"'; ?> />   Data Backup/Transfer</td>
  </tr>
</table>

<br /><br /><br /><br /><br /><br /><br /><br />

<br /><hr width="75%" /><br />
<font face="Georgia, Times New Roman, Times, serif" size="5">Ask Questions<br /><font size="1">OR</font><br />Describe Computer Issues</font>
<br />
<textarea name="questions" rows="5" cols="40%"><?PHP echo $_POST['questions']; ?></textarea><br /><br />
<p align="center"><input type="submit" name="submit" value="Submit My Request" /></p>
</form>

 

Only thing I'm aware of is the order of the PHP, submit is the first only so the error message will appear in the proper place

 

 

Page 2 (Testimonials.php)

<?PHP
if($_POST['submit']) {

//COLLECT DATA
$date = $_POST['date'];
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$testimonial = mysql_real_escape_string($_POST['testimonial']);

//VALIDATION

$error = '';

if (!$firstname)
    $error = $error."<b>First Name</b><br />";
if (!$lastname)
    $error = $error."<b>Last Name</b><br />";
if (!$testimonial)
    $error = $error."<b>Testimonial</b><br />";

if ($error!="")
echo "<span id='red'><font size='2'>Please fill out the following required fields:</font><br />$error</span>";
  else
  {
//SUBMIT DATA
mysql_query("INSERT INTO testimonials VALUES(`id`,NOW(),'". $firstname ."','". $lastname ."','". $testimonial ."')") or die(mysql_error());

$date = null;
$firstname = null;
$lastname = null;
$testimonial = null;

  }
  
}
?>


<?PHP
   $res = mysql_query("SELECT id, DATE_FORMAT(date, '%M %D %Y') as dt, firstname, CONCAT(SUBSTR(lastname, 1, 1),'.') AS formatted_lastname, testimonial FROM testimonials ORDER BY date DESC LIMIT 10");

   while ($row = mysql_fetch_assoc($res)) {
      echo "<p align=\"right\"><i>{$row['firstname']} {$row['formatted_lastname']}<br />{$row['dt']}</i></p><br />{$row['testimonial']}<br /><br /><hr width=\"80%\" color=\"#000000\"><br />";
   }
?>
 
<br /><br /><br /><br /><br /><br />
 
<font size="5">Let us know how we're doing</font><hr width="80%" />
<form method="POST" action="testimonials.php">

<table cellspacing="0" cellpadding="0" border="0" align="center" width="75%">
  <tr>
    <td align="center">First Name<br />
    <input name="firstname" maxlength="20" value="<?PHP echo $firstname; ?>" />
    </td>
    <td align="center">Last Name<br />
    <input name="lastname" maxlength="20" value="<?PHP echo $lastname; ?>" />
    </td>
  </tr>
  <tr>
    <td align="center" colspan="2"><br /></td>
  </tr>
  <tr>
    <td align="center" colspan="2"><textarea name="testimonial" rows="5" cols="40%"><?PHP echo $testimonial; ?></textarea>
    </td>
  </tr>
</table>

<p align="center"><input type="submit" name="submit" value="Submit My Testimonial" /></p>
</form>

Same reason for the order here =]

Link to comment
https://forums.phpfreaks.com/topic/188199-is-my-code-secure/
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.