Jump to content

is my code secure?

Genesis730

By Genesis730
in PHP Coding Help

Recommended Posts

Genesis730 Member

Genesis730

Posted
Posted

Before I put this live and online, I just wanna know how secure this is and if someone could possibly hack the database. Any suggestions or mods to my code would be most helpful =]

Here it is...

 

Page 1 (Contact.php)

<?PHP
if($_POST['submit']) {

//COLLECT DATA
$studentName = mysql_real_escape_string($_POST['student_name']);
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$primary = mysql_real_escape_string($_POST['primary']);
$secondary = mysql_real_escape_string($_POST['secondary']);
$address = mysql_real_escape_string($_POST['address']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
$zip = mysql_real_escape_string($_POST['zip']);
$emailaddress = mysql_real_escape_string($_POST['emailaddress']);

$questions = mysql_real_escape_string($_POST['questions']);

$diagnostic = isset($_POST['diagnostic'])? 'Yes' : 'No';
$virus = isset($_POST['virus'])? 'Yes' : 'No';
$optimize = isset($_POST['optimize'])? 'Yes' : 'No';
$repair = isset($_POST['repair'])? 'Yes' : 'No';
$setup = isset($_POST['setup'])? 'Yes' : 'No';
$os = isset($_POST['os'])? 'Yes' : 'No';
$backup = isset($_POST['backup'])? 'Yes' : 'No';

//VALIDATION

$error = '';

if (!$firstname)
    $error = $error."<b>First Name</b><br />";
if (!$lastname)
    $error = $error."<b>Last Name</b><br />";
if (!$emailaddress)
    $error = $error."<b>Email Address</b><br />";
if (!$primary)
    $error = $error."<b>Primary Phone Number</b><br />";

if ($error!="")
{
echo "<span id='red'><font size='2'>Please fill out the following required fields:</font><br />$error</span>";
}
  else
  {
//SUBMIT DATA
mysql_query("INSERT INTO contact VALUES(`id`,'". $firstname ."','". $lastname ."','". $primary ."','". $secondary ."','". $address ."','". $city ."','". $state ."','". $zip ."','". $emailaddress ."','". $diagnostic ."','". $virus ."','". $optimize ."','". $repair ."','". $setup ."','". $os ."','". $backup ."','". $questions ."')") or die(mysql_error());
//REDIRECT
header('Location: thankyou.html');
  }
  
}
?>


<br />
<font size="5" face="Georgia, Times New Roman, Times, serif"><div align="center">Service Request Form</div></font>
<hr width="90%" /><br />

<form method="POST" action="contact.php">
<table cellspacing="0" cellpadding="0" border="0" align="center" width="80%">
  <tr>
    <td align="center">First Name<font color="#FF0000"><sup>*</sup></font><br />
    <input name="firstname" maxlength="20" value="<?PHP echo $_POST['firstname']; ?>" />
    </td>
    <td align="center">Last Name<font color="#FF0000"><sup>*</sup></font><br />
    <input name="lastname" maxlength="20" value="<?PHP echo $_POST['lastname']; ?>" />
    </td>
  </tr>
  <tr>
    <td colspan="2"> </td>
  </tr>
  <tr>
    <td align="center">Primary Phone<font color="#FF0000"><sup>*</sup></font><br />
    <input name="primary" maxlength="15" value="<?PHP echo $_POST['primary']; ?>" />
    </td>
    <td align="center">Secondary Phone<br />
    <input name="secondary" maxlength="15" value="<?PHP echo $_POST['secondry']; ?>" />
    </td>
  </tr>
  <tr>
    <td colspan="2"> </td>
  </tr>
  <tr>
    <td align="center">Address<br />
    <input name="address" maxlength="35" value="<?PHP echo $_POST['address']; ?>" />
    </td>
    <td align="center">City<br />
      <input name="city" maxlength="15" value="<?PHP echo $_POST['city']; ?>" />
    </td>
  </tr>
  <tr>
    <td colspan="2"> </td>
  </tr>
  <tr>
     <td align="center">State<br />
       <input name="state" value="Arizona" disabled="disabled" align="middle" />
     </td>
     <td align="center">ZIP<br />
       <input name="zip" maxlength="5" value="<?PHP echo $_POST['zip']; ?>" />
    </td>
  </tr>
  <tr>
    <td colspan="2"> </td>
  </tr>
  <tr>
    <td align="center" colspan="2">E-Mail Address<font color="#FF0000"><sup>*</sup></font><br />
    <input name="emailaddress" size="50%" value="<?PHP echo $_POST['emailaddress']; ?>" />
    </td>
  </tr>
  <tr>
    <td colspan="2"> </td>
  </tr>
</table>
<font size="2" color="#FF0000"><sup>*</sup></font> - Required</font><br /><hr width="75%" /><br />
<div align="center"><font face="Georgia, Times New Roman, Times, serif" size="5">Select Service(s)</font></div>
<br /><br />
<table cellspacing="0" cellpadding="0" border="0" width="80%" align="right">
  <tr>
    <td colspan="2" align="left"><img src="http://repairwithcare.netai.net/images/trans.png" width="25%" height="1px" /><input type="checkbox" name="diagnostic" value="diagnostic"<?php if (isset($_POST['diagnostic'])) echo ' checked="checked"'; ?> />   FREE Diagnostic
    </td>
  </tr>
  <tr>
    <td><br /></td><td><br /></td>
  </tr>
  <tr>
    <td align="left" width="50%"><input type="checkbox" name="virus" value="virus"<?php if (isset($_POST['virus'])) echo ' checked="checked"'; ?> />   Spyware Removal</td>
    <td align="left"><input type="checkbox" name="optimize" value="optimize"<?php if (isset($_POST['optimize'])) echo ' checked="checked"'; ?> />   Optimize</td>
  </tr>
  <tr>
    <td><br /></td><td><br /></td>
  </tr>
  <tr>
    <td align="left" width="50%"><input type="checkbox" name="repair" value="repair"<?php if (isset($_POST['repair'])) echo ' checked="checked"'; ?> />   Repair Parts</td>
    <td align="left"><input type="checkbox" name="setup" value="setup"<?php if (isset($_POST['setup'])) echo ' checked="checked"'; ?> />   PC Setup</td>
  </tr>
  <tr>
    <td><br /></td><td><br /></td>
  </tr>
  <tr>
    <td align="left" width="50%"><input type="checkbox" name="os" value="os"<?php if (isset($_POST['os'])) echo ' checked="checked"'; ?> />   Install Windows</td>
    <td align="left"><input type="checkbox" name="backup" value="backup"<?php if (isset($_POST['backup'])) echo ' checked="checked"'; ?> />   Data Backup/Transfer</td>
  </tr>
</table>

<br /><br /><br /><br /><br /><br /><br /><br />

<br /><hr width="75%" /><br />
<font face="Georgia, Times New Roman, Times, serif" size="5">Ask Questions<br /><font size="1">OR</font><br />Describe Computer Issues</font>
<br />
<textarea name="questions" rows="5" cols="40%"><?PHP echo $_POST['questions']; ?></textarea><br /><br />
<p align="center"><input type="submit" name="submit" value="Submit My Request" /></p>
</form>

 

Only thing I'm aware of is the order of the PHP, submit is the first only so the error message will appear in the proper place

 

 

Page 2 (Testimonials.php)

<?PHP
if($_POST['submit']) {

//COLLECT DATA
$date = $_POST['date'];
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$testimonial = mysql_real_escape_string($_POST['testimonial']);

//VALIDATION

$error = '';

if (!$firstname)
    $error = $error."<b>First Name</b><br />";
if (!$lastname)
    $error = $error."<b>Last Name</b><br />";
if (!$testimonial)
    $error = $error."<b>Testimonial</b><br />";

if ($error!="")
echo "<span id='red'><font size='2'>Please fill out the following required fields:</font><br />$error</span>";
  else
  {
//SUBMIT DATA
mysql_query("INSERT INTO testimonials VALUES(`id`,NOW(),'". $firstname ."','". $lastname ."','". $testimonial ."')") or die(mysql_error());

$date = null;
$firstname = null;
$lastname = null;
$testimonial = null;

  }
  
}
?>


<?PHP
   $res = mysql_query("SELECT id, DATE_FORMAT(date, '%M %D %Y') as dt, firstname, CONCAT(SUBSTR(lastname, 1, 1),'.') AS formatted_lastname, testimonial FROM testimonials ORDER BY date DESC LIMIT 10");

   while ($row = mysql_fetch_assoc($res)) {
      echo "<p align=\"right\"><i>{$row['firstname']} {$row['formatted_lastname']}<br />{$row['dt']}</i></p><br />{$row['testimonial']}<br /><br /><hr width=\"80%\" color=\"#000000\"><br />";
   }
?>
 
<br /><br /><br /><br /><br /><br />
 
<font size="5">Let us know how we're doing</font><hr width="80%" />
<form method="POST" action="testimonials.php">

<table cellspacing="0" cellpadding="0" border="0" align="center" width="75%">
  <tr>
    <td align="center">First Name<br />
    <input name="firstname" maxlength="20" value="<?PHP echo $firstname; ?>" />
    </td>
    <td align="center">Last Name<br />
    <input name="lastname" maxlength="20" value="<?PHP echo $lastname; ?>" />
    </td>
  </tr>
  <tr>
    <td align="center" colspan="2"><br /></td>
  </tr>
  <tr>
    <td align="center" colspan="2"><textarea name="testimonial" rows="5" cols="40%"><?PHP echo $testimonial; ?></textarea>
    </td>
  </tr>
</table>

<p align="center"><input type="submit" name="submit" value="Submit My Testimonial" /></p>
</form>

Same reason for the order here =]

Link to comment
https://forums.phpfreaks.com/topic/188199-is-my-code-secure/
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.