Security, escape string and moving my connection details to adjacent folder!

[wright67uk]

I think ive finished the piece of code below, after using escape string for the first time.

Ive also put my connection details in a different folder on my hosting account root (worried that this would of been displayed in the event of a parsing eror), is there anything else I can do to make my site secure?

 

<?php 
include('func.php');
include($_SERVER['DOCUMENT_ROOT'].'/include/db.php');
?>
<!--$INC_DIR = $_SERVER["DOCUMENT_ROOT"]. "/include/";-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Chained Select Boxes using PHP, MySQL and jQuery</title>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js"></script>

<script type="text/javascript">
$(document).ready(function() {
$('#wait_1').hide();
$('#drop_1').change(function(){
  $('#wait_1').show();
  $('#result_1').hide();
      $.get("func.php", {
	func: "drop_1",
	drop_var: $('#drop_1').val()
      }, function(response){
        $('#result_1').fadeOut();
        setTimeout("finishAjax('result_1', '"+escape(response)+"')", 400);
      });
    	return false;
});
});

function finishAjax(id, response) {
  $('#wait_1').hide();
  $('#'+id).html(unescape(response));
  $('#'+id).fadeIn();
}
</script>
</head>
<body>
<p>
<form action="" method="post">
Name: 		<input type="text" name="Name" /><br />
Phone:	                <input type="text" name="Phone" /><br />
Email: 		<input type="text" name="Email" /><br />
Postcode: 	<input type="text" name="Postcode" /><br />
Web Address: <input type="text" name="Website" /><br /><br />
<select name="drop_1" id="drop_1"> 
<option value="" selected="selected" disabled="disabled">Select a Category</option>  
<?php getTierOne(); ?>
</select> 
<span id="wait_1" style="display: none;">
<img alt="Please Wait" src="ajax-loader.gif"/>
</span>
<span id="result_1" style="display: none;"></span> <br />

</form>
</p>
<p>
<?php if(isset($_POST['submit'])){
$drop = mysql_real_escape_string($_POST['drop_1']);
$tier_two = mysql_real_escape_string($_POST['Subtype']);
echo "You selected ";
echo $drop." & ".$tier_two;
}
$Name = mysql_real_escape_string($_POST["Name"]);
$Phone = mysql_real_escape_string($_POST["Phone"]);
$Email = mysql_real_escape_string($_POST["Email"]);
$Postcode = mysql_real_escape_string($_POST["Postcode"]);
$Website = mysql_real_escape_string($_POST["Website"]);
echo "<br>";
echo $Name;
echo "<br>";
echo $Website; 
$query = ("INSERT INTO business (`id`, `Name`,  `Type`, `Subtype`, `Phone`, `Email`, `Postcode`, `Web Address`)
		  VALUES ('NULL', '$Name', '$drop', '$tier_two' , '$Phone', '$Email', '$Postcode', '$Website')");
mysql_query($query) or die ( "<br>Query: $query<br>Error: " .mysql_error());
?>
</body>
</html>

[wright67uk]

I was also thinking about the best way to stop blank submits in my form, any good websites you can recommend to learn how to do this step by step would be great! Thankyou.

[lastkarrde]

You can check if fields are empty easily:

 

//after  the mysql_real_escape_string lines

if($Name == '' || $Phone == '' || $Email == '' || $Postcode == '' || $Website == '')
{
//left a field blank
}

[harristweed]

or use javascript:

http://docs.jquery.com/Plugins/validation

[lastkarrde]

or use javascript:

http://docs.jquery.com/Plugins/validation

 

That doesn't guarantee the forms aren't empty. For example if the user had javascript disabled or the form was submitted by a bot, client validation does not work.