
immersion

Newbie Script Security


Hello,
Forgive me if I am not posting this in the right way. I will try to format the code correctly and ask the right questions.

I have created a script that, upon HTML form completion, does two things. 1. I am using a phpformmail script to send the form results to an email address. 2. I am using code from a tutorial to insert records into a MySQL database. From a security point of view, is this a dumb way to go about achieving the two desired functions? Should I separate the formmail and insert record scripts? What is the best way to accomplish this? Any feedback would be appreciated.

I will post the script below.
[code]<?php
$username="user";
$password="pass";
$database="contact";

$first=$_POST['first'];
$last=$_POST['last'];
$phone=$_POST['phone'];
$mobile=$_POST['mobile'];
$fax=$_POST['fax'];
$email=$_POST['email'];

mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$query = "INSERT INTO contacts VALUES ('','$first','$last','$phone','$mobile','$fax','$email')";
mysql_query($query);

mysql_close();
?>[/code]

Thanks,
Dave
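The insert above splices raw `$_POST` values straight into the SQL string, so a single quote in any field changes the query. As an added example (not the original poster's code or the formmail script), here is the same insert written with mysqli prepared statements and input validation; the column names `first`, `last`, `phone`, `mobile`, `fax`, `email` on the `contacts` table and the database credentials are assumptions, and the mail step is left as a separate call after the insert succeeds.

```php
<?php
// Added example, not the original post's code: the contacts insert done with
// mysqli prepared statements, so form values travel as bound parameters and
// are never concatenated into the SQL text. Column names and the DB
// credentials below are assumptions / placeholders.
declare(strict_types=1);

const DB_HOST = 'localhost';
const DB_USER = 'user';      // placeholder
const DB_PASS = 'pass';      // placeholder
const DB_NAME = 'contact';

/** Pull only the expected fields from the POST body and validate them. */
function read_contact_fields(array $post): array
{
    $fields = ['first', 'last', 'phone', 'mobile', 'fax', 'email'];
    $out = [];
    foreach ($fields as $f) {
        $v = isset($post[$f]) && is_string($post[$f]) ? trim($post[$f]) : '';
        if (strlen($v) > 100) {
            throw new InvalidArgumentException("$f is too long");
        }
        $out[$f] = $v;
    }
    if ($out['first'] === '' || $out['last'] === '') {
        throw new InvalidArgumentException('first and last name are required');
    }
    if (filter_var($out['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    // Phone-type fields: digits, spaces and a few separators only.
    foreach (['phone', 'mobile', 'fax'] as $f) {
        if ($out[$f] !== '' && !preg_match('/^[0-9 +().-]{3,30}$/', $out[$f])) {
            throw new InvalidArgumentException("$f has unexpected characters");
        }
    }
    return $out;
}

/** Insert one validated contact row; returns the new auto-increment id. */
function insert_contact(mysqli $db, array $c): int
{
    $sql = 'INSERT INTO contacts (first, last, phone, mobile, fax, email)
            VALUES (?, ?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('ssssss', $c['first'], $c['last'], $c['phone'],
                      $c['mobile'], $c['fax'], $c['email']);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

if (PHP_SAPI !== 'cli') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
    try {
        $contact = read_contact_fields($_POST);
        $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
        $db->set_charset('utf8mb4');
        $newId = insert_contact($db, $contact);
        $db->close();
        // The formmail step can follow here, using the validated $contact
        // array, so a failed insert is reported once and nothing is mailed.
        echo 'Saved contact #' . $newId;
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid input: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (mysqli_sql_exception $e) {
        http_response_code(500);
        error_log('contact insert failed: ' . $e->getMessage());
        echo 'Could not save your details, please try again later.';
    }
}
```

Keeping the validated array as the single source for both the database row and the email means the two functions can live in one file without one of them seeing different data than the other; what matters is that the SQL is parameterised and that user input is validated before either step runs.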

could add this
[code]
function valid_email($address)
{
  // Check that an email address is plausibly valid: local part, "@", a
  // domain label, a literal dot (escaped; an unescaped "." matches any
  // character), then the rest of the domain.
  return (bool) preg_match('/^[a-zA-Z0-9_.-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$/', $address);
}
[/code]



and this, for example:
[code]
$name = stripslashes($name);
[/code]

on all of:
[code]
$first=$_POST['first'];
$last=$_POST['last'];
$phone=$_POST['phone'];
$mobile=$_POST['mobile'];
$fax=$_POST['fax'];
$email=$_POST['email'];
[/code]



Get the user's IP, insert it into the database, then check to see if that IP is already in the database; if so, don't allow sign-up.
[code]
$ip = $_SERVER['REMOTE_ADDR'];
[/code]


You could also add an image with a random number so that the user has to enter that number before entering information into the database. This works only with GD2 enabled.



good luck.
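The "have we already seen this IP" check suggested above, as an added example that is not redarrow's code: the address is validated before use and the lookup is a prepared `SELECT`, so the stored value can never alter the query. It assumes the `contacts` table has an `ip` column wide enough for IPv6 (VARCHAR(45)); that column is an assumption. Note that `REMOTE_ADDR` is filled in by the web server, not by the browser, which is why it is used rather than a forwarding header, and that many users can share one address behind a NAT or proxy, so this is a rate limit on repeat submissions rather than a way to identify a person.

```php
<?php
// Added example, not redarrow's code: duplicate-IP check with a prepared
// statement. The `ip` column on `contacts` and the credentials are
// assumptions / placeholders.
declare(strict_types=1);

/** Client address, validated so a malformed value never reaches the query. */
function client_ip(array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    // REMOTE_ADDR is set by the web server from the TCP connection; headers
    // such as X-Forwarded-For are client-supplied and are not used here.
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '';
}

/** True if a contacts row with this IP already exists. */
function ip_already_signed_up(mysqli $db, string $ip): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM contacts WHERE ip = ?');
    $stmt->bind_param('s', $ip);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count > 0;
}

if (PHP_SAPI !== 'cli') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'user', 'pass', 'contact'); // placeholders
    $ip = client_ip($_SERVER);
    if ($ip === '' || ip_already_signed_up($db, $ip)) {
        http_response_code(429);
        exit('A sign-up from this address has already been recorded.');
    }
    // Otherwise continue with field validation and the insert, storing $ip
    // in the `ip` column alongside the contact details.
}
```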

redarrow,
Thanks for the code hints. Beyond what you are suggesting, is it safe to have the insert record script and the formmail script in the same page?

Thanks again,
Dave
