
Newbie Script Security



#1 immersion
  • New Members
  • Newbie
  • 2 posts

Posted 14 March 2006 - 06:26 PM

Hello,
Forgive me if I am not posting this in the right way. I will try and format the code correctly and ask the right questions.

I have created a script that, upon HTML form completion, does 2 things. 1. I am using a phpformmail script to send the form results to an email address. 2. I am using code off a tutorial to insert records into a MySQL database. From a security point of view, is this a dumb way to go about achieving the 2 desired functions? Should I separate the formmail and insert record script? What is the best way to accomplish this? Any feedback would be appreciated.

I will post the script below.
```php
<?php
$username="user";
$password="pass";
$database="contact";

// Form fields are taken straight from the request; nothing validates or escapes them
$first=$_POST['first'];
$last=$_POST['last'];
$phone=$_POST['phone'];
$mobile=$_POST['mobile'];
$fax=$_POST['fax'];
$email=$_POST['email'];

mysql_connect("localhost",$username,$password) or die("Unable to connect to database");
@mysql_select_db($database) or die( "Unable to select database");

// Values are interpolated directly into the SQL string; the leading '' leaves the auto-increment id to MySQL
$query = "INSERT INTO contacts VALUES ('','$first','$last','$phone','$mobile','$fax','$email')";
mysql_query($query) or die("Insert failed");

mysql_close();
?>
```

Thanks,
Dave

#2 redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: london

Posted 14 March 2006 - 06:50 PM

could add this
```php
function valid_email($address)
{
  // check an email address is possibly valid
  // (preg_match with an escaped dot replaces the original ereg() call, which is removed in PHP 7)
  if (preg_match('/^[a-zA-Z0-9_.-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$/', $address))
    return true;
  else
    return false;
}
```



and this, for example
```php
$name = stripslashes($name);
```

on all of
```php
$first=$_POST['first'];
$last=$_POST['last'];
$phone=$_POST['phone'];
$mobile=$_POST['mobile'];
$fax=$_POST['fax'];
$email=$_POST['email'];
```




Get the user's IP, insert it into the database, then check to see if that IP is in the database; if so, don't allow sign up.
```php
$ip = $_SERVER['REMOTE_ADDR'];
```



you could also add an image with a random number so that the user has to enter that number before entering information into the database. This works only with GD2 enabled.



good luck.
Wish I knew all about PHP. Damn, I will have to learn.
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc
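Pulling together the script in post #1 and the validation suggestions above, here is an added example (not code from this thread or either poster) of the same insert done with PDO prepared statements, filter_var email validation and a fixed-recipient notification mail; the table columns, DSN, credentials and the example.com addresses are assumptions.

```php
<?php
// Added example (not from the thread): the insert and the notification rewritten so input
// is validated once and never spliced into SQL or mail headers. Assumes a table
// contacts(id AUTO_INCREMENT, first, last, phone, mobile, fax, email), a PDO DSN for the
// "contact" database, and placeholder mail addresses; adjust to your own setup.
function read_contact(array $post): array
{
    $contact = [];
    foreach (['first', 'last', 'phone', 'mobile', 'fax', 'email'] as $f) {
        // missing fields become '' instead of raising a notice; trim stray whitespace
        $contact[$f] = trim((string)($post[$f] ?? ''));
    }
    // filter_var replaces the regex and rejects CR/LF, so the address cannot carry extra mail headers
    if (filter_var($contact['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    return $contact;
}

function insert_contact(PDO $db, array $contact): int
{
    // placeholders: values travel separately from the statement text, so quotes or
    // SQL fragments in a field cannot change the query (no stripslashes needed)
    $stmt = $db->prepare('INSERT INTO contacts (first, last, phone, mobile, fax, email)
                          VALUES (:first, :last, :phone, :mobile, :fax, :email)');
    $stmt->execute($contact);
    return (int) $db->lastInsertId();
}

function notify_admin(int $id, array $contact): bool
{
    // recipient and From are fixed; user data appears only in the body
    $body = "New contact #$id\n";
    foreach ($contact as $k => $v) { $body .= "$k: $v\n"; }
    return mail('admin@example.com', 'New contact form submission', $body,
                "From: noreply@example.com\r\n");
}
try {
    $db = new PDO('mysql:host=localhost;dbname=contact;charset=utf8mb4', 'user', 'pass',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    $contact = read_contact($_POST);
    $id = insert_contact($db, $contact);   // store first, then notify with the same data
    notify_admin($id, $contact);
} catch (InvalidArgumentException $e) {
    http_response_code(400); echo 'Invalid input.';
} catch (PDOException $e) {
    error_log($e->getMessage());           // details stay in the server log, not the page
    http_response_code(500); echo 'Could not save your details.';
}
```

Keeping the insert and the mail step in one page is fine as long as both consume the same validated array and the mail step never lets form values reach the recipient or header fields.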

#3 immersion
  • New Members
  • Newbie
  • 2 posts

Posted 14 March 2006 - 10:35 PM

redarrow,
Thanks for the code hints. Beyond what you are suggesting, is it safe to have the insert record script and the formmail script in the same page?

Thanks again,
Dave
