DaniWeb IT Discussion Community - View Single Post - Protecting against sql injections

Protecting against sql injections

Jan 10th, 2009

I wonder if someone can point me in the right direction for securing my site more effectively.

Having experienced problems with Google warning pages being placed on my site relating to potential malware, I've been looking into "beefing up" security, but am find the tutorials relating to safeguarding against sql injections confusing.

The following is a sample of code on my site - is anyone willing to explain how I can improve the security for it?

 Help with Code Tags 
 MySQL Syntax (Toggle Plain Text) 
	<div id="content">
		<?php
	      $user="*****";
	      $host="*****";
	      $password="*****";
	      $database="*****";
 
	mysql_connect($host, $user, $password);
	mysql_select_db($database);
	?>
 
 
<?php
if (!isset($_POST['submit'])) {
?>
<form action="" method="post">
 
	<table border="0" cellpadding="2" width="95%">
 
 
	<tr>
        <td>Date:</td>
        <td><input type="text" size="10" name="date"></td>
        <td><b>YYYY-MM-DD format</td></b>
	</tr>
 
 
	<tr>
        <td>Ref:</td>
        <td><input type="text" size="2" name="ref"></td>
        <td><b>&nbsp;</td></b>
	</tr>
 
 
	<tr>
        <td>Card No:</td>
        <td><input type="text" size="2" name="cardno"></td>
        <td>&nbsp;</td>
	</tr>
 
 
	<tr>
        <td>Form:</td>
        <td><input type="text" size="7" name="form"></td>
        <td>&nbsp;</td>
	</tr>
 
 
	<tr>
        <td>Horse:</td>
        <td><input type="text" size="25" name="horse"></td>
        <td>&nbsp;</td>
	</tr>
 
 
	<tr>
        <td>Weight:</td>
        <td><input type="text" size="6" name="weight"></td>
        <td>&nbsp;</td>
	</tr>
 
 
	<tr>
        <td>Jockey:</td>
        <td><input type="text" size="25" name="jockey"></td>
        <td>&nbsp;</td>
	</tr>
 
	<tr>
        <td>Trainer:</td>
        <td><input type="text" size="25" name="trainer"></td>
        <td>Stable name</td>
	</tr>
 
 
	<tr>
        <td>Preview:</td>
        <td><textarea name="comment" rows="7" cols="35"></textarea></td>
        <td>&nbsp;</td>
	</tr>
 
</table>
 
<input type="submit" name="submit" value="Submit!">
</form>
 
 
<?php
} ELSE {
	$date		= 	$_POST['date'];
	$ref		= 	$_POST['ref'];
	$cardno		= 	$_POST['cardno'];
	$form		= 	$_POST['form'];
	$horse		= 	$_POST['horse'];
	$weight		= 	$_POST['weight'];
	$jockey		= 	$_POST['jockey'];
	$trainer	= 	$_POST['trainer'];
	$comment	= 	$_POST['comment'];
 
mysql_query("INSERT INTO `*****` (date, ref, cardno, form, horse, weight, jockey, trainer, comment)
VALUES ('$date', '$ref', '$cardno', '$form', '$horse', '$weight', '$jockey', '$trainer', '$comment')");
 
echo 
 
"Success! This overview has been added to the database!";
}
?>
	<div id="content">
		<?php
	      $user="*****";
	      $host="*****";
	      $password="*****";
	      $database="*****";
	
	mysql_connect($host, $user, $password);
	mysql_select_db($database);
	?>


<?php
if (!isset($_POST['submit'])) {
?>
<form action="" method="post">

	<table border="0" cellpadding="2" width="95%">


	<tr>
        <td>Date:</td>
        <td><input type="text" size="10" name="date"></td>
        <td><b>YYYY-MM-DD format</td></b>
	</tr>


	<tr>
        <td>Ref:</td>
        <td><input type="text" size="2" name="ref"></td>
        <td><b>&nbsp;</td></b>
	</tr>


	<tr>
        <td>Card No:</td>
        <td><input type="text" size="2" name="cardno"></td>
        <td>&nbsp;</td>
	</tr>


	<tr>
        <td>Form:</td>
        <td><input type="text" size="7" name="form"></td>
        <td>&nbsp;</td>
	</tr>


	<tr>
        <td>Horse:</td>
        <td><input type="text" size="25" name="horse"></td>
        <td>&nbsp;</td>
	</tr>


	<tr>
        <td>Weight:</td>
        <td><input type="text" size="6" name="weight"></td>
        <td>&nbsp;</td>
	</tr>


	<tr>
        <td>Jockey:</td>
        <td><input type="text" size="25" name="jockey"></td>
        <td>&nbsp;</td>
	</tr>

	<tr>
        <td>Trainer:</td>
        <td><input type="text" size="25" name="trainer"></td>
        <td>Stable name</td>
	</tr>


	<tr>
        <td>Preview:</td>
        <td><textarea name="comment" rows="7" cols="35"></textarea></td>
        <td>&nbsp;</td>
	</tr>

</table>

<input type="submit" name="submit" value="Submit!">
</form>


<?php
} else {
	$date		= 	$_POST['date'];
	$ref		= 	$_POST['ref'];
	$cardno		= 	$_POST['cardno'];
	$form		= 	$_POST['form'];
	$horse		= 	$_POST['horse'];
	$weight		= 	$_POST['weight'];
	$jockey		= 	$_POST['jockey'];
	$trainer	= 	$_POST['trainer'];
	$comment	= 	$_POST['comment'];

mysql_query("INSERT INTO `*****` (date, ref, cardno, form, horse, weight, jockey, trainer, comment)
VALUES ('$date', '$ref', '$cardno', '$form', '$horse', '$weight', '$jockey', '$trainer', '$comment')");

echo 

"Success! This overview has been added to the database!";
}
?>

Any advice would be greatly appreciated.