DaniWeb IT Discussion Community

MySQL forum - Protecting against sql injections (http://www.daniweb.com/forums/thread167535.html)

Borderline Jan 10th, 2009 1:49 pm
Protecting against sql injections
 
I wonder if someone can point me in the right direction for securing my site more effectively.

Having experienced problems with Google warning pages being placed on my site relating to potential malware, I've been looking into "beefing up" security, but am finding the tutorials relating to safeguarding against SQL injections confusing.

The following is a sample of code on my site - is anyone willing to explain how I can improve the security for it?

        <div id="content">
        <?php
        $user="*****";
        $host="*****";
        $password="*****";
        $database="*****";

        mysql_connect($host, $user, $password);
        mysql_select_db($database);
        ?>


<?php
if (!isset($_POST['submit'])) {
?>
<form action="" method="post">

        <table border="0" cellpadding="2" width="95%">


        <tr>
        <td>Date:</td>
        <td><input type="text" size="10" name="date"></td>
        <td><b>YYYY-MM-DD format</b></td>
        </tr>


        <tr>
        <td>Ref:</td>
        <td><input type="text" size="2" name="ref"></td>
        <td><b>&nbsp;</b></td>
        </tr>


        <tr>
        <td>Card No:</td>
        <td><input type="text" size="2" name="cardno"></td>
        <td>&nbsp;</td>
        </tr>


        <tr>
        <td>Form:</td>
        <td><input type="text" size="7" name="form"></td>
        <td>&nbsp;</td>
        </tr>


        <tr>
        <td>Horse:</td>
        <td><input type="text" size="25" name="horse"></td>
        <td>&nbsp;</td>
        </tr>


        <tr>
        <td>Weight:</td>
        <td><input type="text" size="6" name="weight"></td>
        <td>&nbsp;</td>
        </tr>


        <tr>
        <td>Jockey:</td>
        <td><input type="text" size="25" name="jockey"></td>
        <td>&nbsp;</td>
        </tr>

        <tr>
        <td>Trainer:</td>
        <td><input type="text" size="25" name="trainer"></td>
        <td>Stable name</td>
        </tr>


        <tr>
        <td>Preview:</td>
        <td><textarea name="comment" rows="7" cols="35"></textarea></td>
        <td>&nbsp;</td>
        </tr>

</table>

<input type="submit" name="submit" value="Submit!">
</form>


<?php
} else {
        $date    = $_POST['date'];
        $ref     = $_POST['ref'];
        $cardno  = $_POST['cardno'];
        $form    = $_POST['form'];
        $horse   = $_POST['horse'];
        $weight  = $_POST['weight'];
        $jockey  = $_POST['jockey'];
        $trainer = $_POST['trainer'];
        $comment = $_POST['comment'];

// Each submitted value is placed straight into the SQL string: a quote character
// typed into any field becomes part of the query text itself.
mysql_query("INSERT INTO `*****` (date, ref, cardno, form, horse, weight, jockey, trainer, comment)
VALUES ('$date', '$ref', '$cardno', '$form', '$horse', '$weight', '$jockey', '$trainer', '$comment')");

echo "Success! This overview has been added to the database!";
}
?>

Any advice would be greatly appreciated.

buddylee17 Jan 10th, 2009 4:14 pm
Re: Protecting against sql injections
 
You could start off with basic data validation. Pumping all of the fields into the db without checking even one of them? That's just asking for injection.
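
The INSERT branch from the original post, rewritten with PDO prepared statements and the field validation buddylee17 suggests. This is an added example, not the poster's code or a DaniWeb reply; the table name `overviews`, the connection details and the per-field rules (digits for ref and cardno, length caps taken from the input sizes) are assumptions.

```php
<?php
// Added example, not the original post's code. The table name `overviews`, the
// DSN and the per-field rules are assumptions; input never enters the SQL text.
function validate_overview(array $post): array {
    $errors = [];
    // Date must be a real calendar date in the YYYY-MM-DD form the form asks for.
    $d = DateTime::createFromFormat('Y-m-d', $post['date'] ?? '');
    if (!$d || $d->format('Y-m-d') !== ($post['date'] ?? '')) {
        $errors[] = 'date must be YYYY-MM-DD';
    }
    foreach (['ref', 'cardno'] as $f) {   // 2-character inputs: assume small integers
        if (!preg_match('/^\d{1,2}$/', $post[$f] ?? '')) {
            $errors[] = "$f must be 1-2 digits";
        }
    }
    // Text fields: require a value and cap the length to match each input's size.
    $maxlen = ['form' => 7, 'horse' => 25, 'weight' => 6, 'jockey' => 25, 'trainer' => 25, 'comment' => 2000];
    foreach ($maxlen as $f => $max) {
        $v = trim($post[$f] ?? '');
        if ($v === '' || strlen($v) > $max) {
            $errors[] = "$f must be 1-$max characters";
        }
    }
    return $errors;
}
function insert_overview(PDO $pdo, array $post): void {
    // Placeholders travel separately from the SQL text, so a quote or comment
    // sequence inside a field cannot change the statement's structure.
    $stmt = $pdo->prepare('INSERT INTO overviews
        (date, ref, cardno, form, horse, weight, jockey, trainer, comment)
        VALUES (:date, :ref, :cardno, :form, :horse, :weight, :jockey, :trainer, :comment)');
    $params = [];
    foreach (['date', 'ref', 'cardno', 'form', 'horse', 'weight', 'jockey', 'trainer', 'comment'] as $f) {
        $params[':' . $f] = trim($post[$f]);
    }
    $stmt->execute($params);
}

if (isset($_POST['submit'])) {
    $errors = validate_overview($_POST);
    if ($errors) {
        // Escape before echoing so rejected values cannot inject HTML either.
        echo '<p>' . htmlspecialchars(implode('; ', $errors)) . '</p>';
    } else {
        $pdo = new PDO('mysql:host=*****;dbname=*****;charset=utf8mb4', '*****', '*****',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
        insert_overview($pdo, $_POST);
        echo 'Success! This overview has been added to the database!';
    }
}
```

The mysql_* functions used in the original were removed in PHP 7, so moving to PDO or mysqli is required on current PHP in any case.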

Borderline Jan 11th, 2009 12:24 pm
Re: Protecting against sql injections
 
Perhaps you could suggest a suitable tutorial for a newcomer to the language?

Borderline Jan 11th, 2009 3:51 pm
Re: Protecting against sql injections
 
Marked as solved: was assisted via other forums.
