Protecting against sql injections
Please support our MySQL advertiser: Programming Forums
Thread Solved
 |
I wonder if someone can point me in the right direction for securing my site more effectively.
Having experienced problems with Google warning pages being placed on my site relating to potential malware, I've been looking into "beefing up" security, but am find the tutorials relating to safeguarding against sql injections confusing.
The following is a sample of code on my site - is anyone willing to explain how I can improve the security for it?
Any advice would be greatly appreciated.
Having experienced problems with Google warning pages being placed on my site relating to potential malware, I've been looking into "beefing up" security, but am find the tutorials relating to safeguarding against sql injections confusing.
The following is a sample of code on my site - is anyone willing to explain how I can improve the security for it?
<div id="content">
<?php
$user="*****";
$host="*****";
$password="*****";
$database="*****";
mysql_connect($host, $user, $password);
mysql_select_db($database);
?>
<?php
if (!isset($_POST['submit'])) {
?>
<form action="" method="post">
<table border="0" cellpadding="2" width="95%">
<tr>
<td>Date:</td>
<td><input type="text" size="10" name="date"></td>
<td><b>YYYY-MM-DD format</td></b>
</tr>
<tr>
<td>Ref:</td>
<td><input type="text" size="2" name="ref"></td>
<td><b> </td></b>
</tr>
<tr>
<td>Card No:</td>
<td><input type="text" size="2" name="cardno"></td>
<td> </td>
</tr>
<tr>
<td>Form:</td>
<td><input type="text" size="7" name="form"></td>
<td> </td>
</tr>
<tr>
<td>Horse:</td>
<td><input type="text" size="25" name="horse"></td>
<td> </td>
</tr>
<tr>
<td>Weight:</td>
<td><input type="text" size="6" name="weight"></td>
<td> </td>
</tr>
<tr>
<td>Jockey:</td>
<td><input type="text" size="25" name="jockey"></td>
<td> </td>
</tr>
<tr>
<td>Trainer:</td>
<td><input type="text" size="25" name="trainer"></td>
<td>Stable name</td>
</tr>
<tr>
<td>Preview:</td>
<td><textarea name="comment" rows="7" cols="35"></textarea></td>
<td> </td>
</tr>
</table>
<input type="submit" name="submit" value="Submit!">
</form>
<?php
} else {
$date = $_POST['date'];
$ref = $_POST['ref'];
$cardno = $_POST['cardno'];
$form = $_POST['form'];
$horse = $_POST['horse'];
$weight = $_POST['weight'];
$jockey = $_POST['jockey'];
$trainer = $_POST['trainer'];
$comment = $_POST['comment'];
mysql_query("INSERT INTO `*****` (date, ref, cardno, form, horse, weight, jockey, trainer, comment)
VALUES ('$date', '$ref', '$cardno', '$form', '$horse', '$weight', '$jockey', '$trainer', '$comment')");
echo
"Success! This overview has been added to the database!";
}
?>Any advice would be greatly appreciated.
You could start off with basic data validation. Pumping all of the fields into the db without checking even one of them? That's just asking for injection.
Lost time is never found again.
- Benjamin Franklin
- Benjamin Franklin
|
Other Threads in the MySQL Forum
- Previous Thread: Updating 12k records twice a day
- Next Thread: what is wrong with this code?
•
•
•
•
Views: 454 | Replies: 3 | Currently Viewing: 1 (0 members and 1 guests)
Linear Mode
