MySQL RSS MySQL RSS

Protecting against sql injections

Thread Solved

Join Date: Apr 2008
Posts: 39
Reputation: Borderline is an unknown quantity at this point 
Solved Threads: 1
Borderline Borderline is offline Offline
Light Poster

Protecting against sql injections

 
0
  #1
Jan 10th, 2009
I wonder if someone can point me in the right direction for securing my site more effectively.

Having experienced problems with Google warning pages being placed on my site relating to potential malware, I've been looking into "beefing up" security, but am find the tutorials relating to safeguarding against sql injections confusing.

The following is a sample of code on my site - is anyone willing to explain how I can improve the security for it?

MySQL Syntax (Toggle Plain Text) 
  1. 	<div id="content">
  2. 		<?php
  3. 	      $user="*****";
  4. 	      $host="*****";
  5. 	      $password="*****";
  6. 	      $database="*****";
  7.  
  8. 	mysql_connect($host, $user, $password);
  9. 	mysql_select_db($database);
  10. 	?>
  11.  
  12.  
  13. <?php
  14. if (!isset($_POST['submit'])) {
  15. ?>
  16. <form action="" method="post">
  17.  
  18. 	<table border="0" cellpadding="2" width="95%">
  19.  
  20.  
  21. 	<tr>
  22.         <td>Date:</td>
  23.         <td><input type="text" size="10" name="date"></td>
  24.         <td><b>YYYY-MM-DD format</td></b>
  25. 	</tr>
  26.  
  27.  
  28. 	<tr>
  29.         <td>Ref:</td>
  30.         <td><input type="text" size="2" name="ref"></td>
  31.         <td><b>&nbsp;</td></b>
  32. 	</tr>
  33.  
  34.  
  35. 	<tr>
  36.         <td>Card No:</td>
  37.         <td><input type="text" size="2" name="cardno"></td>
  38.         <td>&nbsp;</td>
  39. 	</tr>
  40.  
  41.  
  42. 	<tr>
  43.         <td>Form:</td>
  44.         <td><input type="text" size="7" name="form"></td>
  45.         <td>&nbsp;</td>
  46. 	</tr>
  47.  
  48.  
  49. 	<tr>
  50.         <td>Horse:</td>
  51.         <td><input type="text" size="25" name="horse"></td>
  52.         <td>&nbsp;</td>
  53. 	</tr>
  54.  
  55.  
  56. 	<tr>
  57.         <td>Weight:</td>
  58.         <td><input type="text" size="6" name="weight"></td>
  59.         <td>&nbsp;</td>
  60. 	</tr>
  61.  
  62.  
  63. 	<tr>
  64.         <td>Jockey:</td>
  65.         <td><input type="text" size="25" name="jockey"></td>
  66.         <td>&nbsp;</td>
  67. 	</tr>
  68.  
  69. 	<tr>
  70.         <td>Trainer:</td>
  71.         <td><input type="text" size="25" name="trainer"></td>
  72.         <td>Stable name</td>
  73. 	</tr>
  74.  
  75.  
  76. 	<tr>
  77.         <td>Preview:</td>
  78.         <td><textarea name="comment" rows="7" cols="35"></textarea></td>
  79.         <td>&nbsp;</td>
  80. 	</tr>
  81.  
  82. </table>
  83.  
  84. <input type="submit" name="submit" value="Submit!">
  85. </form>
  86.  
  87.  
  88. <?php
  89. } ELSE {
  90. 	$date		= 	$_POST['date'];
  91. 	$ref		= 	$_POST['ref'];
  92. 	$cardno		= 	$_POST['cardno'];
  93. 	$form		= 	$_POST['form'];
  94. 	$horse		= 	$_POST['horse'];
  95. 	$weight		= 	$_POST['weight'];
  96. 	$jockey		= 	$_POST['jockey'];
  97. 	$trainer	= 	$_POST['trainer'];
  98. 	$comment	= 	$_POST['comment'];
  99.  
  100. mysql_query("INSERT INTO `*****` (date, ref, cardno, form, horse, weight, jockey, trainer, comment)
  101. VALUES ('$date', '$ref', '$cardno', '$form', '$horse', '$weight', '$jockey', '$trainer', '$comment')");
  102.  
  103. echo 
  104.  
  105. "Success! This overview has been added to the database!";
  106. }
  107. ?>

Any advice would be greatly appreciated.
Reply With Quote Quick reply to this message  
Join Date: Nov 2007
Posts: 596
Reputation: buddylee17 has a spectacular aura about buddylee17 has a spectacular aura about 
Solved Threads: 125
buddylee17's Avatar
buddylee17 buddylee17 is offline Offline
Posting Pro

Re: Protecting against sql injections

 
0
  #2
Jan 10th, 2009
You could start off with basic data validation. Pumping all of the fields into the db without checking even one of them? That's just asking for injection.
Lost time is never found again.
- Benjamin Franklin
Reply With Quote Quick reply to this message  
Join Date: Apr 2008
Posts: 39
Reputation: Borderline is an unknown quantity at this point 
Solved Threads: 1
Borderline Borderline is offline Offline
Light Poster

Re: Protecting against sql injections

 
0
  #3
Jan 11th, 2009
Perhaps you could suggest a suitable tutorial for a newcomer to the language?
Reply With Quote Quick reply to this message  
Join Date: Apr 2008
Posts: 39
Reputation: Borderline is an unknown quantity at this point 
Solved Threads: 1
Borderline Borderline is offline Offline
Light Poster

Re: Protecting against sql injections

 
0
  #4
Jan 11th, 2009
Marked as solved: was assisted via other forums.
Reply With Quote Quick reply to this message  
Reply

Quick Reply to Thread
This thread has been marked solved.
Perhaps start a new thread instead?
Message:



Other Threads in the MySQL Forum
Thread Tools Search this Thread



agplv3 alfresco amazon api artisticlicense aws bizspark breathalyzer camparingtocolumns changingprices cmg communityjournalism contentmanagement contractors copyright count court crm database design developer development distinct drupal dui ec2 email enterprise eudora facebook form foss gartner government gpl greenit groklaw groupware hiring hyperic images innerjoins insert ip joebrockmeier join journalism keyword keywords kickfire laptop law legal license licensing linux maintenance managing mariadb matchingcolumns metron micromanage microsoft mindtouch montywidenius mozilla multiple music mysql mysqlcolumnupdating mysqldatetimeordermax() mysqlindex mysqlinternalqueries mysqlquery news open-xchange opendatabasealliance opengovernment opensource oracle penelope php priceupdating query referencedesign reorderingcolumns resultset saas select sharepoint simpledb sourcecode spotify sql sugarcrm syntax techsupport thunderbird transparency virtualization
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC