MySQL Discussion Thread (marked solved)

Protecting against sql injections

Jan 10th, 2009, Borderline:
I wonder if someone can point me in the right direction for securing my site more effectively.

Having experienced problems with Google warning pages being placed on my site relating to potential malware, I've been looking into "beefing up" security, but am finding the tutorials relating to safeguarding against SQL injections confusing.

The following is a sample of code on my site - is anyone willing to explain how I can improve the security for it?

Code (PHP):

<div id="content">
<?php
$user="*****";
$host="*****";
$password="*****";
$database="*****";

mysql_connect($host, $user, $password);
mysql_select_db($database);
?>

<?php
if (!isset($_POST['submit'])) {
?>
<form action="" method="post">

<table border="0" cellpadding="2" width="95%">

<tr>
<td>Date:</td>
<td><input type="text" size="10" name="date"></td>
<td><b>YYYY-MM-DD format</b></td>
</tr>

<tr>
<td>Ref:</td>
<td><input type="text" size="2" name="ref"></td>
<td><b>&nbsp;</b></td>
</tr>

<tr>
<td>Card No:</td>
<td><input type="text" size="2" name="cardno"></td>
<td>&nbsp;</td>
</tr>

<tr>
<td>Form:</td>
<td><input type="text" size="7" name="form"></td>
<td>&nbsp;</td>
</tr>

<tr>
<td>Horse:</td>
<td><input type="text" size="25" name="horse"></td>
<td>&nbsp;</td>
</tr>

<tr>
<td>Weight:</td>
<td><input type="text" size="6" name="weight"></td>
<td>&nbsp;</td>
</tr>

<tr>
<td>Jockey:</td>
<td><input type="text" size="25" name="jockey"></td>
<td>&nbsp;</td>
</tr>

<tr>
<td>Trainer:</td>
<td><input type="text" size="25" name="trainer"></td>
<td>Stable name</td>
</tr>

<tr>
<td>Preview:</td>
<td><textarea name="comment" rows="7" cols="35"></textarea></td>
<td>&nbsp;</td>
</tr>

</table>

<input type="submit" name="submit" value="Submit!">
</form>

<?php
} else {
// Every POST value is dropped straight into the SQL string below, unescaped
// and unvalidated: this is the injection point the question is about.
$date = $_POST['date'];
$ref = $_POST['ref'];
$cardno = $_POST['cardno'];
$form = $_POST['form'];
$horse = $_POST['horse'];
$weight = $_POST['weight'];
$jockey = $_POST['jockey'];
$trainer = $_POST['trainer'];
$comment = $_POST['comment'];

mysql_query("INSERT INTO `*****` (date, ref, cardno, form, horse, weight, jockey, trainer, comment)
VALUES ('$date', '$ref', '$cardno', '$form', '$horse', '$weight', '$jockey', '$trainer', '$comment')");

echo "Success! This overview has been added to the database!";
}
?>

Any advice would be greatly appreciated.
Jan 10th, 2009, buddylee17:

Re: Protecting against sql injections

You could start off with basic data validation. Pumping all of the fields into the db without checking even one of them? That's just asking for injection.
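The hardened form of the poster's INSERT branch, with the per-field validation buddylee17 recommends, as an added example that is not code from the original post or from either poster. The table name `race_preview` is a stand-in for the one masked as ***** in the post (the column names are the poster's), and the demo at the end uses an in-memory SQLite database through PDO so it runs without a MySQL server; against MySQL the same functions work unchanged with a `mysql:` DSN. The constructed input carries a legitimate apostrophe in the horse name and a comment value chosen so that the post's string concatenation would turn one INSERT into two rows, while the prepared statement stores the same text as a plain value.

```php
<?php
// Added example, not the poster's code. Hardened form of the post's "else" branch:
// validate each field, then insert with a PDO prepared statement.
// Assumptions: the table name `race_preview` stands in for the one masked as *****
// in the post; column names are the poster's; the demo at the bottom uses an
// in-memory SQLite database so it runs without a MySQL server.

// Returns a list of error messages; an empty list means the input is acceptable.
function validate_preview(array $in)
{
    $errors = [];
    $fields = ['date', 'ref', 'cardno', 'form', 'horse', 'weight', 'jockey', 'trainer', 'comment'];
    foreach ($fields as $f) {
        if (!isset($in[$f]) || !is_string($in[$f])) {
            $errors[] = "$f is missing";
        }
    }
    if ($errors) {
        return $errors;
    }
    // Date must be YYYY-MM-DD and a real calendar date (checkdate rejects 2009-02-30).
    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $in['date'], $m)
        || !checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        $errors[] = 'date must be a valid date in YYYY-MM-DD format';
    }
    // Ref and card number: digits only, at most three of them.
    foreach (['ref', 'cardno'] as $f) {
        if (!preg_match('/^\d{1,3}$/', $in[$f])) {
            $errors[] = "$f must be a whole number";
        }
    }
    // Weight as stones-pounds (9-7) or plain pounds (133).
    if (!preg_match('/^\d{1,2}-\d{1,2}$|^\d{1,3}$/', $in['weight'])) {
        $errors[] = 'weight must look like 9-7 or 133';
    }
    // Free text: enforce a length limit only. Apostrophes and quotes are allowed;
    // they are harmless once the value travels as a bound parameter.
    $limits = ['form' => 16, 'horse' => 64, 'jockey' => 64, 'trainer' => 64, 'comment' => 2000];
    foreach ($limits as $f => $max) {
        if (strlen($in[$f]) > $max) {
            $errors[] = "$f is longer than $max characters";
        }
    }
    return $errors;
}

// The SQL text contains only placeholders; values are bound separately, so a
// quote inside a value can never terminate a string literal in the statement.
function insert_preview(PDO $db, array $in)
{
    $stmt = $db->prepare(
        'INSERT INTO race_preview (date, ref, cardno, form, horse, weight, jockey, trainer, comment)
         VALUES (:date, :ref, :cardno, :form, :horse, :weight, :jockey, :trainer, :comment)'
    );
    $stmt->execute([
        ':date' => $in['date'], ':ref' => $in['ref'], ':cardno' => $in['cardno'],
        ':form' => $in['form'], ':horse' => $in['horse'], ':weight' => $in['weight'],
        ':jockey' => $in['jockey'], ':trainer' => $in['trainer'], ':comment' => $in['comment'],
    ]);
    return $stmt->rowCount();
}

// For contrast: the query text the post's string concatenation would send.
function concatenated_query_text(array $in)
{
    return "INSERT INTO race_preview (date, ref, cardno, form, horse, weight, jockey, trainer, comment) "
         . "VALUES ('{$in['date']}', '{$in['ref']}', '{$in['cardno']}', '{$in['form']}', '{$in['horse']}', "
         . "'{$in['weight']}', '{$in['jockey']}', '{$in['trainer']}', '{$in['comment']}')";
}

if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');   // production: 'mysql:host=...;dbname=...;charset=utf8mb4'
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE race_preview (date TEXT, ref TEXT, cardno TEXT, form TEXT, horse TEXT,
               weight TEXT, jockey TEXT, trainer TEXT, comment TEXT)');

    // Constructed input: a legitimate apostrophe in the horse name, and a comment whose
    // closing quote and parenthesis would add a second row if pasted into the SQL text.
    $input = [
        'date' => '2009-01-10', 'ref' => '3', 'cardno' => '7', 'form' => '1-2-1',
        'horse' => "O'Brien's Pride", 'weight' => '11-10', 'jockey' => 'A Jockey',
        'trainer' => 'A Stable',
        'comment' => "Looks well'), ('2009-01-10','0','0','','','','','','injected",
    ];

    $errors = validate_preview($input);
    if ($errors) {
        echo implode("\n", $errors), "\n";
        exit(1);
    }
    echo "Query the post's concatenation would run:\n", concatenated_query_text($input), "\n\n";
    insert_preview($db, $input);
    echo 'Rows stored via prepared statement: ',
         $db->query('SELECT COUNT(*) FROM race_preview')->fetchColumn(), "\n";
    echo 'Stored comment: ', $db->query('SELECT comment FROM race_preview')->fetchColumn(), "\n";
}
```

Run it with the php command-line binary: the prepared statement stores exactly one row, and the comment column holds the payload text verbatim, while the printed concatenated query shows the extra `('2009-01-10','0','0',...,'injected')` row the post's code would have inserted (and the broken quoting the apostrophe in the horse name would have caused). Against MySQL, use a DSN like `mysql:host=...;dbname=...;charset=utf8mb4` and set `PDO::ATTR_EMULATE_PREPARES` to false so the server rather than the client library handles the binding. The `mysql_*` functions in the post offer no parameter binding at all and were removed from PHP in version 7.0.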
Jan 11th, 2009, Borderline:

Re: Protecting against sql injections

Perhaps you could suggest a suitable tutorial for a newcomer to the language?
Jan 11th, 2009, Borderline:

Re: Protecting against sql injections

Marked as solved: was assisted via other forums.

© 2011 DaniWeb® LLC