This is a (very) basic PHP form for use with a database. - Not sure of all the technical stuff I probably should be adding to this post, and I am not sure that it is safe to use either. - Spent hours (literally) looking at ways of securing the form against SQL injection and have ended up with several variations in the same script for securing it against that kind of attack through the name and comment fields ... only I have been completely unable to actually verify that any of the protection methods work; although the code on the email side of things does seem to be sound.

I am hoping that someone who better understands those parts than me might be able to contribute something and that, between us, we might end up with a script that is clean and safe to use.

<?php

include '/var/wetsocks.php';

//connect to the database
$access = mysql_pconnect("$s","$u","$p");

if (!$access) {

	die('Could not connect: ' . mysql_error());

} // End of if statement.

mysql_select_db("$d") or trigger_error('Query failed: ' . mysql_error($access), E_USER_ERROR);

$name    = $_POST['name'];
$comment = $_POST['comment'];
$email   = $_POST['email'];

function emailcheck($field) {

$field=filter_var($field, FILTER_SANITIZE_EMAIL);

	if(filter_var($field, FILTER_VALIDATE_EMAIL)) {

		return TRUE;

	} else {

		return FALSE;

	} // End of if statement.

} // End of function.


$name    = $_POST['name'];
$comment = $_POST['comment'];
$email   = $_POST['email'];


if (isset($_POST['email'])) {

$mailcheck = emailcheck($_POST['email']);

	if (($mailcheck==FALSE) || (empty($_POST['name'])) || (empty($_POST['comment'])) || (empty($_POST['email']))) {

		print 'Not Likely!';

		die();

	} // End of if statement.

} // End of if statement.


if (isset($_POST['name'])) {

	filter_var($_POST['name'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_AMP);

	trim($_POST['name']);
	stripslashes($_POST['name']);
	htmlspecialchars($_POST['name']);

	mysql_real_escape_string($_POST['name']);

} // End of if statement.


if (isset($_POST['comment'])) {

	filter_var($_POST['comment'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_AMP);

	trim($_POST['comment']);
	stripslashes($_POST['comment']);
	htmlspecialchars($_POST['comment']);

	mysql_real_escape_string($_POST['comment']);

} // End of if statement.


$sql="INSERT INTO custom_feedback (name,comment,email) VALUES ('$_POST[name]','$_POST[comment]','$_POST[email]')";

print 'Record Added!';


if (!mysql_query($sql,$access)) {

  die('Error: ' . mysql_error());

  } // End of if statement.

?>


I will stick to what I think is the root. The safest way to access a database is through prepared statements. PHP has some ways to do that but I believe that the easiest (and most updated in modern standards) is PDO.
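For comparison, here is the insert from the original post rewritten with PDO and a prepared statement. This is an added illustration, not code from either poster; it assumes the same include file supplies $s, $u, $p and $d and that the custom_feedback table exists.

```php
<?php
// Added example: the same insert done with PDO and a prepared statement.
// Assumes /var/wetsocks.php defines $s (host), $u (user), $p (password) and
// $d (database) as in the original post, and that custom_feedback exists.
include '/var/wetsocks.php';

// Validate first and reject bad input; do not try to "clean" it into shape.
$name    = isset($_POST['name'])    ? trim($_POST['name'])    : '';
$comment = isset($_POST['comment']) ? trim($_POST['comment']) : '';
$email   = isset($_POST['email'])   ? trim($_POST['email'])   : '';

if ($name === '' || $comment === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Not Likely!');
}

try {
    $dsn = "mysql:host=$s;dbname=$d;charset=utf8mb4";
    $pdo = new PDO($dsn, $u, $p, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ));

    // Placeholders keep the data out of the SQL text; the driver sends the
    // values separately, so quotes in $name or $comment cannot alter the query.
    $stmt = $pdo->prepare(
        'INSERT INTO custom_feedback (name, comment, email) VALUES (:name, :comment, :email)'
    );
    $stmt->bindValue(':name',    $name,    PDO::PARAM_STR);
    $stmt->bindValue(':comment', $comment, PDO::PARAM_STR);
    $stmt->bindValue(':email',   $email,   PDO::PARAM_STR);
    $stmt->execute();

    print 'Record Added!';
} catch (PDOException $e) {
    // Log the driver message server-side; never echo it to the browser.
    error_log('custom_feedback insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Error: could not save your feedback.');
}

// Escaping belongs at output time, not storage time: when the stored comment
// is displayed later, wrap it in htmlspecialchars($comment, ENT_QUOTES, 'UTF-8').
```

Note that the stripslashes/htmlspecialchars/mysql_real_escape_string calls in the original script discard their return values, so none of them ever changed what went into $sql; a prepared statement removes the need for that escaping chain entirely.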

Interesting. - My PHP library module is compiled with PDO, but so far I have not found any situation that really required it; however, I have seen tutorials that touch on prepared statements, but they did not seem to do anything beyond what was already in the script (albeit with a lot more coding).

I will do some more checking on those two items and see about revising the script. - Thank-you.
