
Database forms- How to protect with magic quotes

SphirosOkelli
Newbie Poster
11 posts since Jul 2012

I am learning php, and am developing an address book on my website that will put info into a database I am storing on my vps. However, I am struggling to understand the use of magic quotes as a security measure and wondered if anyone had a good suggestion for a clear concise tutorial on this?

I have included the forms I am using to submit the info as well as the section I am using to send it to my database. I suspect that making the changes I need is simpler than it appears in the current tutorial I am using... I have my form split into two pages. Please understand, I'm not asking anyone to fix the code so that it has the magic quotes safety on it- I'm asking for information on how to learn to do it myself. If however you would enjoy filling in my missing pieces please feel free to show me!

Thank you guys!

//This is the form I currently have to submit the information. It gets transferred to another page that then submits it to the database.

<form action="insert.php" method="post">
First Name: <input type="text" name="FirstName">
Last Name: <input type="text" name="LastName">
<br>
Email Address: <input type="text" name="EmailAddress">
<br>
<input type="submit">
</form>

//This is what I am using to submit the data to the database.

<?php
// Connection and insert using the old mysql_* extension.
$db_handle = mysql_connect($server, $user_name, $password);

$db_found = mysql_select_db($database, $db_handle);

if ($db_found) {

    // The form values are interpolated straight into the SQL string.
    // Note: the form above has no PhoneNumber field, so that value is always empty.
    $sql = "INSERT INTO contacts
            VALUES
            ('$_POST[FirstName]','$_POST[LastName]','$_POST[EmailAddress]','$_POST[PhoneNumber]')";

    if (!mysql_query($sql, $db_handle)) {
        die('Error: ' . mysql_error());
    }
    echo "1 record added";

    mysql_close($db_handle);

} else {

    print "Database NOT Found " . $db_handle;
    mysql_close($db_handle);

}
?>
veedeoo
Veteran Poster
1,017 posts since Oct 2011

Hi,

If your VPS has the latest PHP version on it, this is probably not necessary. Learning it to go backwards is not a good idea, because magic_quotes has been deprecated.

Octet
Posting Pro
579 posts since Nov 2011

As veedeoo has said, magic_quotes has been deprecated.

What I suggest you look into is something called MySQLi, where the 'i' stands for Improved. This is the newest version of MySQL and has many additional security benefits; within MySQLi you have something called 'Prepared Statements' which allows you to add your User Input separately.

This has benefits over magic_quotes, which isn't that efficient and has many issues with character encoding. Prepared Statements process input separately and as text so that there is 'virtually no way' for you to have an SQL injection attack.

SphirosOkelli
Newbie Poster
11 posts since Jul 2012

Sweet! I am pretty sure the VPS had PHP5 installed, but I'll double check. And I'll look into the prepared statements. Thank you guys!

diafol
Where are my eyes?
13,002 posts since Oct 2006
Moderator

This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

So, that could avoid a lot of nonsense for you. As mentioned, use a parameterized query, using PDO or mysqli_*. Avoid mysql_* because:

This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used.

SphirosOkelli
Newbie Poster
11 posts since Jul 2012

So I have done some research on the prepared statements, I have used them to connect successfully to my database and access information currently saved there. However I am having difficulty putting information into my database via my text form. My assumption is that my POST statements are not working. So far all the tutorials I have found only show you how to hard code information into the database which I don't want to do.

//This is the form I am using- it's the same one that I was using before:

<form action="insert.php" method="post">
First Name: <input type="text" name="FirstName">
Last Name: <input type="text" name="LastName">
<br>
Email Address: <input type="text" name="EmailAddress">
<br>
<input type="submit">
</form>

//This is the new insertion section. I have evidence of an actual connection. But the form data does not show up in the database.

<?php
try {
    $dbh = new PDO("mysql:host=$hostname;dbname=sphiros_address", $username, $password);
    /*** echo a message saying we have connected ***/
    echo 'Connected to database';

    $sql = "SELECT * FROM contacts";
    foreach ($dbh->query($sql) as $row) {
        print $row['First Name'] . ' - ' . $row['Last Name'] . '<br />';
    }

    /*** INSERT data - this is the part that isn't working for me ***/
    /*** column names containing spaces must be backtick-quoted; unquoted they are a SQL syntax error and exec() returns false ***/
    $count = $dbh->exec("INSERT INTO contacts(`First Name`, `Last Name`, `Email Address`) VALUES ('$_POST[FirstName]','$_POST[LastName]','$_POST[EmailAddress]')");

    /*** echo the number of affected rows ***/
    echo $count;

    /*** close the database connection ***/
    $dbh = null;
} catch (PDOException $e) {
    echo $e->getMessage();
}
?>
Zagga
Posting Pro in Training
438 posts since Dec 2009

Hi,

I'm not familiar with PDO but the syntax you are using to collect the $_POST variables doesn't look right, as you suspected (note the single quotes around the variable name).

Try collecting the POST variables outside of the query.
Change

$count = $dbh->exec("INSERT INTO contacts(First Name, Last Name, Email Address) VALUES ('$_POST[FirstName]','$_POST[LastName]','$_POST[EmailAddress]')");

to

$firstname = $_POST['FirstName'];
$lastname = $_POST['LastName'];
$emailaddress = $_POST['EmailAddress'];
// column names with spaces need backticks in MySQL
$count = $dbh->exec("INSERT INTO contacts(`First Name`, `Last Name`, `Email Address`) VALUES ('$firstname','$lastname','$emailaddress')");

and see how you get along.
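The parameterized insert that Octet and diafol recommend, applied to the form in this thread, as an added example that is not any poster's code. It assumes the `contacts` table and the space-containing column names from the second snippet (`First Name`, `Last Name`, `Email Address`), the `sphiros_address` database, PHP 7 or later, and placeholder credentials; it binds the three form fields instead of interpolating `$_POST` into the SQL, which is the change Zagga's rewrite above still leaves out.

```php
<?php
// Added example (not any poster's code): PDO prepared statement for the address-book form.
// Assumed: table `contacts` with the column names used above (`First Name`, `Last Name`,
// `Email Address`), database sphiros_address; credentials are placeholders. Needs PHP 7+.
$hostname = 'localhost';
$username = 'DB_USER_PLACEHOLDER';
$password = 'DB_PASSWORD_PLACEHOLDER';

// Read only the three fields the form sends; missing fields become empty strings.
$first = trim($_POST['FirstName'] ?? '');
$last  = trim($_POST['LastName'] ?? '');
$email = trim($_POST['EmailAddress'] ?? '');

if ($first === '' || $last === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Please fill in first name, last name and a valid email address.');
}

try {
    $dbh = new PDO(
        "mysql:host=$hostname;dbname=sphiros_address;charset=utf8mb4",
        $username,
        $password,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepare
        ]
    );

    // Column names with spaces are backtick-quoted. The values never become part of the
    // SQL text: they are sent separately as bound parameters, so quotes or SQL in the
    // input are stored as plain data rather than changing the statement.
    $stmt = $dbh->prepare(
        'INSERT INTO `contacts` (`First Name`, `Last Name`, `Email Address`)
         VALUES (:first, :last, :email)'
    );
    $stmt->execute([
        ':first' => $first,
        ':last'  => $last,
        ':email' => $email,
    ]);

    echo $stmt->rowCount() . ' record added';
} catch (PDOException $e) {
    // Keep driver details in the server log; the browser gets a generic message.
    error_log('contacts insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Could not save the contact.';
}
```

With `ERRMODE_EXCEPTION` set, a mistyped column name surfaces as a logged exception instead of the silent `false` that hid the original problem.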
