We're a community of 1077K IT Pros here for help, advice, solutions, professional growth and fun. Join us!
1,076,503 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Start New Discussion Reply to this Discussion
Ad: IT HelpDesk & Customer Support Software
3 Months Ago
0

Database forms- How to protect with magic quotes

I am learning php, and am developing an address book on my website that will put info into a data base I am storing on my vps. However, I am struggling to understand the use of magic quotes as a security measure and wondered if anyone had a good suggestion for a clear consisce tutorial on this?

I have included the forms I am using to submit the info as well that the section I am using to send it to my database. I suspect that making the changes I need is simpler than it appears in the current tutorial I am using... I have my form split into two pages. Please understand, I'm not asking anyone to fix the code so that is has the magic quotes safety on it- I'm asking for information on how to learn to do it myself. If however you would enjoy filling in my missing pieces please feel free to show me!

Thanl you guys!

//This is the form I currently have to submit the information. It gets transfered to another page that then submits it to the database.

<form action="insert.php" method="post">
First Name: <input type="text" name="FirstName">
Last Name: <input type="text" name="LastName">
<br>
Email Address: <input type="text" name="EmailAddress">
<br>
<input type="submit">
</form>

//This is what I am using to submit the date to the database.

$db_handle = mysql_connect($server, $user_name, $password);

$db_found = mysql_select_db($database, $db_handle);

if ($db_found) {

$sql="INSERT INTO contacts
VALUES
('$_POST[FirstName]','$_POST[LastName]','$_POST[EmailAddress]','$_POST[PhoneNumber]')";

if (!mysql_query($sql,$db_handle))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";


mysql_close( $db_handle );

}
else {

print "Database NOT Found " . $db_handle;
mysql_close($db_handle);

}
5
Contributors
6
Replies
1 Week
Discussion Span
3 Months Ago
Last Updated
8
Views
SphirosOkelli
Newbie Poster
11 posts since Jul 2012
Reputation Points: 0
Solved Threads: 0
Skill Endorsements: 0
3 Months Ago
0

Hi,

If your VPS have the latest PHP version on it, this is probably not necessary. Learning it to go backwards is not a good idea, because magic_quotes has been deprecated..

veedeoo
Master Poster
735 posts since Oct 2011
Reputation Points: 298
Solved Threads: 130
Skill Endorsements: 13
3 Months Ago
2

As veedeoo has said, magic_quotes has been depreciated.

What I suggest you look into is something called MySQLi, where the 'i' stands for Improved. This is the newest version of MySQL and has many additional security benefits, within MySQLi you have something called 'Prepared Statements' whic allows you to add your User Input seperately.

This has benefits over magic_quotes which aren't that efficient and you have many issues with character encoding. Prepared Statements process input seperately and as text so that there is 'virtually no way' for you to have an SQL injection attack.

AHarrisGsy
Posting Pro in Training
498 posts since Nov 2011
Reputation Points: 52
Solved Threads: 41
Skill Endorsements: 13
3 Months Ago
0

Sweet! I am pretty sure the VPS had PHP5 installed, but I'll double check. And I'll look into the prepared statements. Thanks you guys!

SphirosOkelli
Newbie Poster
11 posts since Jul 2012
Reputation Points: 0
Solved Threads: 0
Skill Endorsements: 0
3 Months Ago
1

This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

So, that could avoid a lot of nonsense for you. As mentioned, use a parameterized query, using PDO or mysqli_*. Avoid mysql_* because:

This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used.

diafol
Keep Smiling
Moderator
10,672 posts since Oct 2006
Reputation Points: 1,632
Solved Threads: 1,514
Skill Endorsements: 57
3 Months Ago
0

So I have done some research on the prepared statements, I have used them to connect successfully to my databse and access information currently saved there. However I am having difficulty putting information into my database view my text form. My assumption is that my POST statements are not working. So far all the tutorials I have found only show you how to hard code information into the database which I dont want to do.

//This is the form I am using- its the same one that I was using before:

<form action="insert.php" method="post">
First Name: <input type="text" name="FirstName">
Last Name: <input type="text" name="LastName">
<br>
Email Address: <input type="text" name="EmailAddress">
<br>
<input type="submit">
</form>

//This is the new insertion section. I have evidence of an actual connection. But the form data does not show up in the database.

try {
    $dbh = new PDO("mysql:host=$hostname;dbname=sphiros_address", $username, $password);
    /*** echo a message saying we have connected ***/
    echo 'Connected to database';

    $sql = "SELECT * FROM contacts";
    foreach ($dbh->query($sql) as $row)
        {
        print $row['First Name'] .' - '. $row['Last Name'] . '<br />';
        }
 /*** INSERT data  this is the part that isnt working for me ***/
    $count = $dbh->exec("INSERT INTO contacts(First Name, Last Name, Email Address) VALUES ('$_POST[FirstName]','$_POST[LastName]','$_POST[EmailAddress]')");

    /*** echo the number of affected rows ***/
    echo $count;


    /*** close the database connection ***/
    $dbh = null;
   }
catch(PDOException $e)
    {
    echo $e->getMessage();
    }
?>
SphirosOkelli
Newbie Poster
11 posts since Jul 2012
Reputation Points: 0
Solved Threads: 0
Skill Endorsements: 0
3 Months Ago
0

Hi,

I'm not familiar with PDO but the syntax you are using to collect the $_POST variables doesn't look right, as you suspected (note the single quotes around the variable name).

Try collecting the POST variables outside of the query.
Change

$count = $dbh->exec("INSERT INTO contacts(First Name, Last Name, Email Address) VALUES ('$_POST[FirstName]','$_POST[LastName]','$_POST[EmailAddress]')");

to

$firstname = $_POST['FirstName'];
$lastname = $_POST['LastName'];
$emailaddress = $_POST['EmailAddress'];
$count = $dbh->exec("INSERT INTO contacts(First Name, Last Name, Email Address) VALUES ('$firstname','$lastname','$emailaddress')");

and see how you get along.

Zagga
Posting Whiz
372 posts since Dec 2009
Reputation Points: 45
Solved Threads: 79
Skill Endorsements: 4

This article has been dead for over three months: Start a new discussion instead

Post: Markdown Syntax: Formatting Help
 
You
Web Development > PHP
 
© 2013 DaniWeb® LLC
Page rendered in 0.0813 seconds using 2.78MB