0

I wonder if someone can point me in the right direction for securing my site more effectively.

Having experienced problems with Google warning pages being placed on my site relating to potential malware, I've been looking into "beefing up" security, but am find the tutorials relating to safeguarding against sql injections confusing.

The following is a sample of code on my site - is anyone willing to explain how I can improve the security for it?

<div id="content">
		<?php
	      $user="*****";
	      $host="*****";
	      $password="*****";
	      $database="*****";
	
	mysql_connect($host, $user, $password);
	mysql_select_db($database);
	?>


<?php
if (!isset($_POST['submit'])) {
?>
<form action="" method="post">

	<table border="0" cellpadding="2" width="95%">


	<tr>
        <td>Date:</td>
        <td><input type="text" size="10" name="date"></td>
        <td><b>YYYY-MM-DD format</td></b>
	</tr>


	<tr>
        <td>Ref:</td>
        <td><input type="text" size="2" name="ref"></td>
        <td><b>&nbsp;</td></b>
	</tr>


	<tr>
        <td>Card No:</td>
        <td><input type="text" size="2" name="cardno"></td>
        <td>&nbsp;</td>
	</tr>


	<tr>
        <td>Form:</td>
        <td><input type="text" size="7" name="form"></td>
        <td>&nbsp;</td>
	</tr>


	<tr>
        <td>Horse:</td>
        <td><input type="text" size="25" name="horse"></td>
        <td>&nbsp;</td>
	</tr>


	<tr>
        <td>Weight:</td>
        <td><input type="text" size="6" name="weight"></td>
        <td>&nbsp;</td>
	</tr>


	<tr>
        <td>Jockey:</td>
        <td><input type="text" size="25" name="jockey"></td>
        <td>&nbsp;</td>
	</tr>

	<tr>
        <td>Trainer:</td>
        <td><input type="text" size="25" name="trainer"></td>
        <td>Stable name</td>
	</tr>


	<tr>
        <td>Preview:</td>
        <td><textarea name="comment" rows="7" cols="35"></textarea></td>
        <td>&nbsp;</td>
	</tr>

</table>

<input type="submit" name="submit" value="Submit!">
</form>


<?php
} else {
	$date		= 	$_POST['date'];
	$ref		= 	$_POST['ref'];
	$cardno		= 	$_POST['cardno'];
	$form		= 	$_POST['form'];
	$horse		= 	$_POST['horse'];
	$weight		= 	$_POST['weight'];
	$jockey		= 	$_POST['jockey'];
	$trainer	= 	$_POST['trainer'];
	$comment	= 	$_POST['comment'];

mysql_query("INSERT INTO `*****` (date, ref, cardno, form, horse, weight, jockey, trainer, comment)
VALUES ('$date', '$ref', '$cardno', '$form', '$horse', '$weight', '$jockey', '$trainer', '$comment')");

echo 

"Success! This overview has been added to the database!";
}
?>

Any advice would be greatly appreciated.

2
Contributors
3
Replies
4
Views
8 Years
Discussion Span
Last Post by Borderline
0

You could start off with basic data validation. Pumping all of the fields into the db without checking even one of them? That's just asking for injection.

0

Perhaps you could suggest a suitable tutorial for a newcomer to the language?

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.