Member Avatar for Borderline

I wonder if someone can point me in the right direction for securing my site more effectively.

Having experienced problems with Google warning pages being placed on my site relating to potential malware, I've been looking into "beefing up" security, but am find the tutorials relating to safeguarding against sql injections confusing.

The following is a sample of code on my site - is anyone willing to explain how I can improve the security for it?

<div id="content">
		<?php
	      $user="*****";
	      $host="*****";
	      $password="*****";
	      $database="*****";
	
	mysql_connect($host, $user, $password);
	mysql_select_db($database);
	?>


<?php
if (!isset($_POST['submit'])) {
?>
<form action="" method="post">

	<table border="0" cellpadding="2" width="95%">


	<tr>
        <td>Date:</td>
        <td><input type="text" size="10" name="date"></td>
        <td><b>YYYY-MM-DD format</td></b>
	</tr>


	<tr>
        <td>Ref:</td>
        <td><input type="text" size="2" name="ref"></td>
        <td><b>&nbsp;</td></b>
	</tr>


	<tr>
        <td>Card No:</td>
        <td><input type="text" size="2" name="cardno"></td>
        <td>&nbsp;</td>
	</tr>


	<tr>
        <td>Form:</td>
        <td><input type="text" size="7" name="form"></td>
        <td>&nbsp;</td>
	</tr>


	<tr>
        <td>Horse:</td>
        <td><input type="text" size="25" name="horse"></td>
        <td>&nbsp;</td>
	</tr>


	<tr>
        <td>Weight:</td>
        <td><input type="text" size="6" name="weight"></td>
        <td>&nbsp;</td>
	</tr>


	<tr>
        <td>Jockey:</td>
        <td><input type="text" size="25" name="jockey"></td>
        <td>&nbsp;</td>
	</tr>

	<tr>
        <td>Trainer:</td>
        <td><input type="text" size="25" name="trainer"></td>
        <td>Stable name</td>
	</tr>


	<tr>
        <td>Preview:</td>
        <td><textarea name="comment" rows="7" cols="35"></textarea></td>
        <td>&nbsp;</td>
	</tr>

</table>

<input type="submit" name="submit" value="Submit!">
</form>


<?php
} else {
	$date		= 	$_POST['date'];
	$ref		= 	$_POST['ref'];
	$cardno		= 	$_POST['cardno'];
	$form		= 	$_POST['form'];
	$horse		= 	$_POST['horse'];
	$weight		= 	$_POST['weight'];
	$jockey		= 	$_POST['jockey'];
	$trainer	= 	$_POST['trainer'];
	$comment	= 	$_POST['comment'];

mysql_query("INSERT INTO `*****` (date, ref, cardno, form, horse, weight, jockey, trainer, comment)
VALUES ('$date', '$ref', '$cardno', '$form', '$horse', '$weight', '$jockey', '$trainer', '$comment')");

echo 

"Success! This overview has been added to the database!";
}
?>

Any advice would be greatly appreciated.

  • 2 Contributors
  • 3 Replies
  • 111 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by Borderline

Recommended Answers

All 3 Replies

Member Avatar for buddylee17

You could start off with basic data validation. Pumping all of the fields into the db without checking even one of them? That's just asking for injection.

Member Avatar for Borderline

Perhaps you could suggest a suitable tutorial for a newcomer to the language?

Member Avatar for Borderline

Marked as solved: was assisted via other forums.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.