I had a web site ( Real Estate) and visitor can add data. But I only need to add in site only after my approval. So I make a column in database that "approved". When an user submit data then Enter the value "no" in "approved" column. When I approve the post then that will replace to "yes".

And finally The search script in my like as follows

SELECT * from table name where approved='yes';

Please let me know how much this is secure . Or there is any other secure way to do that .
Please help me
Thanks
Rajeesh

The security should not be judged on your query alone.
There are many ways a person can manipulate a query using form fields and even the address bar.

If you post up your code i'l have a look.

Hope this helps

My code

$name=$_POST['name'];
$phone=$_POST['phone'];
$email=$_POST['email'];
$comments=$_POST['comments'];
$adv=$_POST['adv'];

mysql_connect("localhost", "username","password") or die(mysql_error());
//echo "Connected to MySQL<br />";
mysql_select_db("dbname") or die(mysql_error());


$for_id = time() . rand(0,9);
$for_id1=md5($for_id);
$id=substr($for_id1,0,10);

mysql_query("INSERT INTO advertise (name,phone,email,comments,id,adv,approved) VALUES (
'$name','$phone','$email','$comments','$id','$adv','no')
") or die(mysql_error());
$notok = 'advertise_thanks.php';
header('Location: ' . $notok);

Please help
Thanks

The security should not be judged on your query alone.
There are many ways a person can manipulate a query using form fields and even the address bar.

If you post up your code i'l have a look.

Hope this helps

Your code is absolutely not safe! Why? Because you didn't check the user input to make sure it is clean. You are setting yourself up for an SQL injection.

To help fix this at the very minimum you want to do the following before continuing with your code:

Take this part of your code and move it below the opening of the database connection:

$name=$_POST['name'];
$phone=$_POST['phone'];
$email=$_POST['email'];
$comments=$_POST['comments'];
$adv=$_POST['adv'];

Then make this following change to the code as well

$name=mysql_real_escape_string($_POST['name']);
$phone=mysql_real_escape_string($_POST['phone']);
$email=mysql_real_escape_string($_POST['email']);
$comments=mysql_real_escape_string($_POST['comments']);
$adv=mysql_real_escape_string($_POST['adv']);

So basically your code should look like this now:

mysql_connect("localhost", "username","password") or die(mysql_error());
//echo "Connected to MySQL<br />";
mysql_select_db("dbname") or die(mysql_error());

$name=mysql_real_escape_string($_POST['name']);
$phone=mysql_real_escape_string($_POST['phone']);
$email=mysql_real_escape_string($_POST['email']);
$comments=mysql_real_escape_string($_POST['comments']);
$adv=mysql_real_escape_string($_POST['adv']);


$for_id = time() . rand(0,9);
$for_id1=md5($for_id);
$id=substr($for_id1,0,10);

mysql_query("INSERT INTO advertise (name,phone,email,comments,id,adv,approved) VALUES (
'$name','$phone','$email','$comments','$id','$adv','no')
") or die(mysql_error());
$notok = 'advertise_thanks.php';
header('Location: ' . $notok);

This way it automatically places the escape character before anything that might be used in a SQL query.

Ok thank you for your reply.
I already disable escape character using the javascript in the form page. Is it enough ??

Please
Reply

Your code is absolutely not safe! Why? Because you didn't check the user input to make sure it is clean. You are setting yourself up for an SQL injection.

To help fix this at the very minimum you want to do the following before continuing with your code:

Take this part of your code and move it below the opening of the database connection:

$name=$_POST['name'];
$phone=$_POST['phone'];
$email=$_POST['email'];
$comments=$_POST['comments'];
$adv=$_POST['adv'];

Then make this following change to the code as well

$name=mysql_real_escape_string($_POST['name']);
$phone=mysql_real_escape_string($_POST['phone']);
$email=mysql_real_escape_string($_POST['email']);
$comments=mysql_real_escape_string($_POST['comments']);
$adv=mysql_real_escape_string($_POST['adv']);

So basically your code should look like this now:

mysql_connect("localhost", "username","password") or die(mysql_error());
//echo "Connected to MySQL<br />";
mysql_select_db("dbname") or die(mysql_error());

$name=mysql_real_escape_string($_POST['name']);
$phone=mysql_real_escape_string($_POST['phone']);
$email=mysql_real_escape_string($_POST['email']);
$comments=mysql_real_escape_string($_POST['comments']);
$adv=mysql_real_escape_string($_POST['adv']);


$for_id = time() . rand(0,9);
$for_id1=md5($for_id);
$id=substr($for_id1,0,10);

mysql_query("INSERT INTO advertise (name,phone,email,comments,id,adv,approved) VALUES (
'$name','$phone','$email','$comments','$id','$adv','no')
") or die(mysql_error());
$notok = 'advertise_thanks.php';
header('Location: ' . $notok);

This way it automatically places the escape character before anything that might be used in a SQL query.

NO. That is not enough. Javascript can be disabled.

Also, instead of all of that redundant code, why not use:

array_map('mysql_real_escape_string',&$_POST);

Thanks
If you dont mind will you give me some details of
array_map('mysql_real_escape_string',&$_POST);

Please

NO. That is not enough. Javascript can be disabled.

Also, instead of all of that redundant code, why not use:

array_map('mysql_real_escape_string',&$_POST);

They are both right. The code is very unsafe.
It would take about a second to hack through either mySQL injections or CSRF.
Daniweb gives help however i recomend you google search the two terms and learn about them.

Hope this helps

This article has been dead for over six months. Start a new discussion instead.