0

This is a (very) basic PHP form for use with a database. - Not sure of all the technical stuff I probably should be adding to this post, and I am not sure that it is safe to use either. - Spent hours (literally) looking at ways of securing the form against SQL injection and have ended up with several variations in the same script for securing it against that kind of attack through the name and comment fields ...only I have been completely unable to actually verify that any of the protection methods work; although the code on the email side of things does seem to be sound.

I am hoping that someone who better understands those parts than me might be able to contribute something and that, between us, we might end up with a script that is clean and safe to use. :icon_cheesygrin:

<?php

include '/var/wetsocks.php';

//connect to the database
$access = mysql_pconnect("$s","$u","$p");

if (!$access) {

	die('Could not connect: ' . mysql_error());

} // End of if statement.

mysql_select_db("$d") or trigger_error('Query failed: ' . mysql_error($db), E_USER_ERROR);

$name    = $_POST['name'];
$comment = $_POST['comment'];
$email   = $_POST['email'];

function emailcheck($field) {

$field=filter_var($field, FILTER_SANITIZE_EMAIL);

	if(filter_var($field, FILTER_VALIDATE_EMAIL)) {

		return TRUE;

	} else {

		return FALSE;

	} // End of if statement.

} // End of function.


$name    = $_POST['name'];
$comment = $_POST['comment'];
$email   = $_POST['email'];


if (isset($_POST['email'])) {

$mailcheck = emailcheck($_POST['email']);

	if (($mailcheck==FALSE) || (empty($_POST['name'])) || (empty($_POST['comment'])) || (empty($_POST['email']))) {

		print 'Not Likely!';

		die();

	} // End of if statement.

} // End of if statement.


if (isset($_POST['name'])) {

	filter_var($_POST['name'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_AMP);

	trim($_POST['name']);
	stripslashes($_POST['name']);
	htmlspecialchars($_POST['name']);

	mysql_real_escape_string($_POST['name']);

} // End of if statement.


if (isset($_POST['comment'])) {

	filter_var($_POST['comment'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_AMP);

	trim($_POST['comment']);
	stripslashes($_POST['comment']);
	htmlspecialchars($_POST['comment']);

	mysql_real_escape_string($_POST['comment']);

} // End of if statement.


$sql="INSERT INTO custom_feedback (name,comment,email) VALUES ('$_POST[name]','$_POST[comment]','$_POST[email]')";

print 'Record Added!';


if (!mysql_query($sql,$access)) {

  die('Error: ' . mysql_error());

  } // End of if statement.

?>
2
Contributors
2
Replies
3
Views
6 Years
Discussion Span
Last Post by JBLDW
0

I will stick to what I think is the root. The safest way to access a database is through prepared statements. PHP has some ways to do that but I believe that the easiest (and most updated in modern standards) is PDO.

0

Interesting. - My PHP library module is compiled with PDO, but so far I have not found any situation that really required it; however I have seen tutorials that touch on prepared statements, but they did not seem to do anything beyond that that was already in the script (albeit with a a lot more coding).

I will do some more checking on those two items and see about revising the script. - Thank-you.

Edited by JBLDW: n/a

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.