c_pattle Posted October 22, 2010
I have a form that when submitted inserts the input values into a database. I was wondering what measures I can take to make sure that it is as secure as possible. Below I have added some basic code. Any help on how to modify this code to protect against injection attacks etc. would be great.

if(isset($_POST['form_submit'])) {
    $submit_sql = "insert into websites (website_name, website_description, website_url) values (\"" . $_POST['website_name'] . "\",\"" . $_POST['website_description'] . "\",\"" . $_POST['website_url'] . "\")";
    $submit_rs = mysql_query($submit_sql, $mysql_conn);
}
freelance84 Posted October 22, 2010
http://www.phpfreaks.com/tutorial/php-security
I found this was a very very helpful tutorial when learning.
c_pattle (Author) Posted October 22, 2010
Thanks. If I use mysql_real_escape_string... it replaces any ' with \'. However, this is bad because if the user enters "it's" into the database it will then show up as "it\'s". Or is it necessary to have this?
Pikachu2000 Posted October 22, 2010
It doesn't actually end up in the database with the slash. The slash is recognized as an escape character, and MySQL deals with it appropriately.
c_pattle (Author) Posted October 22, 2010
Thanks, although when I tried it the backslashes did end up in the database. Does this mean I am doing something wrong?
Pikachu2000 Posted October 22, 2010
Is magic_quotes_gpc set to ON in your php.ini file?
c_pattle (Author) Posted October 22, 2010
Yes, it's set to "ON". Should I change it? Also, this is my code. Is this the right way to do it?

if(isset($_POST['form_submit'])) {
    $_SESSION['website_name'] = mysql_real_escape_string($_POST['website_name'], $mysql_conn);
    $_SESSION['website_description'] = mysql_real_escape_string($_POST['website_description'], $mysql_conn);
    $_SESSION['website_url'] = mysql_real_escape_string($_POST['website_url'], $mysql_conn);
    $submit_sql = "insert into websites (website_name, website_description, website_url) values (\"" . $_SESSION['website_name'] . "\",\"" . $_SESSION['website_description'] . "\",\"" . $_SESSION['website_url'] . "\")";
    $submit_rs = mysql_query($submit_sql, $mysql_conn);
}
Pikachu2000 Posted October 22, 2010
magic_quotes_gpc should be turned off, yes. As a minimum, you should check for it in your code if you're writing a script that needs to be as portable as possible. That way, you don't end up double-escaping things. Have a look through the examples in the documentation for get_magic_quotes_gpc().

if( get_magic_quotes_gpc() ) {
    // run your GET/POST/COOKIE vars through stripslashes()
}
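As an added example (not code from the thread or from either poster), here is the same insert written so that it cannot be double-escaped and does not rely on string escaping at all: it undoes magic_quotes_gpc when that setting is on, as Pikachu2000 suggests, then uses a mysqli prepared statement with bound parameters, which sends the values separately from the SQL text, so "it's" is stored exactly as typed. The table and column names come from the thread; the connection credentials are placeholders, and mysqli is swapped in for the mysql_* extension, which was removed in PHP 7.

```php
<?php
// Added example, not from the original thread. Assumes the
// websites(website_name, website_description, website_url) table from the posts
// and placeholder connection details.

// Undo magic_quotes_gpc (removed in PHP 5.4, but the thread targets older PHP)
// so that input is not escaped twice. Handles nested arrays recursively.
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST   = strip_magic_quotes($_POST);
    $_GET    = strip_magic_quotes($_GET);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Placeholder credentials; replace with your own.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}
// Tell the driver the connection charset so escaping/binding matches the data.
$mysqli->set_charset('utf8mb4');

if (isset($_POST['form_submit'])) {
    // The SQL contains only placeholders; user input never becomes part of the
    // query text, so no escaping is needed and an apostrophe is stored as typed.
    $stmt = $mysqli->prepare(
        'INSERT INTO websites (website_name, website_description, website_url) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        die('Prepare failed: ' . $mysqli->error);
    }
    $name        = isset($_POST['website_name']) ? (string) $_POST['website_name'] : '';
    $description = isset($_POST['website_description']) ? (string) $_POST['website_description'] : '';
    $url         = isset($_POST['website_url']) ? (string) $_POST['website_url'] : '';
    // 'sss': three string parameters, bound by reference to the variables above.
    $stmt->bind_param('sss', $name, $description, $url);
    if (!$stmt->execute()) {
        die('Insert failed: ' . $stmt->error);
    }
    $stmt->close();
}
```

With bound parameters the mysql_real_escape_string() step from the earlier post is no longer needed, which also removes the double-escaping problem that produced the stored backslashes.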
c_pattle (Author) Posted October 22, 2010
Cool. Thanks for your help.