phprocker Posted November 3, 2010

Hey all. I've created a script that updates a website's config in a database. The script itself works fine but I feel it is rather uncanny. Where can I look to find better methods of achieving what I'm trying to accomplish? Here's my script that updates my table with columns id, showlogin, colorscheme, blogmenu, aboutus. I explain the script below it.

    if (isset($_POST['submit'])) {
        // id will always be 1 and only query if submit was pressed
        $sql = "UPDATE config SET id=1";

        // showlogin values are 1 for show login form and 2 for don't
        if (!empty($_POST['showlogin'])) {
            $showlogin = $_POST['showlogin'];
            $sql .= ", showlogin='$showlogin'";
        }

        // colorscheme comes from a select on the form
        if (!empty($_POST['colorscheme'])) {
            $colorscheme = $_POST['colorscheme'];
            $sql .= ", colorscheme='$colorscheme'";
        }

        // blogmenu and aboutus are checkboxes: an unchecked box is not posted at all, so fall back to 2 (hide)
        if (!empty($_POST['blogmenu'])) {
            $blogmenu = $_POST['blogmenu'];
            $sql .= ", blogmenu='$blogmenu'";
        } else {
            $sql .= ", blogmenu=2";
        }

        if (!empty($_POST['aboutus'])) {
            $aboutus = $_POST['aboutus'];
            $sql .= ", aboutus='$aboutus'";
        } else {
            $sql .= ", aboutus=2";
        }

        mysql_query($sql, $connect) or die(mysql_error());
    }

It works like this. I have a form with a few selects and checkboxes. The selects are colorscheme and showlogin. The checkboxes are blogmenu and aboutus, both defaulting to the number 2 if they are not checked. 1 means show this item on the live site and 2 means do not show. This is pulled out of the database on page loads. So, I hope I was clear as my mind is spaghetti right now. Cheers!
anups Posted November 3, 2010

A few things are missing in your code:

1. Validation - never believe user input; always validate it (integer, alphanumeric, email IDs, etc.).

2. Never insert raw user data into the database - if you are expecting only a simple string, strip all the HTML tags or define the tags you are allowing. Always use mysql_real_escape_string() so that there will be no SQL injection attacks.

3. Avoid XSS attacks.

4. Data length is not validated - you can only define a max length for each input field, e.g. for name max varchar 255... before executing the query, check the length of the input entered by the user.

5. Rather than just checking if(!empty($_POST['field_name'])), use:

    // isset() guards the missing-key case; trim() rejects whitespace-only input
    if (isset($_POST['field_name']) && trim($_POST['field_name']) !== '') {
        // do something
    }
phprocker Posted November 4, 2010 (Author)

I'm looking for a simpler way to handle the config updates rather than a bunch of if statements. Anyone point me in the right direction?
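As an added example (not code from this thread), one way to replace the chain of if statements while also addressing the validation and injection points raised above: describe each column once in a whitelist of allowed values, loop over it, and let a prepared statement bind the values. It assumes a PDO connection in $pdo, a single config row with id 1, and constructed colour-scheme names.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection in $pdo and
// the original table: config (id, showlogin, colorscheme, blogmenu, aboutus).

// Each column maps to the values it may take. Anything not listed is
// rejected, so the query text never depends on raw user input.
$fields = [
    // select: 1 = show login form, 2 = hide it
    'showlogin'   => ['type' => 'enum', 'allowed' => ['1', '2']],
    // select: fixed set of scheme names (constructed values for this example)
    'colorscheme' => ['type' => 'enum', 'allowed' => ['light', 'dark', 'blue']],
    // checkboxes: checked = 1 (show), absent from POST = 2 (hide)
    'blogmenu'    => ['type' => 'checkbox'],
    'aboutus'     => ['type' => 'checkbox'],
];

// Returns the SET fragments and their bound parameters for one request.
function buildConfigUpdate(array $fields, array $post)
{
    $sets = [];
    $params = [];
    foreach ($fields as $column => $rule) {
        if ($rule['type'] === 'checkbox') {
            // An unchecked box is not sent at all, so absence means 2.
            $value = isset($post[$column]) ? '1' : '2';
        } else {
            $value = isset($post[$column]) ? trim((string) $post[$column]) : '';
            if (!in_array($value, $rule['allowed'], true)) {
                continue; // empty or unknown value: leave this column untouched
            }
        }
        // Column names come only from the $fields keys; values are bound,
        // never interpolated into the SQL string.
        $sets[] = "`$column` = :$column";
        $params[":$column"] = $value;
    }
    return [$sets, $params];
}

if (isset($_POST['submit'])) {
    list($sets, $params) = buildConfigUpdate($fields, $_POST);
    if ($sets !== []) {
        // Update the single config row instead of SET id=1 with no WHERE,
        // which would touch every row in the table.
        $sql = 'UPDATE config SET ' . implode(', ', $sets) . ' WHERE id = 1';
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
    }
}
```

Adding a new option then means adding one entry to $fields rather than another if/else block.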