
Need Help With My Uncanny Site Config Update Script


phprocker


Hey all.  I've created a script that updates a website's config in a database. The script itself works fine but I feel it is rather uncanny. Where can I look to find better methods of achieving what I'm trying to accomplish?

 

Here's my script that updates my table with columns id, showlogin, colorscheme, blogmenu, aboutus.

I explain the script below it.

 

if (isset($_POST['submit']))
{
    // id will always be 1 and only query if only submit was pressed
    $sql = "UPDATE config SET id=1";

    // showlogin values are 1 for show login form and 2 for don't
    if (!empty($_POST['showlogin']))
    {
        $showlogin = $_POST['showlogin'];
        $sql .= ", showlogin='$showlogin'";
    }
    if (!empty($_POST['colorscheme']))
    {
        $colorscheme = $_POST['colorscheme'];
        $sql .= ", colorscheme='$colorscheme'";
    }
    if (!empty($_POST['blogmenu']))
    {
        $blogmenu = $_POST['blogmenu'];
        $sql .= ", blogmenu='$blogmenu'";
    }
    else
    {
        $sql .= ", blogmenu=2";
    }
    if (!empty($_POST['aboutus']))
    {
        $aboutus = $_POST['aboutus'];
        $sql .= ", aboutus='$aboutus'";
    }
    else
    {
        $sql .= ", aboutus=2";
    }

    mysql_query($sql, $connect) or die (mysql_error());
}

 

It works like this.  I have a form with a few selects and checkboxes. The selects are the colorscheme and showlogin. The checkboxes are blogmenu and about us, both defaulting to the number 2 if they are not checked. 1 means show this item on the live site and 2 means do not show.  This is pulled out of the database on page loads.

 

So, I hope I was clear as my mind is spaghetti right now.

 

Cheers!


A few things are missing in your code:

1. Validation - never believe user input; always validate it, e.g. as integer, alphanumeric, email IDs.

2. Never insert raw user data in the database - if you are expecting only a simple string, strip all the HTML tags or define the tags you are allowing. Always use mysql_real_escape_string so that there will be SQL injection attacks.

3. Avoid XSS attacks.

4. Data length is not validated - you can only define a max length for each input field

  e.g. for name max varchar 255... before executing the query check the length input by user.

 

5. Rather than just checking if(!empty($_POST['field_name']))

 

use if (isset($_POST['field_name']) && !empty(trim($_POST['field_name']))) {

        // do something

    }

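The reply's points on validation and SQL injection, applied to the config update from the first post, as an added example that is not part of either post. It assumes PHP 7+ with PDO; the table and column names come from the thread, while the colour scheme names and the in-memory SQLite database used for the demo are hypothetical.

```php
<?php
// Added example: allow-list validation plus a prepared statement.
// ALLOWED_SCHEMES and the SQLite demo database are assumptions, not from the thread.
const ALLOWED_SCHEMES = ['light', 'dark', 'blue']; // hypothetical values

function build_config(array $post): array
{
    // Selects: accept only known values, otherwise reject the request.
    $showlogin = $post['showlogin'] ?? '';
    if (!in_array($showlogin, ['1', '2'], true)) {
        throw new InvalidArgumentException('showlogin must be 1 or 2');
    }
    $colorscheme = $post['colorscheme'] ?? '';
    if (!in_array($colorscheme, ALLOWED_SCHEMES, true)) {
        throw new InvalidArgumentException('unknown colorscheme');
    }
    // Checkboxes: only the exact value "1" means "show"; anything else
    // (missing, empty, tampered) falls back to 2, as in the original script.
    return [
        ':showlogin'   => (int) $showlogin,
        ':colorscheme' => $colorscheme,
        ':blogmenu'    => ($post['blogmenu'] ?? '') === '1' ? 1 : 2,
        ':aboutus'     => ($post['aboutus'] ?? '') === '1' ? 1 : 2,
    ];
}

function update_config(PDO $pdo, array $post): void
{
    // Placeholders keep request data out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'UPDATE config SET showlogin = :showlogin, colorscheme = :colorscheme,
                blogmenu = :blogmenu, aboutus = :aboutus WHERE id = 1'
    );
    $stmt->execute(build_config($post));
}

// Demo with constructed input; a real page would pass $_POST.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE config (id INTEGER PRIMARY KEY, showlogin INT, colorscheme TEXT, blogmenu INT, aboutus INT)');
$pdo->exec("INSERT INTO config VALUES (1, 1, 'light', 2, 2)");
update_config($pdo, ['showlogin' => '2', 'colorscheme' => 'dark', 'blogmenu' => '1']);
print_r($pdo->query('SELECT * FROM config')->fetch(PDO::FETCH_ASSOC));
try {
    // Constructed tampered value: fails the allow-list, so no query is run.
    update_config($pdo, ['showlogin' => "1', aboutus='9", 'colorscheme' => 'dark']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because every column is checked against a fixed set of values, the length check from point 4 is covered implicitly; free-text fields would still need an explicit length limit and output escaping when rendered.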
