
secure a PHP feedback form



ianhaney
09-15-2013, 04:50 PM
Hi

I have used the following feedback form in my webpage but need to secure it against SQL injections etc

http://www.dynamicdrive.com/forums/showthread.php?41433-Script-for-testimonials&p=299530#post299530

Can anyone help me with this please

Kind regards

Ian

fastsol1
09-16-2013, 02:24 PM
Well, since that topic was made 5 years ago, it's a little outdated on PHP functions. I would get rid of this line.

$_POST['comment'] = addslashes($_POST['comment']);
and change the query string to this.


// every user-supplied value is run through mysql_real_escape_string()
// before it is spliced into the query string
mysql_query("INSERT INTO `testimonials` (`name`,`email`,`text`,`norp`,`date`)
    VALUES ('".mysql_real_escape_string($_POST['name'])."',
            '".mysql_real_escape_string($_POST['email'])."',
            '".mysql_real_escape_string($_POST['comment'])."',
            '".mysql_real_escape_string($_POST['norp'])."',
            '".time()."')")
    or die("MySQL Error!<br>(".mysql_error().")<br>Could not proceed");
header("Location: ".$_SERVER['PHP_SELF']);

That will do normal SQL injection prevention.
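
Per-value escaping only protects the query if every value is escaped and the connection charset matches what mysql_real_escape_string() assumes, so the usual recommendation is to send the values separately from the SQL text with a prepared statement. The following is an added example, not code from the thread: the same INSERT into the thread's `testimonials` table (columns `name`, `email`, `text`, `norp`, `date`, with `date` holding the Unix timestamp from time() as above) written with mysqli prepared statements; the connection details are placeholders, and the `save_testimonial` function name and the validation rules are assumptions.

```php
<?php
// Added example (not from the original thread): the feedback INSERT with a
// mysqli prepared statement so user input is never parsed as SQL.
function save_testimonial(mysqli $db, array $post): bool
{
    // Basic server-side validation before anything reaches the database.
    $name    = trim($post['name']    ?? '');
    $email   = trim($post['email']   ?? '');
    $comment = trim($post['comment'] ?? '');
    $norp    = $post['norp'] ?? '';

    if ($name === '' || $comment === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return false;
    }

    // The ? placeholders stand in for every user-supplied value. The values
    // travel to MySQL separately from the SQL text, so quotes, backslashes or
    // comment markers in the input cannot change the statement's structure.
    $stmt = $db->prepare(
        'INSERT INTO `testimonials` (`name`, `email`, `text`, `norp`, `date`)
         VALUES (?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $now = time(); // same Unix timestamp the thread's query stores in `date`
    $stmt->bind_param('ssssi', $name, $email, $comment, $norp, $now);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Placeholders: replace host, user, password and database with your own.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Could not connect to the database');
}
$db->set_charset('utf8mb4'); // make the connection charset explicit

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (save_testimonial($db, $_POST)) {
        header('Location: ' . $_SERVER['PHP_SELF']);
        exit; // stop the script after the redirect header
    }
    echo 'Could not save your feedback.';
}
```

No addslashes() or mysql_real_escape_string() call is needed here, because the bound values are never concatenated into the SQL string at all.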

ianhaney
09-17-2013, 12:06 PM
Hi, I have made the changes you mentioned, fastsol1, and hopefully it will be OK. Not sure how to test it against SQL injections, though, but I'm sure it will be OK.

Thank you appreciate it

Kind regards

Ian
