
Thread: secure a PHP feedback form

  1. #1
    Join Date
    May 2012
    Posts
    217
    Thanks
    0
    Thanked 1 Time in 1 Post

    secure a PHP feedback form

    Hi

    I have used the following feedback form on my webpage, but I need to secure it against SQL injection, etc.

    http://www.dynamicdrive.com/forums/s...530#post299530

    Can anyone help me with this, please?

    Kind regards

    Ian

  2. #2
    Join Date
    Jul 2010
    Location
    Minnesota
    Posts
    256
    Thanks
    1
    Thanked 21 Times in 21 Posts


    Well, since that topic was made 5 years ago, it's a little outdated on PHP functions. I would get rid of this line.
    PHP Code:
    $_POST['comment'] = addslashes($_POST['comment']); 
    and change the query string to this.
    PHP Code:
    // Every user-supplied value is run through mysql_real_escape_string()
    // before being concatenated into the query; note the "." after "('"
    // which the original post was missing.
    mysql_query("INSERT INTO `testimonials`
      (`name`,`email`,`text`,`norp`,`date`) VALUES ('".
      mysql_real_escape_string($_POST['name'])."', '".
      mysql_real_escape_string($_POST['email'])."', '".
      mysql_real_escape_string($_POST['comment'])."', '".
      mysql_real_escape_string($_POST['norp'])."', '".
      time()."')")
      or die("MySQL Error!<br>(".mysql_error().")<br>Could not proceed");

    header("Location: ".$_SERVER['PHP_SELF']);
    That will do normal SQL injection prevention.
    You never know everything, I learn everyday!
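    Added example, not code from this thread: the same testimonials INSERT written as a PDO prepared statement, which keeps the values out of the SQL text entirely and does not depend on the mysql_* extension (removed in PHP 7). It assumes pdo_sqlite is available so it can run against an in-memory database; the table schema and the submitted values are constructed for the demo.

```php
<?php
// Added example (not the thread's code): parameterised INSERT for the feedback form.
// Uses an in-memory SQLite database so it runs without a MySQL server; against
// MySQL the DSN would be "mysql:host=...;dbname=...;charset=utf8mb4" and the
// rest is unchanged.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Same columns as the form's table (schema constructed for this demo).
$pdo->exec('CREATE TABLE testimonials (name TEXT, email TEXT, text TEXT, norp TEXT, date INTEGER)');

function save_testimonial(PDO $pdo, array $post): int
{
    // Validate the fields that have a known shape before they reach SQL.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid email');
    }
    $allowedNorp = ['negative', 'positive']; // assumed option values; use the form's real ones
    if (!in_array($post['norp'] ?? '', $allowedNorp, true)) {
        throw new InvalidArgumentException('invalid norp');
    }

    // Named placeholders: values travel separately from the SQL text, so quotes,
    // semicolons or comment markers inside them are stored as plain data.
    $stmt = $pdo->prepare(
        'INSERT INTO testimonials (name, email, text, norp, date)
         VALUES (:name, :email, :text, :norp, :date)'
    );
    $stmt->execute([
        ':name'  => (string) ($post['name'] ?? ''),
        ':email' => $email,
        ':text'  => (string) ($post['comment'] ?? ''),
        ':norp'  => $post['norp'],
        ':date'  => time(),
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed input of the kind a tester would submit: a quote and SQL syntax in the name.
$fakePost = ['name' => "O'Brien'); --", 'email' => 'ian@example.com',
             'comment' => 'Great site', 'norp' => 'positive'];
save_testimonial($pdo, $fakePost);

// The stored name is exactly what was typed; nothing in it was interpreted as SQL.
$row = $pdo->query('SELECT name FROM testimonials')->fetch(PDO::FETCH_ASSOC);
echo $row['name'] === $fakePost['name'] ? "stored verbatim\n" : "unexpected value\n";
```

    Whichever approach is used, the `or die(mysql_error())` pattern should not stay: it echoes database error text to the visitor, which belongs in a server-side log instead.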

  3. #3
    Join Date
    May 2012
    Posts
    217
    Thanks
    0
    Thanked 1 Time in 1 Post


    Hi, I have made the changes you mentioned, fastsol1, and hopefully it will be OK. Not sure how to test it against SQL injections, though, but I'm sure it will be OK.

    Thank you, I appreciate it.

    Kind regards

    Ian

