Member Since: Jan 15, 2003
Location: Whangarei, New Zealand
Posts: 2
I have a simple XHTML page with a form asking for the user's first name, last name, email address and phone number. The form submits its data to 'database.php', which is a simple PHP script that adds the given data to the table 'entries' in the database 'one'.
At the moment, it's nothing more than that. In the PHP page I open the connection to the MySQL server through a separate script in a subdirectory which will eventually be protected with htaccess. Security is of extreme importance in this situation. What measures can I take to prevent a malicious user from entering a set of commands that will close the query and give them full access to my database (e.g. entering a single/double quote and a ')' to terminate the running command)?
Member Since: Jun 11, 2003
Location: Mount Vernon, WA
Posts: 4,905
Verify all data, and what I would do is post to your original page and then send them to a different page saying thank you.
For your login data, make sure that file is kept outside of the web directories; that way a person cannot access it through the web, only through FTP, SSH, etc., but then they have to have the password. If they get the password then it really does not matter what kind of security you do. Try urlencoding and urldecoding. Try stripslashes, try addslashes. I put all my data into single quotes, even those that are just numbers. I do remove the slashes and then add my own slashes to the data. That should take care of all your problems.
Member Since: Jan 15, 2003
Location: Whangarei, New Zealand
Posts: 2
You mean post to PHP_SELF() or whatever, and have the database script in the same file?
Do single quotes prevent MySQL commands from being entered? I think the only way I could even get the form data into the database was to use something like:
insert into table values('$first_name', '$last_name')
Is that secure, if I use stripslashes with it?
Member Since: Jun 11, 2003
Location: Mount Vernon, WA
Posts: 4,905
Yeah, I mean using PHP_SELF. Try to make sure and use the new global variables though, so $_SERVER['PHP_SELF'] and $_POST['firstname'] etc. And actually you won't need to do anything to that input, because it should automatically add slashes to your incoming data.
So let's say $_POST['lastname'] was O'Connel; then it would actually be O\'Connel, which escapes the apostrophe and tells MySQL to not use it as part of the SQL statement, that it's actually part of the value. So something like this:
INSERT INTO tablename VALUES ('{$_POST['firstname']}', '{$_POST['lastname']}');
As you can see, surrounding the variables are single quotes. Now since the data within will have their single quotes escaped, it shouldn't matter what kind of stuff someone puts in the fields; they shouldn't be able to add any damaging code without it throwing up an error.
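An added example, not code from either poster: the same INSERT written with string interpolation as in the reply above, next to a prepared statement that keeps the values out of the SQL text so the result does not depend on slashes being added to the input. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table name 'entries' comes from the thread, the column names and sample form data are constructed.

```php
<?php
// Added example (not the thread's code). PDO + SQLite in memory so it runs offline;
// against MySQL the PDO calls are identical apart from the DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE entries (first_name TEXT, last_name TEXT, email TEXT, phone TEXT)');

// Constructed form data: a perfectly legitimate surname that contains an apostrophe.
$post = [
    'firstname' => 'Sean',
    'lastname'  => "O'Connel",
    'email'     => 'sean@example.invalid',
    'phone'     => '021 000 0000',
];

// 1) String interpolation, the pattern discussed in the thread. Whatever the user
//    typed becomes part of the SQL text. Here the apostrophe in O'Connel ends the
//    quoted value early, the statement is malformed and the database rejects it.
$sql = "INSERT INTO entries VALUES ('{$post['firstname']}', '{$post['lastname']}', "
     . "'{$post['email']}', '{$post['phone']}')";
try {
    $pdo->exec($sql);
    echo "interpolated insert succeeded\n";
} catch (PDOException $e) {
    echo "interpolated insert failed: " . $e->getMessage() . "\n";
}

// 2) Prepared statement. The SQL text is fixed and contains only placeholders; the
//    values are sent separately, so quotes or anything else in the data are never
//    parsed as SQL. No addslashes()/stripslashes() juggling is needed.
$stmt = $pdo->prepare(
    'INSERT INTO entries (first_name, last_name, email, phone) VALUES (?, ?, ?, ?)'
);
$stmt->execute([$post['firstname'], $post['lastname'], $post['email'], $post['phone']]);

// Read the row back: the surname is stored exactly as entered, apostrophe included.
$row = $pdo->query('SELECT last_name FROM entries')->fetch(PDO::FETCH_ASSOC);
echo "stored last_name: " . $row['last_name'] . "\n";

// The mysqli extension offers the same shape for a real MySQL connection:
//   $stmt = $mysqli->prepare('INSERT INTO entries (first_name, last_name, email, phone) VALUES (?, ?, ?, ?)');
//   $stmt->bind_param('ssss', $first, $last, $email, $phone);
//   $stmt->execute();
```

Run it with the command-line interpreter (`php example.php`); the PDO SQLite driver ships with most PHP builds.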