Simple Form Written in PHP

Discussion in 'PHP' started by miexl, Aug 11, 2009.

  1. #1
Hi,

I have a form page (form1.php) that submits to the same page.
In this page I also have PHP code that connects to the database to save the form data. I just want to know if this page is safe from hacking.

Sample code is like this:

    
<?php
mysql_connect('localhost','sample_username','sample_password');
mysql_select_db('sample_database') or die('cannot connect');

if(isset($_POST['submit'])) {
  // $_POST['name'] is placed straight into the SQL text; this is the line the question is about
  $query = mysql_query("INSERT INTO `sample_table` (`id`,`name`) VALUES ('','$_POST[name]')");
}
?>

<form name="sample" action="" method="post">
<input type="text" name="name" value="name" />
<input type="submit" name="submit" value="submit" />
</form>

Is the code safe from hackers?
What's the possible attack?
Also, I only use functions for big queries instead of a class with functions.
I need your opinion, guys.
     
    miexl, Aug 11, 2009 IP
  2. joxtechnology

    #2
You can use mysql_real_escape_string() to protect it from SQL injection.
     
    joxtechnology, Aug 11, 2009 IP
  3. codedeep

    #3
True, and disconnect from the DB after each query.
     
    codedeep, Aug 11, 2009 IP
  4. miexl

    #4
Where can I put mysql_close()? At the very end of the page?
     
    miexl, Aug 11, 2009 IP
  5. codedeep

    #5
If you are developing pure PHP, I suppose you should create a PHP-MySQL connection class:
http://glurt.com/php-mysql-connection-class

The very first function, query_db($query), will connect, run the query and disconnect from the database.

If you want to start developing serious applications, use Zend Framework; it's a paradise when you are working with MySQL. The best OS for it is Linux (Ubuntu).
     
    codedeep, Aug 11, 2009 IP
  6. Sky AK47

    #6
^You're just complicating it more for her, and using a class for MySQL has always been trash in my eyes.
Also, you don't need to close the MySQL connection at the end of every page; PHP does this by default.

Using mysql_real_escape_string is in most cases enough, but you could use a little function to spice it up:
function clean($x){
    $x = strip_tags($x);                  // drop any HTML tags
    $x = trim($x);                        // strip leading and trailing whitespace
    $x = preg_replace("/ /i", "", $x);    // remove every remaining space
    $x = mysql_real_escape_string($x);    // needs an open mysql_connect() link
    return $x;
}
     
    Sky AK47, Aug 11, 2009 IP
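Taking posts #2 and #6 together, the following is an added example, not code from this thread: form1.php from post #1 rewritten so the submitted name is bound as a parameter of a mysqli prepared statement instead of being pasted into the SQL text. mysqli is the replacement for the mysql_* extension that mysql_real_escape_string() belongs to (removed in PHP 7). It assumes `sample_table` has an auto-increment `id` and a `name` column, and reuses the sample credentials from post #1.

```php
<?php
// Added example, not code from the thread: form1.php from post #1 rewritten so the
// submitted name is bound as a parameter instead of being pasted into the SQL text.
// Assumes `sample_table` has an auto-increment `id` and a `name` column, and the
// sample credentials from post #1.
declare(strict_types=1);

// Input normalisation only (compare clean() in post #6): with a prepared statement
// the SQL escaping step is no longer needed, so it is not done here.
function clean(string $x): string
{
    return trim(strip_tags($x));
}

// Insert one row and return its id. The value travels separately from the query,
// so a quote inside $name cannot end the string literal the way it can in
// "VALUES ('$_POST[name]')".
function save_name(mysqli $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO `sample_table` (`name`) VALUES (?)');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

$message = '';
if (isset($_POST['submit'])) {
    $name = clean($_POST['name'] ?? '');
    if ($name === '' || strlen($name) > 100) {
        $message = 'Please enter a name of 1 to 100 characters.';
    } else {
        // Strict reporting turns every mysqli failure into an exception, so no
        // result needs to be checked for false by hand.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        try {
            $db = new mysqli('localhost', 'sample_username', 'sample_password', 'sample_database');
            $db->set_charset('utf8mb4');   // binding and escaping are charset-aware
            $id = save_name($db, $name);
            $db->close();                  // explicit close, as discussed in posts #3 to #8
            // Escape on output so a stored value cannot inject markup into this page.
            $message = 'Saved ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ' as #' . $id;
        } catch (mysqli_sql_exception $e) {
            error_log('form1.php: ' . $e->getMessage());   // detail to the log, not the visitor
            $message = 'Sorry, the name could not be saved.';
        }
    }
}
?>
<p><?= $message ?></p>
<form name="sample" action="" method="post">
  <input type="text" name="name" value="" />
  <input type="submit" name="submit" value="submit" />
</form>
```

Two caveats for anyone staying on the old mysql_* extension: mysql_real_escape_string() needs an open mysql_connect() link, so a clean() helper like the one in post #6 must be called after the connection is made, not before; and it only protects values that sit inside a quoted string literal in the query, so a bare number interpolated without quotes still needs its own validation (casting with (int), for instance).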
  7. codedeep

    #7
PHP does it by default, but you should code by accepted worldwide rules.
Every error, or lack of code or understanding, makes your website unprofessional, fancy-looking code that is exposed to hackers and lamers. You should follow the software security ISO when developing any application in any language.

     
    codedeep, Aug 11, 2009 IP
  8. Sky AK47

    #8
Yes, I didn't say anything about errors or lack of code; mysql_close is not necessary, as every host has this by default. And if there are exceptions, those hosts suck.
     
    Sky AK47, Aug 11, 2009 IP
  9. astrazone

    #9
    astrazone, Aug 11, 2009 IP