Hello, I'm looking to build a simple script where users input their URL and it displays it on my frontpage when selecting the URL from a MySQL database. I want to make the form secure for a start to stop SQL injections and other security risks. I've searched Google for solutions and most seem good, but I'd like someone to explain what security risks there are and how I should protect the MySQL database information. I would also like to know how to select a specific ID, so when someone inserts their URL their URL is displayed on the main page; I want it so when the next person enters their URL the other person's URL is removed and the latest URL entered is displayed. Help appreciated +REP Thank you, Jamie Hann
Empty the table using this:

```php
// Remove the previous record so only the latest URL is kept.
mysql_query("TRUNCATE `table`");
```

then:

```php
// Escape the user-supplied value before it goes into the query.
$url = mysql_real_escape_string($url);
mysql_query("INSERT INTO `table`(url) VALUES('$url')");
```

Retrieve using this:

```php
// After the TRUNCATE + INSERT there is only one row, so no WHERE is needed.
$result = mysql_query("SELECT url FROM `table`");
$row = mysql_fetch_array($result);
$url = $row['url'];
echo $url;
```
I think using a database for this would be overkill. The functionality you're talking about can be accomplished by using a flat text file since you're only storing one record at a time. Since you'll just be displaying the file's contents on the web page, you'll need to make use of regular expressions that can validate that the input is a URL (and not malicious javascript). A quick Google search will yield the code you'll need. After you've got the validated input, use fopen to open the file for writing, write the new URL, and then fclose the file. Opening the file in write mode ( $fileHandle = fopen("/home/user/www/url.txt", "w") ) will delete the file's contents before writing. And to display the URL on your site, just use fread. You'll save a lot of system resources by skipping the database.
I would protect the processing side with addslashes(htmlentities(mysql_real_escape_string($_POST['yourinput']))). For getting the last one, use the mysql_insert_id() function, which returns the last inserted ID.
Hello Jamie, If your requirement is just the URL input then I would suggest you use a flat text file over a database, as suggested by w0tan. Input field validation can be done by regular expressions. The database option is not required at all for such a small task. But it's your will if you want to go the database way. Regards, Gonzo
Hey guys, thank you for the replies... would you say use a flat file if I have another bit of information I want the user to be able to input also? Such as a description for their site? Thank you, Jamie
Flat text files are only used for basic dumping and retrieving of data. Your initial requirement was a single input (URL) and you want to add a description as well. If it is a single record in a text file, "Yes", you can still stick with the flat file option; else, for more complex and efficient usage, switch to the database option. Regards, Gonzo
Absolutely. To do that, just write the data to the file in the form of: URL|description and then when you read in the file, you can use the explode function to separate the line of text into two different variables, like so:

```php
// $dataFromFile holds one line of the form "URL|description".
list($url, $description) = explode('|', $dataFromFile);
```

From there, you can print out the URL and description however you'd like. Best of luck.
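An added example (my own, not code from anyone in this thread) that puts w0tan's flat-file approach and the URL|description layout from the last reply together in one script: the URL is validated before it is written, the file is overwritten under a lock, and both values are escaped before they are printed. The file path, function names and the 200-character description limit are assumptions.

```php
<?php
// Added example (not from the thread): keep one "URL|description" record in a
// flat file, validate the URL before writing and escape on output.
// The file path and function names are assumptions for illustration.
define('URL_FILE', __DIR__ . '/url.txt');
// Accept only absolute http(s) URLs, so "javascript:" and the like are rejected.
function validate_url(string $input): ?string {
    $url = trim($input);
    if (strlen($url) > 2048 || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}
// The record is a single line with '|' as separator, so strip '|' and newlines.
function sanitize_description(string $input): string {
    $desc = str_replace(['|', "\r", "\n"], ' ', $input);
    return substr(trim($desc), 0, 200);
}
// Replace the previous record. "c" opens without truncating, so the truncate
// happens under the exclusive lock and concurrent submissions cannot interleave.
function save_record(string $url, string $desc): bool {
    $fh = fopen(URL_FILE, 'c');
    if ($fh === false || !flock($fh, LOCK_EX)) { return false; }
    ftruncate($fh, 0);
    $ok = fwrite($fh, $url . '|' . $desc . "\n") !== false;
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}
// Read the record back; re-validate so a tampered file cannot inject a bad URL.
function load_record(): ?array {
    if (!is_file(URL_FILE)) { return null; }
    $parts = explode('|', trim((string) file_get_contents(URL_FILE)), 2);
    if (count($parts) !== 2 || validate_url($parts[0]) === null) { return null; }
    return ['url' => $parts[0], 'description' => $parts[1]];
}
// Handle a submission, then render the latest record on the front page.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $url = validate_url($_POST['url'] ?? '');
    if ($url !== null) {
        save_record($url, sanitize_description($_POST['description'] ?? ''));
    }
}
if (($rec = load_record()) !== null) {
    $safeUrl = htmlspecialchars($rec['url'], ENT_QUOTES, 'UTF-8');
    $safeDesc = htmlspecialchars($rec['description'], ENT_QUOTES, 'UTF-8');
    echo "<a href=\"$safeUrl\">$safeDesc</a>";
}
```

Keep url.txt outside the web root (or deny direct access to it) so visitors can only see it through this page, and not as a raw file.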