Need Your Advice!

I want to let people submit information about their businesses to one of my web sites. I know the basics of how to do this with PHP: I will build a form and have the information be inserted into my database when 'Submit' is hit. However, what I don't know is:

• what kinds of security precautions I will need to take to prevent people and bots from abusing the system
• and how I can automate the process of reviewing the submitted information and generating a page for it

Any suggestions will be appreciated.

 

You can add a Captcha to Stop Bots and What do u want the information that is being input to do just pm me with more details

 

When someone submits his/her information, I want to be able to review it before allowing it to appear on my site. I want the page on which it will appear to be generated automatically; I don't want to have to stick it on a page myself. Is that possible with PHP?

 

You can set up a database where you will store businesses contact info.

By default all new submission will be added to the database as unverified, giving you the choice to APPROVE/EDIT/DELETE them from the administration (password protected) area as you wish

Only verified (approved) submission will be visible to visitors.

You can implement different levels of spam security, the most known are:
* Captcha Image (Completely Automated Public Turing test to tell Computers and Humans Apart)
* Setting limits: x submission per session or per IP...
* Accept only paid submissions (lol)

...

 

Take precautions for XSS and SQL injection attacks.

 

Thanks, Nabil. One rep point for you.

I think I know a way in which I can approve/disapprove the submissions. What I don't understand is how the pages will be generated automatically. Is that possible with PHP?

 

Of course, but I don't think I understand which part of the process is unclear.

In a nutshell, though:

1) Your web site displays a directory of businesses, retrieved from the database, only including those items marked as "approved".

2) Some people submit their information through your form.

3) It gets stored in the database (remember buldozerceto's caution about XSS and SQL injection) and marked as "unapproved".

4) Your web site sends you an email to let you know that someone has submitted a new listing. Or you can just have the new listings appear on a special page for your eyes only.

5) You view the listing and take one of four actions:

5a. Delete it because it's spam or useless.
5b. Approve it, which updates the database to mark it as "approved".
5c. Edit it and then approve it.
5d. Ignore it for now, so it remains marked as "unapproved".

Presto, that's all there is to it.

 

Thanks, SmallPotatoes!

I fully understand the approval/disapproval part now. Put simply, I will have a column named Approve or something like that, which I will leave NULL to disapprove, or enter a value to approve. And in my SELECT query, I will have a '. . . WHERE approve IS NOT NULL' command.

However, that will only work on a directory-type page, where many businesses appear together. I want each business's information to also appear on a page of its own. Can these pages be generated automatically with PHP?

 

Sure. Each page in the directory will link to the individual business' profile page, with a URL like "business-profile.php?id=6549". Then business-profile.php just does something like this:

$id = intval($_GET['id']);
if (!$id)
   my_404_function();
$sql = "select * from business where id = {$id}";
$st = mysql_query($sql) or die(mysql_error());
if (!mysql_num_rows($st))
   my_404_function();
$row = mysql_fetch_assoc($st);
echo "<p>Business name: {$row['name']}
   <br>Address: {$row['address']}
   <br>Phone: {$row['phone']}</p>";

Code (markup):

 

SmallPotatoes, I now understand it clearly. Thank you very much!

Right now, all of the businesses appear together in a directory, as a list. I also create a Description page, one for each individual business. This means that, if I want to change how the description pages look, I have to go through every single one and make the adjustments. If I had done it the way you just specified, I would only need to change one page when I want a modification.

The thing is, if I done it the way you just specified, my site would only consist of a few pages (I'm talking about the actual number of files uploaded to my server). Is that bad for the search engines? Will all businesses' individual description pages be indexed?

 

These days I don't think it makes much difference from a SEO perspective, at least not with Google. Google will crawl anything that looks like it has content on it, and is not easily daunted by ?id=blahblah stuff.

Nevertheless you can create more distinctive URLs for each profile page if you'd like. In your .htaccess file you can include this:

RewriteEngine On
RewriteRule ^business-profile-([0-9]+).php business-profile.php?id=$1

Code (markup):

And then you will be able to use links that look like this:

business-profile-241.php

Code (markup):

You could even add another field to the database for alpha URL code (e.g., "main_street_music" and use that instead of the ID number (e.g., "business-profile-main_street_music.php". And you could use .html instead of .php at the end of your URLs. Or no extension at all. At the end of the day, you have total control of how your pages and URLs look, and nobody on the outside (neither human nor search engine) has to know what your underlying back-end structure is.