OK, I've done this newsletter script. Now I was wondering if there were any ways I could possibly clean up this code, and I was also wondering if it was vulnerable to some SQL injections, as I'm not too experienced. Thanks.

```php
<?php
$host     = "";   // Host name
$username = "";   // MySQL username
$password = "";   // MySQL password
$db_name  = "";   // Database name
$tbl_name = "l";  // Table name
?>
<?php
if (!isset($_POST['name']) || trim($_POST['name']) == "") {
    echo "please enter a name";
} else if (!isset($_POST['lastname']) || trim($_POST['lastname']) == "") {
    echo "please enter a Last Name";
} else if (!isset($_POST['email']) || trim($_POST['email']) == "") {
    echo "please enter an Email Address";
} else {
    // Connect to server and select database.
    mysql_connect($host, $username, $password) or die("cannot connect");
    mysql_select_db($db_name) or die("cannot select DB");

    // Get values from form (taken as-is; they go straight into the query below)
    $name     = $_POST['name'];
    $lastname = $_POST['lastname'];
    $email    = $_POST['email'];

    // Insert data into MySQL
    $sql = "INSERT INTO $tbl_name(name, lastname, email) VALUES('$name', '$lastname', '$email')";
    $result = mysql_query($sql);

    echo "Thanks $name, your information has been submitted";
}
?>
```
This application may be vulnerable to SQL injections . . . but this is quickly corrected if you just sanitize your user input. Check out the following functions: strip_tags(), htmlspecialchars(), mysql_escape_string(), stripslashes() (Google for more . . . on a side note, the last one is best used for displaying). You may also consider providing more detailed information about MySQL errors. Append 'or die(mysql_error())' (no quotes) to your SQL queries. Hope that helps.
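As an added example (editor's code, not from either poster), here is the same insert rewritten with PDO prepared statements. The query text contains only placeholders and the user values are sent to the server separately, so a quote, comment marker or semicolon in a name or e-mail can never change the statement; that closes the injection regardless of how the input is escaped. The connection values are left as placeholders like the original's, the table name `l` and the column names are taken from the original script, and the error-handling and validation choices are the editor's assumptions. It uses PDO rather than the mysql_* functions because that extension was removed in PHP 7.

```php
<?php
// Added example: the newsletter insert using PDO prepared statements.
// Connection values are placeholders, as in the original script.
$host     = "localhost";
$username = "";
$password = "";
$db_name  = "";
$tbl_name = "l";  // Identifiers cannot be bound as parameters, so this must stay
                  // a fixed constant and never come from user input.

// Read and validate the three fields first; reject bad input rather than "fixing" it.
$name     = trim($_POST['name'] ?? '');
$lastname = trim($_POST['lastname'] ?? '');
$email    = trim($_POST['email'] ?? '');

if ($name === '') {
    exit("please enter a name");
}
if ($lastname === '') {
    exit("please enter a last name");
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    exit("please enter a valid email address");
}

try {
    // ERRMODE_EXCEPTION: failures raise exceptions instead of silently returning false.
    // EMULATE_PREPARES = false: the server binds the values, not the client driver.
    $pdo = new PDO(
        "mysql:host=$host;dbname=$db_name;charset=utf8mb4",
        $username,
        $password,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );

    // The SQL text holds only named placeholders; the values travel separately
    // and are never parsed as SQL, whatever quotes or comment markers they contain.
    $stmt = $pdo->prepare(
        "INSERT INTO $tbl_name (name, lastname, email) VALUES (:name, :lastname, :email)"
    );
    $stmt->execute([
        ':name'     => $name,
        ':lastname' => $lastname,
        ':email'    => $email,
    ]);

    // Escaping for HTML belongs here, on output, not before the INSERT.
    echo "Thanks " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ", your information has been submitted";
} catch (PDOException $e) {
    // Keep the real database error in the server log; the user gets a generic message.
    error_log("newsletter insert failed: " . $e->getMessage());
    exit("sorry, something went wrong, please try again later");
}
?>
```

A quick check: submit a name such as `O'Brien`. The original script builds `VALUES('O'Brien', ...)`, which is a syntax error that mysql_query() reports by returning false, while the prepared statement stores the name literally. Note also that mysql_error() output, as suggested above, is useful while developing but should not be echoed to end users on a live site, since it reveals table and column names; logging it server-side as in the catch block keeps the detail without exposing it.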