Is my security ok?

Post by SarahPie » Fri Sep 23, 2011 6:06 am

Hi everyone.
My name is Sarah. This is my first post; I hope you don't think that I am a total idiot, but I am quite new to PHP and I am learning it in school.

I was wondering if someone could please give me a bit of advice about security. I have a simple form script that submits stuff to a database, and I just want to make sure that it's protected and no one can do any damage.

I have read a lot about security, but I am not sure if I am doing it right, so could someone please let me know if I have made any mistakes?

Basically here is my code, for a simple form, where people type in their email address and a funny joke, and the joke and the email address goes to the database.

Please note, I am NOT validating the email address here, because it doesn't matter if a person puts in a real email address or a fake one.

What I need to know is: will this code stop any nasty stuff, or is there more I need to do?

Code:
function check_input($data)
{
    // remove leading and trailing whitespace
    $data = trim($data);

    // remove backslashes from the string
    $data = stripslashes($data);

    // convert HTML special characters (including both quote types) to entities
    $data = htmlspecialchars($data, ENT_QUOTES);

    return $data;
}

// escape the raw POST values for use inside a MySQL string literal
$email = mysql_real_escape_string($_POST['email']);
$joke = mysql_real_escape_string($_POST['joke']);

// then run the escaped values through the function above
$email = check_input($email);
$joke = check_input($joke);

$sql = "INSERT INTO vote_messages (email, msg) VALUES ('$email','$joke')";


Thank you so much to anyone who can advise a newbie.
Sarah
SarahPie
New php-forum User
Posts: 1
Joined: Fri Sep 23, 2011 4:09 am

Re: Is my security ok?

Post by Nullsig » Mon Sep 26, 2011 9:50 am

No, it won't.

You have the right idea, but you call mysql_real_escape_string and then strip out all the slashes it just added.

You should remove the call to stripslashes. That will get you exactly where you want to go.

You also don't technically need the htmlspecialchars call, but that's more of a personal preference.
Nullsig
php-forum Fan User
Posts: 981
Joined: Thu Feb 17, 2011 6:52 am
Location: Racine, WI

Re: Is my security ok?

Post by egami » Mon Sep 26, 2011 10:03 am

This right here should do the trick for you.

Code:
$variable = trim(strip_tags(mysql_real_escape_string($_POST['variable'])));

egami
php-forum GURU
Posts: 2197
Joined: Wed Oct 06, 2010 11:19 am
Location: Happy Valley, UT
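An added example, not code from the thread, that puts Nullsig's point into a runnable script (stripslashes() undoes the escaping that was just applied) and then shows the prepared-statement approach that makes the whole escape/strip dance unnecessary, which neither reply mentions. It assumes addslashes() as an offline stand-in for mysql_real_escape_string() and an in-memory SQLite table in place of the poster's MySQL vote_messages table; the email address and joke are constructed sample input.

```php
<?php
// Added example, not code from the thread. addslashes() stands in for
// mysql_real_escape_string() so this runs without a MySQL server, and an
// in-memory SQLite database stands in for the poster's MySQL vote_messages table.

// Point 1 (Nullsig's reply): stripslashes() cancels the escaping that was just
// applied, so quote characters reach the SQL string exactly as the user typed them.
function escape_then_strip(string $input): string
{
    $escaped = addslashes($input);   // "O'Reilly" becomes "O\'Reilly"
    return stripslashes($escaped);   // ...and back to "O'Reilly": no protection left
}

// Point 2: a prepared statement sends the SQL text and the data separately, so the
// data needs no escaping at all and there is nothing to strip out afterwards.
function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE vote_messages (email TEXT, msg TEXT)');
    return $db;
}

function save_joke(PDO $db, string $email, string $joke): void
{
    $stmt = $db->prepare('INSERT INTO vote_messages (email, msg) VALUES (:email, :msg)');
    $stmt->execute([':email' => trim($email), ':msg' => trim($joke)]);
}

// Point 3: HTML-escape when the value is printed into a page, not when it is stored,
// so the database keeps the real text and other consumers are not handed entities.
function render_joke(string $joke): string
{
    return htmlspecialchars($joke, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input containing the quote characters that matter here.
$joke = "Why did the chicken cross the road? O'Reilly's book didn't say.";

var_dump(escape_then_strip($joke) === $joke);   // bool(true): the escaping was undone

$db = open_db();
save_joke($db, 'sarah@example.invalid', $joke);   // constructed address
$row = $db->query('SELECT email, msg FROM vote_messages')->fetch(PDO::FETCH_ASSOC);
var_dump($row['msg'] === $joke);                  // bool(true): stored unchanged

echo render_joke($row['msg']), "\n";   // single quotes come out as &#039; in the HTML
```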


Return to PHP & MySQL Security

Who is online

Users browsing this forum: No registered users and 0 guests

Sponsored by Sitebuilder Web hosting and Traduzioni Italiano Rumeno and antispam for cPanel.