What else do i need to this form?


6 replies to this topic

#1 krstjern

Posted 18 August 2005 - 08:47 AM

Hya, I'm making a comments system for my news page (for my site) and I have added some security, but I want to know if there's something more I should add?

Here is the code I have for checking at the moment:
// Reject empty or over-long fields before anything else is done with them
// (array keys are quoted; unquoted keys are an error in current PHP)
if($_POST['name']=="") { die("Please insert name."); }
if($_POST['comment']=="") { die("Please insert a comment."); }
if(strlen($_POST['name'])>30) { die("Name is too long."); }
if(strlen($_POST['email'])>45) { die("Email too long."); }
if(strlen($_POST['comment'])>200) { die("Comment is too long."); }
$name=$_POST['name'];
$email=$_POST['email'];
$comment=$_POST['comment'];
$date=date('Y.m.d');
//First layer protection: encode <, >, & and " as HTML entities
$name=htmlspecialchars($name);
$email=htmlspecialchars($email);
$comment=htmlspecialchars($comment);
//Second Layer protection: drop any remaining HTML/PHP tags
$name = strip_tags($name);
$comment = strip_tags($comment);

I heard hackers could use some kind of code to destroy MySQL? How can I prevent that?

Edited by krstjern, 18 August 2005 - 01:35 PM.


#2 rc69

Posted 18 August 2005 - 10:27 AM

Well, what are you going to do with all those variables? Send somebody an e-mail, or insert them into a database of some kind (i.e. MySQL), etc.?

#3 krstjern

Posted 18 August 2005 - 01:36 PM

Well, I said that it was for a comments system; anyway, it's put into a MySQL DB.

#4 Jaymz

Posted 18 August 2005 - 01:38 PM

Use addslashes() on the variables when sticking them in the DB, and stripslashes() when pulling them out :)

#5 Av-

Posted 19 August 2005 - 05:06 AM

What do these strip and add slashes do?

#6 Jaymz

Posted 19 August 2005 - 07:56 AM

What do these strip and add slashes do?

addslashes() turns

"Hello" this "is in quotations"

into

\"Hello\" this \"is in quotations\"

rendering the quotes harmless (helping prevent SQL commands, etc.).

stripslashes() removes them after pulling the text back out so it doesn't look wonky on the page ;)
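As an added example (not code posted in this thread): the checks from post #1 kept as they are, with the INSERT that post #4 and post #6 discuss done through a PDO prepared statement, so the database driver keeps the values separate from the SQL text and no addslashes()/stripslashes() round-trip is needed. The "comments" table layout, the SQLite DSN and the sample input are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread: validation as in post #1,
// storage via a PDO prepared statement instead of addslashes().
// The "comments" table, the DSN and the sample input are assumptions.
declare(strict_types=1);

function validateComment(array $post): array
{
    // Quoted keys and a default of '' so a missing field does not raise a warning.
    $name    = trim((string) ($post['name'] ?? ''));
    $email   = trim((string) ($post['email'] ?? ''));
    $comment = trim((string) ($post['comment'] ?? ''));

    $errors = [];
    if ($name === '')           { $errors[] = 'Please insert name.'; }
    if ($comment === '')        { $errors[] = 'Please insert a comment.'; }
    if (strlen($name) > 30)     { $errors[] = 'Name is too long.'; }     // byte length, as in post #1
    if (strlen($email) > 45)    { $errors[] = 'Email too long.'; }
    if (strlen($comment) > 200) { $errors[] = 'Comment is too long.'; }
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not valid.';
    }

    return ['errors' => $errors, 'name' => $name, 'email' => $email, 'comment' => $comment];
}

function insertComment(PDO $db, string $name, string $email, string $comment): int
{
    // The values travel as bound parameters, separate from the SQL text, so quotes,
    // backslashes or semicolons in the input cannot change what the statement does.
    $stmt = $db->prepare(
        'INSERT INTO comments (name, email, comment, posted_on)
         VALUES (:name, :email, :comment, :posted_on)'
    );
    $stmt->execute([
        ':name'      => $name,
        ':email'     => $email,
        ':comment'   => $comment,
        ':posted_on' => date('Y.m.d'),
    ]);

    return (int) $db->lastInsertId();
}

function fetchComment(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT name, email, comment, posted_on FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);

    return $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
}

function renderComment(array $row): string
{
    // Escape once, at output time, for the HTML context. The stored text is the
    // user's original text, so nothing has to be undone with stripslashes() later.
    return '<p><b>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</b> ('
         . htmlspecialchars($row['posted_on'], ENT_QUOTES, 'UTF-8') . '): '
         . htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Demo against an in-memory SQLite database so the script runs offline;
// for MySQL only the DSN changes, e.g. 'mysql:host=localhost;dbname=news;charset=utf8mb4'.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, email TEXT, comment TEXT, posted_on TEXT)');

// Constructed input containing the characters addslashes() would have escaped.
$input = [
    'name'    => "O'Brien",
    'email'   => 'obrien@example.com',
    'comment' => 'She said "hi"; a back\\slash and it\'s all stored exactly as typed',
];
$v = validateComment($input);
if ($v['errors'] !== []) {
    exit(implode(' ', $v['errors']) . PHP_EOL);
}
$id  = insertComment($db, $v['name'], $v['email'], $v['comment']);
$row = fetchComment($db, $id);
echo renderComment($row), PHP_EOL;   // the text comes back verbatim, escaped only for HTML
```

When the DSN points at MySQL, also pass PDO::ATTR_EMULATE_PREPARES => false in the options so the server itself binds the parameters, and keep the charset in the DSN so the connection and the escaping the driver does agree on the encoding. Escaping for HTML is then done only where the comment is displayed, not before it is stored.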

#7 rc69

Posted 19 August 2005 - 06:50 PM

Note the fact that an answer to this can be found Here also.

In other words, check php.net for answers to what a function does before asking here. Even though Jaymz was right, you can find a little more info at php.net (i.e. what other characters get escaped, plus example code).

Well, I said that it was for a comments system; anyway, it's put into a MySQL DB.

I still asked the question because it could have been an "e-mail me your comments about my site" script, or a simple forum-style comment system; there's no way we could've known without more of the script.



