#1, 15th September 13, 04:27 PM
ianhaney
WLC Lover
Join Date: Jun 2012
Posts: 78

need to secure a PHP feedback form

Hi

I need to secure a feedback form that automatically adds testimonials to a webpage.

I need to protect it against SQL injections and attacks etc.

To be honest, I am not 100% on PHP, so I was just seeing if anyone could point me in the right direction on how to do it.

I have the code if anyone needs to see it; I can PM it, etc.

Kind regards

Ian
#2, 16th September 13, 12:50 AM
meesa
WLC Mod
Join Date: Jul 2009
Location: Milky Way Galaxy
Posts: 3,710

Re: need to secure a PHP feedback form

I've always just used mysql_real_escape_string().
__________________
Praise be to the Lord God for the ability to learn, the capability to analyze, and the time to help users on this forum.
#3, 17th September 13, 11:50 AM
LearningCoder
WLC Lover
Join Date: Jan 2011
Location: England
Posts: 115

Re: need to secure a PHP feedback form

Alright Ian, how's it going mate?

In SQL, you can use something called prepared statements.

Here is one I use to simply process a contact form:
Code:
<?php
require("set_vars.php"); // defines $host, $user, $pass and $db

$conn = new mysqli($host, $user, $pass, $db);
// "new mysqli(...) or die()" never fires because the object is always truthy,
// so the connection has to be checked through connect_error instead
if ($conn->connect_error) {
    die("Error creating connection.");
}

// The ? placeholders are sent to the server separately from the SQL text,
// so whatever the user types can never change the shape of the query
$stmt = $conn->prepare("INSERT INTO enquiries (name,email,phone,user_comments,product_name,product_ref,product_comments,service_name,service_comments) VALUES (?,?,?,?,?,?,?,?,?)");
if ($stmt === false) {
    die("Error preparing statement: " . $conn->error);
}
// "sssssssss" = nine string parameters, bound by reference to the POST fields
$stmt->bind_param("sssssssss", $_POST['name'], $_POST['email'], $_POST['phone'], $_POST['user_comments'], $_POST['product_options'], $_POST['product_ref'], $_POST['product_comments'], $_POST['service_options'], $_POST['service_comments']);
$stmt->execute();
$row = $stmt->affected_rows; // 1 on success; store_result() is only needed for SELECTs
$stmt->close();
$conn->close();
?>
There is no need to escape any data whatsoever because of the way prepared statements work. Just make sure that when/if displaying any user input back to the client you use htmlspecialchars(), in case they've attempted to insert some scripting.

Kind regards,

LC.
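As an added example that is not part of the thread, the following script puts the two points from the reply above side by side for the original poster's testimonials case: a query that splices user input into the SQL text and is injectable, the same query as a prepared statement, and output encoding with htmlspecialchars() when a stored testimonial is rendered. It uses PDO with an in-memory SQLite database so it runs offline without a MySQL server; for MySQL only the DSN passed to the PDO constructor changes. The table name, column names, sample rows and attacker inputs are all constructed for the example and are not from the original post.

```php
<?php
// Added example, not code from the thread. Schema and inputs below are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE testimonials (id INTEGER PRIMARY KEY, author TEXT, body TEXT, approved INTEGER)");
// Constructed sample data: one approved testimonial and one unreviewed draft that must not be shown
$db->exec("INSERT INTO testimonials (author, body, approved) VALUES ('alice', 'Great service', 1), ('bob', 'Unreviewed draft', 0)");

// VULNERABLE: the author name is concatenated into the SQL text, so a quote in the
// input ends the string literal and the rest of the input is parsed as SQL.
function find_approved_vulnerable(PDO $db, $author) {
    $sql = "SELECT author, body FROM testimonials WHERE approved = 1 AND author = '$author'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the author name is a bound parameter. The SQL is parsed first, the value is
// supplied afterwards, so it is only ever compared, never interpreted.
function find_approved_safe(PDO $db, $author) {
    $stmt = $db->prepare("SELECT author, body FROM testimonials WHERE approved = 1 AND author = :author");
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Storing a submitted testimonial the same way; nothing is escaped by hand.
// New entries start unapproved, which is what the approved flag above is for.
function add_testimonial(PDO $db, $author, $body) {
    $stmt = $db->prepare("INSERT INTO testimonials (author, body, approved) VALUES (:author, :body, 0)");
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Output side: prepared statements stop SQL injection but do nothing about HTML.
// Encode every value at the point it is placed into the page, with the charset stated.
function render_testimonial(array $row) {
    return '<blockquote>' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8')
         . ' <cite>' . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8') . '</cite></blockquote>';
}

// Constructed attacker input: closes the quoted string and appends OR '1'='1',
// which makes the WHERE clause true for every row, approved or not.
$payload = "x' OR '1'='1";
echo "vulnerable query returns " . count(find_approved_vulnerable($db, $payload)) . " row(s)\n"; // both rows, the draft leaks
echo "prepared query returns "   . count(find_approved_safe($db, $payload))       . " row(s)\n"; // none, no author has that literal name

// Constructed stored-XSS attempt: the script tag is stored verbatim (which is correct,
// the database is not where encoding belongs) and neutralised when rendered.
add_testimonial($db, "mallory", "<script>alert(1)</script> nice work");
$stmt = $db->prepare("SELECT author, body FROM testimonials WHERE author = :author");
$stmt->execute([':author' => 'mallory']);
foreach ($stmt as $row) {
    echo render_testimonial($row), "\n";
}
```

Two details worth keeping in mind when adapting this to the original poster's MySQL setup: the MySQL PDO driver emulates prepared statements by default, and setting PDO::ATTR_EMULATE_PREPARES to false makes it use real server-side prepares; and a value that ends up in an HTML attribute or inside JavaScript needs encoding appropriate to that context, not just htmlspecialchars() for element text.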
Copyright © 2006 WeLoveCSS.com. All Rights Reserved.
Powered by vBulletin Version 3.8.4 Copyright © 2000 - 2017, Jelsoft Enterprises Ltd.