
same php feedback form

Posted: Tue Jun 16, 2009 6:09 pm
by pearjam
So I've gotten this far... lol

I'm currently trying to add form protection to the code, but I'm having a hard time fitting the examples I'm finding on the web into it.

I'm also finding out that it's a poor way to set it up. I'm aiming to be minimal and streamlined or optimized.

So I'm open to suggestions on both!

(ps: If you just post "call a table=/page" or whatever, I'm not going to know what you mean.)



Here is the processing on the "thank you" page:

Code:

<?php
$connect = mysql_connect("localhost","root","xxxxxx") or die(mysql_error());
mysql_select_db("feedback") or die(mysql_error());
// Escapes quotes inside string values only; it does nothing for a table name placed between backticks,
// and it breaks (returns an array of nulls) if any POST value is itself an array.
$_POST = array_map('mysql_real_escape_string', $_POST);
$time = date("[d My]");
// The table name comes from the request, so this line trusts the client to pick where rows go.
$sql = "INSERT INTO `{$_POST['table']}` (time, site, name, comment) VALUES('$time', '{$_POST['site']}', '{$_POST['name']}', '{$_POST['comment']}')";
mysql_query($sql) or die("did not update"); // the message must be a quoted string
// HTTP_REFERER is optional and set by the client; it may be missing or point elsewhere.
$ref = $_SERVER['HTTP_REFERER'];
header('refresh: 1; url=' . $ref);
mysql_close($connect);
?>

Here is the form page that submits it, and displays it:

Code:

<?php
$connect = mysql_connect("localhost","root","xxxxxxxxx") or die(mysql_error());
mysql_select_db("feedback") or die(mysql_error());
$result = mysql_query("SELECT * FROM main") or die(mysql_error());
while($row = mysql_fetch_array($result))
  {
  // Escape on output: the stored fields are user text and must not be echoed as raw HTML.
  echo htmlspecialchars($row['time']) . "&nbsp;" . htmlspecialchars($row['name']) . "&nbsp;" . htmlspecialchars($row['site']) . "<br /><i>" . htmlspecialchars($row['comment']) . "</i><br /><br />";
  }
mysql_close($connect);
?>
<form action="process.php" method="post">
<!-- assumed: process.php reads the target table from a "table" field, which the form as posted did not send -->
<input type="hidden" name="table" value="main" />
<input type="text" name="name" size="20" value="your name" style="border:0px;color:#A0A0A0;font-size:11px;" onFocus="this.value=''" /><br /><br />
<input type="text" name="site" size="20" value="your website" style="border:0px;color:#A0A0A0;font-size:11px;" onFocus="this.value=''" /><br /><br />
<textarea name="comment" rows="12" cols="19" style="border:0px;color:#A0A0A0;font-size:11px;" onFocus="this.value=''">your feedback</textarea><br />
<div align="right"><input type="submit" value="" /></div><!--end right-->
</form>

So - how can I add stuff like strip_tags() etc, and how can it be better optimized?
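One way to answer both questions for the two pages above, as an added example that is not the poster's code: the processing side only accepts a table name from a fixed list and binds the field values through a PDO prepared statement, and the display side escapes every field on output. It assumes PHP 5.3+ with PDO_MYSQL, the `feedback` database and `main` table (time, site, name, comment) from the post, and a placeholder account name and password.

```php
<?php
// Added example, not the poster's code. Assumes PHP 5.3+ with PDO_MYSQL, the
// `feedback` database and a `main` table (time, site, name, comment) from the
// post; the account name and password are placeholders.

// Request text picks a table only by key from this list, never as raw SQL.
$allowedTables = array('main' => 'main');

function connectDb() {
    // A dedicated account with INSERT/SELECT on feedback.* instead of root.
    $pdo = new PDO('mysql:host=localhost;dbname=feedback;charset=utf8',
                   'feedback_user', 'xxxxxx');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// process.php side: whitelist the table, bound the fields, bind the values.
function saveFeedback(PDO $pdo, array $post, array $allowedTables) {
    if (!isset($post['table']) || !is_string($post['table'])
        || !isset($allowedTables[$post['table']])) {
        return false;                       // unknown table: reject, don't guess
    }
    $table = $allowedTables[$post['table']];
    $post += array('name' => '', 'site' => '', 'comment' => '');
    foreach (array('name', 'site', 'comment') as $f) {
        if (!is_string($post[$f])) {        // arrays (name[]=...) are not text
            return false;
        }
    }
    $name    = substr(trim($post['name']), 0, 60);
    $site    = substr(trim($post['site']), 0, 120);
    $comment = substr(trim($post['comment']), 0, 2000);
    if ($name === '' || $comment === '') {
        return false;
    }
    // Placeholders: quotes in the input can no longer end the string literal.
    $stmt = $pdo->prepare("INSERT INTO `$table` (time, site, name, comment)"
                        . " VALUES (?, ?, ?, ?)");
    return $stmt->execute(array(date('[d My]'), $site, $name, $comment));
}

// Display side: escape on output, so stored text is shown, never interpreted.
function e($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
function renderFeedback(PDO $pdo) {
    foreach ($pdo->query('SELECT time, site, name, comment FROM main') as $row) {
        echo e($row['time']) . '&nbsp;' . e($row['name']) . '&nbsp;' . e($row['site'])
           . '<br /><i>' . e($row['comment']) . '</i><br /><br />';
    }
}
```

process.php would call saveFeedback(connectDb(), $_POST, $allowedTables) and then redirect to a fixed page rather than the Referer; the form page calls renderFeedback and sends `table=main` in a hidden field, which is now only a lookup key.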

Re: same php feedback form

Posted: Tue Jun 16, 2009 9:09 pm
by yacahuma
Have you tried reading this?
http://phpsec.org/projects/guide/2.html