how to protect php order form


donny
Forum Contributor
Posts: 179
Joined: Mon Aug 11, 2014 11:18 am

Post by donny »

hello,

i made my own order form system.
it has multiple forms adding/changing/deleting data in multiple databases depending on what the user does to his order.
i made it with very little php knowledge.
i don't see it being targeted by "attacks" because it is a small website, but i would like to know if somebody can tell me pretty good ways for someone like me to add protection to my form, like against SQL injections. and since it's a multiple page order form, if anyone can tell me good ways to make sure the user has been to the right pages before they get to a further one.. for example i don't want them to be able to skip over any pages. i am not sure how that would even be possible, but i just want to prevent it so there won't be any database errors from accidents.

thank you.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: how to protect php order form

Post by Celauran »

The easiest way to prevent SQL injection is to use prepared statements. Stay away from mysql_ functions and take the time to learn PDO. It's really not difficult. You can also add a token to your form via some hidden field. Store the token on the server, say in a session, and compare the two values when the form is submitted. That will help protect against XSRF. How to prevent users from skipping steps would really depend on how the form is laid out and what is required where. If there are required fields on each page, I suppose you could check the existence of them in the data stored so far and redirect if anything is missing.
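One way to put those three suggestions into code, as an added example rather than donny's or Celauran's own code; it assumes an `orders` table with `customer_email` and `quantity` columns, and that each step's validated data is kept in `$_SESSION['order']`:

```php
<?php
// Added example, not the forum poster's code. Assumes an "orders" table
// with columns customer_email and quantity; adjust to your schema.
session_start();
// 1. SQL injection: PDO prepared statement; user input is bound, never concatenated.
function saveOrder(PDO $pdo, string $email, int $qty): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO orders (customer_email, quantity) VALUES (:email, :qty)'
    );
    $stmt->execute([':email' => $email, ':qty' => $qty]);
    return (int) $pdo->lastInsertId();
}

// 2. XSRF: token stored in the session and echoed into a hidden form field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $submitted): bool
{
    // hash_equals avoids timing leaks; a missing session or form token never matches.
    return isset($_SESSION['csrf_token'], $submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// 3. Step enforcement: each page has required fields; a later page redirects
//    back to the first earlier step whose data is missing from the session.
const STEP_FIELDS = [1 => ['email'], 2 => ['quantity'], 3 => ['address']];

function firstMissingStep(int $currentStep, array $sessionData): ?int
{
    for ($step = 1; $step < $currentStep; $step++) {
        foreach (STEP_FIELDS[$step] as $field) {
            if (empty($sessionData[$field])) {
                return $step;
            }
        }
    }
    return null;
}
// Usage on step 3's page: check the token first, then the earlier steps.
// if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) { http_response_code(403); exit; }
// if (($s = firstMissingStep(3, $_SESSION['order'] ?? [])) !== null) { header("Location: /order/step$s.php"); exit; }
```

The hidden field is rendered with `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrfToken()) ?>">` on every form page.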