Securing a form field
Posted: Sun Aug 10, 2008 4:29 am
Hi,
I’m querying a database from a form field containing a user-submitted numeric value to see if this number exists. If it does then let the user know it’s valid and if not then tell same.
My question is what sort of security should I use? I’m somewhat new still to PHP but wanted to build this script myself. So far my form simply uses this field to input the data.
Code:
<input type="text" name="v_number_1" value="<?php if (isset($_POST['v_number_1'])) echo $_POST['v_number_1'];?>" size="32">
And I’m querying the database using this:
Code:
if (isset($_POST['v_number_1'])){
    ($voucher_1 = $_POST['v_number_1']);
    mysql_select_db($database_*****, $***);
    $query_GetVouchers1 = "SELECT * FROM vouchers WHERE v_number = '$voucher_1'";
    $GetVouchers1 = mysql_query($query_GetVouchers1, $***) or die(mysql_error());
    $row_GetVouchers1 = mysql_fetch_assoc($GetVouchers1);
    $totalRows_GetVouchers1 = mysql_num_rows($GetVouchers1);
}
So to secure this I’m using trim and strip_tags and was wondering what else I should use? I’ve read about Magic Quotes in the manual (difficult for a beginner) and was planning on adding these too, however there is a little conflict about PHP 6 discouraging their use. I know that PHP 5 etc. will be around for some time but would welcome views/help on how to add magic quotes to the above.
Any pointers as to what I should use overall to secure this would be great.
Thanks
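
An added example, not part of the original post: one way to handle the voucher lookup with a digits-only allow-list, a parameterized query, and HTML escaping when the value is echoed back into the form. It assumes PDO with an in-memory SQLite table standing in for the poster's MySQL `vouchers` table; the function name `voucherExists()`, the 12-digit limit and all sample values are constructed for illustration.

```php
<?php
// Added example: a constructed in-memory SQLite table stands in for the
// poster's MySQL "vouchers" table so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE vouchers (v_number TEXT PRIMARY KEY)');
$pdo->exec("INSERT INTO vouchers (v_number) VALUES ('100234'), ('100235')");

/**
 * Returns true/false for a well-formed voucher number, null when the input
 * is rejected. The name and the 1-12 digit limit are assumptions.
 */
function voucherExists(PDO $pdo, $raw): ?bool
{
    if (!is_string($raw)) {
        return null;             // e.g. v_number_1[]=x arrives as an array
    }
    $value = trim($raw);
    // Allow-list: digits only. Anything else never reaches the database.
    if (!preg_match('/\A[0-9]{1,12}\z/', $value)) {
        return null;
    }
    // The placeholder keeps the value out of the SQL text entirely, so no
    // quoting scheme (magic quotes included) is needed.
    $stmt = $pdo->prepare('SELECT 1 FROM vouchers WHERE v_number = ? LIMIT 1');
    $stmt->execute([$value]);
    return $stmt->fetchColumn() !== false;
}

// Constructed sample submissions.
$samples = ['100234', ' 100235 ', '999999', "1' OR '1'='1", '<b>12</b>', ['x']];
foreach ($samples as $input) {
    $result = voucherExists($pdo, $input);
    $label  = $result === null ? 'rejected' : ($result ? 'valid' : 'not found');
    echo json_encode($input), ' => ', $label, PHP_EOL;
}

// Re-displaying the submitted value in the form: escape it for the HTML
// attribute context instead of echoing $_POST directly.
$submitted = '"><script>alert(1)</script>';   // constructed input
$safe = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');
echo '<input type="text" name="v_number_1" value="', $safe, '" size="32">', PHP_EOL;
```

The same `prepare()`/`execute()` calls work unchanged with a PDO MySQL connection; only the DSN passed to `new PDO(...)` differs.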