Are there any special considerations I need to take for a very simple 4 field form that captures Name, Email, Message Area (400 chars)? When a user hits submit it sends the data to a table in a database. This data is filtered using htmlspecialchars() and mysqli_real_escape_string().
Thank You
Simple 4 field form on public facing website
steppinthrax
- Forum Newbie
- Posts: 4
- Joined: Thu Mar 11, 2010 3:02 pm
freelance84
- Forum Newbie
- Posts: 8
- Joined: Thu Apr 29, 2010 6:32 pm
Re: Simple 4 field form on public facing website
This is another pretty secure way of taking user input to a MySQL table I recently learnt:
<?php
require 'login.php';   // defines $db_hostname, $db_username, $db_password, $db_database
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($db_database)
    or die("Unable to select database: " . mysql_error());

// Server-side prepared statement with five positional placeholders
$query = 'PREPARE statement FROM "INSERT INTO classics
VALUES(?,?,?,?,?)"';
mysql_query($query);

// The values are passed through MySQL user variables; note that they are
// written here as string literals inside the SQL text of the SET statement
$query = 'SET @author = "Emily Brontë",' .
    '@title = "Wuthering Heights",' .
    '@category = "Classic Fiction",' .
    '@year = "1847",' .
    '@isbn = "9780553212587"';
mysql_query($query);

// Run the prepared INSERT with the user variables as its parameters
$query = 'EXECUTE statement USING @author,@title,@category,@year,@isbn';
mysql_query($query);

// Release the server-side prepared statement
$query = 'DEALLOCATE PREPARE statement';
mysql_query($query);
?>
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Simple 4 field form on public facing website
It is not necessary to run htmlspecialchars() when inserting data into the database. You just need to take care of escaping. It would be better if you used prepared statements instead of escaping.
@freelance84, you still need to escape those values that go to the SET clause.
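The approach kaisellgren recommends for the original 4 field form, as an added example that is not part of any post in this thread: a client-side mysqli prepared statement, where the values never enter the SQL text (so neither mysql_real_escape_string() nor a SET clause is involved), and htmlspecialchars() applied only at output time. The table name `messages`, its `id` column and the connection details are assumptions.

```php
<?php
// Added example: storing the Name / Email / Message form with a mysqli
// prepared statement. Assumed schema: messages(id INT AUTO_INCREMENT,
// name VARCHAR(100), email VARCHAR(254), message VARCHAR(400)).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'site');   // assumed credentials
$db->set_charset('utf8mb4');   // keep the connection and escaping rules in one charset

// Enforce the form's own rules (400-char message, well-formed email).
// This is validation, not escaping; escaping is not needed with placeholders.
$name    = trim($_POST['name']    ?? '');
$email   = trim($_POST['email']   ?? '');
$message = trim($_POST['message'] ?? '');
if ($name === '' || mb_strlen($message) > 400
    || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid input');
}

// The values are sent to the server separately from the statement text, so
// quotes, backslashes or NUL bytes in user data cannot change the query.
$stmt = $db->prepare('INSERT INTO messages (name, email, message) VALUES (?, ?, ?)');
$stmt->bind_param('sss', $name, $email, $message);
$stmt->execute();
$stmt->close();

// htmlspecialchars() belongs here, when stored text is rendered as HTML,
// not before the INSERT: the database keeps the raw text, reusable in
// e-mail, JSON or plain-text contexts without double encoding.
$res = $db->query('SELECT name, message FROM messages ORDER BY id DESC LIMIT 5');
while ($row = $res->fetch_assoc()) {
    echo '<p><b>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</b>: '
       . htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8') . '</p>';
}
```

By contrast, the PREPARE / SET / EXECUTE pattern in freelance84's post builds the SET statement as a string, so any user-supplied value placed in it is still part of the SQL text and must be escaped, which is the point kaisellgren raises.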