Simple 4 field form on public facing website

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

steppinthrax
Forum Newbie
Posts: 4
Joined: Thu Mar 11, 2010 3:02 pm

Simple 4 field form on public facing website

Post by steppinthrax »

Are there any special considerations I need to take for a very simple 4 field form that captures Name, Email, Message Area (400 chars)? When a user hits submit it sends the data to a table in a database. This data is filtered using htmlspecialchars() and mysqli_real_escape_string().

Thank You
freelance84
Forum Newbie
Posts: 8
Joined: Thu Apr 29, 2010 6:32 pm

Re: Simple 4 field form on public facing website

Post by freelance84 »

This is another pretty secure way of taking user input to a MySQL table I recently learnt:

Code:

<?php
// Connection details ($db_hostname, $db_username, $db_password, $db_database)
// are kept in a separate file outside the web root.
require 'login.php';

$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($db_database)
   or die("Unable to select database: " . mysql_error());

// Server-side prepared statement: the SQL text is fixed here, the values come later.
$query = 'PREPARE statement FROM "INSERT INTO classics
   VALUES(?,?,?,?,?)"';
mysql_query($query) or die("PREPARE failed: " . mysql_error());

// The values are assigned to MySQL session variables. They are literals here;
// anything taken from user input would be interpolated into this SQL string
// and therefore still needs escaping.
$query = 'SET @author = "Emily Brontë",' .
       '@title = "Wuthering Heights",' .
       '@category = "Classic Fiction",' .
       '@year = "1847",' .
       '@isbn = "9780553212587"';
mysql_query($query) or die("SET failed: " . mysql_error());

// Run the prepared INSERT with the session variables as its parameters.
$query = 'EXECUTE statement USING @author,@title,@category,@year,@isbn';
mysql_query($query) or die("EXECUTE failed: " . mysql_error());

// Release the server-side statement.
$query = 'DEALLOCATE PREPARE statement';
mysql_query($query) or die("DEALLOCATE failed: " . mysql_error());
?>
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Simple 4 field form on public facing website

Post by kaisellgren »

It is not necessary to run htmlspecialchars() when inserting data into the database. You just need to take care of escaping. It would be better if you used prepared statements instead of escaping.

@freelance84, you still need to escape those values that go to the SET clause.
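Putting kaisellgren's two points together for the original 4 field form (bind the values with a mysqli prepared statement instead of escaping; keep htmlspecialchars() for output), as an added example that is not code from either poster. The connection details, the `messages` table (id, name, email, message) and the sample input are assumptions.

```php
<?php
// Added example, not from the thread. Assumed table:
//   messages (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(100),
//             email VARCHAR(254), message VARCHAR(400))
// Connection details below are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$db = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
$db->set_charset('utf8mb4'); // client charset must match what the server sees

// Constructed sample input standing in for $_POST; the quote and the tag are
// exactly the characters escaping and encoding are meant to handle.
$post = [
    'name'    => "O'Brien",
    'email'   => 'obrien@example.com',
    'message' => "Hello <b>there</b>, it's me",
];

// Validate before storing: length limits matching the columns, email syntax.
$name    = trim($post['name']);
$email   = trim($post['email']);
$message = trim($post['message']);

if ($name === '' || mb_strlen($name) > 100) {
    exit('Invalid name');
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    exit('Invalid email');
}
if (mb_strlen($message) > 400) {
    exit('Message too long');
}

// Store the raw text. Bound parameters travel separately from the SQL, so the
// quote in $name cannot change the statement; no mysqli_real_escape_string().
$stmt = $db->prepare('INSERT INTO messages (name, email, message) VALUES (?, ?, ?)');
$stmt->bind_param('sss', $name, $email, $message);
$stmt->execute();
$stmt->close();

// Encode only at output time, for the HTML context the value lands in.
$res = $db->query('SELECT name, message FROM messages ORDER BY id DESC LIMIT 1');
$row = $res->fetch_assoc();
echo '<p>', htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ' wrote: ',
     htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8'), "</p>\n";
```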