Simple 4 field form on public facing website
Posted: Thu Apr 29, 2010 6:07 pm
by steppinthrax
Are there any special considerations I need to take for a very simple 4-field form that captures Name, Email, and a Message Area (400 chars)? When a user hits submit it sends the data to a table in a database. This data is filtered using htmlspecialchars() and mysqli_real_escape_string().
Thank You
Re: Simple 4 field form on public facing website
Posted: Thu Apr 29, 2010 6:56 pm
by freelance84
This is another pretty secure way of taking user input to a MySQL table I recently learnt:
<?php
// Uses the old ext/mysql API (mysql_connect/mysql_query); login.php is
// expected to define $db_hostname, $db_username, $db_password, $db_database.
require 'login.php';
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($db_database)
or die("Unable to select database: " . mysql_error());

// Server-side prepared statement: the INSERT is parsed once with ? placeholders.
$query = 'PREPARE statement FROM "INSERT INTO classics
VALUES(?,?,?,?,?)"';
mysql_query($query) or die("PREPARE failed: " . mysql_error());

// The parameter values are placed into the SET statement as quoted string
// literals, i.e. they are part of the SQL text sent to the server.
$query = 'SET @author = "Emily Brontë",' .
'@title = "Wuthering Heights",' .
'@category = "Classic Fiction",' .
'@year = "1847",' .
'@isbn = "9780553212587"';
mysql_query($query) or die("SET failed: " . mysql_error());

// Run the prepared INSERT with the user variables bound to the placeholders.
$query = 'EXECUTE statement USING @author,@title,@category,@year,@isbn';
mysql_query($query) or die("EXECUTE failed: " . mysql_error());

// Free the server-side statement handle.
$query = 'DEALLOCATE PREPARE statement';
mysql_query($query) or die("DEALLOCATE failed: " . mysql_error());
?>
Re: Simple 4 field form on public facing website
Posted: Sun May 09, 2010 2:49 am
by kaisellgren
It is not necessary to run htmlspecialchars() when inserting data into the database. You just need to take care of escaping. It would be better if you used prepared statements instead of escaping.
@freelance84, you still need to escape those values that go to the SET clause.
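The two points made in this thread, that values spliced into a SET statement still need escaping while bound parameters do not, and that htmlspecialchars() belongs at output time rather than at insert time, put together as an added example for the original 4-field form. This is not code from any of the posters. The table name `messages`, its columns, the hostile sample input and the connection details are assumptions made for the demonstration; the first and third parts run without a database, the insert only runs if a MySQL server is reachable.

```php
<?php
// Added example, not from the original thread. Assumes a table created as:
//   CREATE TABLE messages (id INT AUTO_INCREMENT PRIMARY KEY,
//     name VARCHAR(100), email VARCHAR(254), message VARCHAR(400));
// Table and column names, the hostile input and the credentials are assumptions.

// 1. Why the 'SET @var = "..."' approach still needs escaping: the value is
//    pasted into SQL text, so a quote in the input changes the statement.
function buildSetQueryUnsafely(string $name, string $email, string $message): string
{
    // Mirrors the concatenation pattern from the earlier post. Do not use this.
    return 'SET @name = "' . $name . '",' .
           '@email = "' . $email . '",' .
           '@message = "' . $message . '"';
}

// Constructed hostile message (assumption for the demo): the double quote closes
// the literal, the rest reassigns @email, and '#' comments out the trailing quote.
$hostile = 'hi", @email = "attacker@example.com" #';
echo buildSetQueryUnsafely('Alice', 'alice@example.com', $hostile), "\n";
// Produces: SET @name = "Alice",@email = "alice@example.com",@message = "hi", @email = "attacker@example.com" #"

// 2. Client-side prepared statement with mysqli: bound values never become part
//    of the SQL text, so no escaping call is needed and no quote can break out.
function insertMessage(mysqli $db, string $name, string $email, string $message): int
{
    // Length and format checks are the form's own rules, enforced before storage.
    if (mb_strlen($message) > 400) {
        throw new InvalidArgumentException('message longer than 400 characters');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }

    $stmt = $db->prepare('INSERT INTO messages (name, email, message) VALUES (?, ?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('sss', $name, $email, $message); // one 's' (string) per placeholder
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// 3. htmlspecialchars() is an output encoder: apply it when the stored text is
//    written into an HTML page, not when it is written to the database.
function renderMessage(string $name, string $message): string
{
    $n = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $m = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p><strong>$n</strong>: $m</p>";
}

echo renderMessage('Alice', '<script>alert(1)</script>'), "\n";
// Produces: <p><strong>Alice</strong>: &lt;script&gt;alert(1)&lt;/script&gt;</p>

// Placeholder credentials. Newer PHP (8.1+) throws mysqli_sql_exception on a
// failed connect; older versions set connect_errno, so both cases are handled.
try {
    $db = @new mysqli('localhost', 'formuser', 'secret', 'formdb');
} catch (mysqli_sql_exception $e) {
    $db = null;
}
if ($db !== null && $db->connect_errno === 0) {
    $db->set_charset('utf8mb4'); // keeps connection charset and data consistent
    // The hostile string is stored verbatim as data; it cannot alter the INSERT.
    $id = insertMessage($db, 'Alice', 'alice@example.com', $hostile);
    echo "inserted row $id\n";
    $db->close();
}
```

Running this without a database prints the injected SET statement and the encoded HTML, which is enough to see both points; with a server the same hostile string lands in the `message` column unchanged. Note that escaping with mysqli_real_escape_string() is only correct when the connection charset is set through the API (set_charset), which is one more thing binding parameters removes from the picture.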