
PHP forms and MySQL databases

Posted: Thu Jun 08, 2006 4:29 pm
by JWFTrigger
Hello,
A while back, I had created various site-management scripts that at their simplest let an administrator post and edit news, and at their most complicated let users, all with individual usernames and passwords, edit their profiles and send messages. Well, soon enough, I noticed that in all the sites I had like this, PHPMyAdmin would fill up with random databases. None of them had any tables, but it was disturbing nonetheless. Eventually, one of the sites running a script was contacted by our host, who said that spammers were exploiting the scripts on the site. I assume that all this was due to security flaws exposed through my ignorance in coding, but I'd love to figure out exactly what I was doing wrong so that I can go on coding.
Thanks for your help!

Posted: Thu Jun 08, 2006 4:51 pm
by daedalus__
mysql_real_escape_string()

I don't want to be rude, but RTFM, man.

Posted: Thu Jun 08, 2006 4:58 pm
by JWFTrigger
Like I said, I'm ignorant (I had to look up RTFM on Google :D )

Anyway, thanks for your help... I'm still a little confused on where to use that particular function. Do I need to use it for every variable being submitted/edited? Would it be possible to show me an example using the script I posted?

Posted: Thu Jun 08, 2006 7:03 pm
by daedalus__
Escape all variables where the data can come from the user.

Example: http://www.php.net/mysql_real_escape_string
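The following is an added example, not code from the thread or from the PHP manual, showing what "escape all variables where the data can come from the user" looks like in practice, and where escaping stops helping. It is written against mysqli, since the ext/mysql extension behind the thread's mysql_real_escape_string was removed in PHP 7; the function names (vulnerableLookup, escapedLookup, lookupById, preparedLookup), the users(id, username) table and the PLACEHOLDER_* credentials are all assumptions to replace with your own.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table
//   users(id INT, username VARCHAR(64))
// and the placeholder credentials below; both are assumptions to replace.
declare(strict_types=1);

// 1. The pattern behind the thread's problem: form input pasted straight into SQL.
//    A legitimate username such as O'Brien already breaks the statement, because the
//    apostrophe closes the string literal early; any quote in the input rewrites the
//    query instead of being matched as data.
function vulnerableLookup(string $username): string
{
    return "SELECT id FROM users WHERE username = '" . $username . "'";
}

// 2. The fix daedalus__ points at: escape every value that can come from the user
//    before it is placed inside a quoted SQL string literal. mysqli_real_escape_string
//    is the current name for the thread's mysql_real_escape_string. The connection
//    argument matters: the escaper must know the connection's character set to
//    escape correctly, which is why this cannot be done without a live connection.
function escapedLookup(mysqli $db, string $username): string
{
    $safe = mysqli_real_escape_string($db, $username);
    return "SELECT id FROM users WHERE username = '" . $safe . "'";
}

// Escaping only protects values that sit inside quotes. A number placed unquoted
// ("WHERE id = $id") has to be cast instead; escaping changes nothing there.
function lookupById(string $rawId): string
{
    $id = (int) $rawId;   // "7abc" becomes 7, "abc" becomes 0
    return "SELECT username FROM users WHERE id = " . $id;
}

// 3. Parameterised query: the value never becomes part of the SQL text, so there
//    is nothing to escape. Prefer this over manual escaping wherever the driver allows.
function preparedLookup(mysqli $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

// Constructed form input: a name with an apostrophe, exactly what the vulnerable
// version cannot cope with.
$input = "O'Brien";

echo "Vulnerable: ", vulnerableLookup($input), "\n";   // literal is cut at the apostrophe
echo "By id:      ", lookupById('7abc'), "\n";         // cast keeps only the number

// The remaining two need a live connection, because correct escaping depends on
// the connection's character set.
mysqli_report(MYSQLI_REPORT_OFF);
$db = @mysqli_connect('localhost', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS', 'PLACEHOLDER_DB');
if ($db === false) {
    fwrite(STDERR, "No database connection: replace the placeholder credentials.\n");
    exit(1);
}
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // later failures throw
mysqli_set_charset($db, 'utf8mb4');

echo "Escaped:    ", escapedLookup($db, $input), "\n";  // apostrophe now backslash-escaped
var_dump(preparedLookup($db, $input));                   // id of O'Brien, or NULL if absent
```

Run it with `php example.php` after filling in the credentials; the first two lines print without a database. The rule of thumb it demonstrates: escaping is the right tool only for a value dropped inside a quoted literal, numbers in unquoted positions are cast, and a prepared statement with `?` placeholders covers both cases without any per-variable work, which is what makes it the easier habit to keep.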

Posted: Thu Jun 08, 2006 8:12 pm
by MrPotatoes
oh smurf i'm in someone's signature. sweet

*nevermind me*

Posted: Fri Jun 09, 2006 11:14 am
by daedalus__
smurfs, and that quote, are smurftastic.

Posted: Sat Jun 10, 2006 9:18 pm
by bdlang
JWFTrigger wrote: Like I said, I'm ignorant (I had to look up RTFM on Google :D )
Holy S**t that's funny. Not that I think you're ignorant nor am I laughing at you, that's just the most perfect thing I've read in a while.

Anyway, thanks for your help... I'm still a little confused on where to use that particular function. Do I need to use it for every variable being submitted/edited? Would it be possible to show me an example using the script I posted?
As others have mentioned, the examples can be found in the PHP manual. I literally read the PHP manual on a daily basis, looking up functions or PHP internal info, and I've been coding PHP for 5 years give or take. RTFM indeed. ;)