Posted by Rik on 08/05/07 03:07
On Sun, 05 Aug 2007 05:01:54 +0200, zach <wackzingo@gmail.com> wrote:
> I created a comment form which inserts the comments into a database
> and displays them immediately. I want to make sure that it's safe from
> users inserting unwanted data into the database or executing queries.
>
> Here's my php code, is this done right? Is there anything else I should
> do to make it more secure?
>
>
>
> $handle = mysql_connect($host,$user,$password) or die ('Sorry, looks
> like an error occurred.');
>
> $sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL,
> '$comment', '$name', '$key')";
>
> mysql_real_escape_string($sql);
You've got the point backwards....
$sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL, '";
$sql .= mysql_real_escape_string($comment);
$sql .= "', '";
$sql .= mysql_real_escape_string($name);
$sql .= "', '";
$sql .= mysql_real_escape_string($key);
$sql .= "')";
Else, the 'delimiters' (the quotes) for your string will have been escaped
too.
Where do $comment, $name & $key come from BTW? I hope you're not relying on
register_globals.....
> mysql_select_db($database);
>
> mysql_query($sql);
>
> mysql_close($handle);
Is normally done automatically at the end of the request, but as long as
you're finished with the database for the request a good thing to do.
--
Rik Wasmus
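As an added illustration of Rik's point (not code from either poster), the script below builds the query both ways and adds the prepared-statement form that replaces manual escaping. Because mysql_real_escape_string() needs a live connection, it uses a local stand-in that escapes the same characters; the `comments` table layout is taken from the post.

```php
<?php
// Added example, not from the thread. escapeValue() is an offline stand-in
// for mysql_real_escape_string(): it escapes the same characters so the
// difference between the two query-building orders can be seen without a DB.

function escapeValue(string $v): string {
    // NUL, newline, carriage return, backslash, both quote kinds and ^Z
    return strtr($v, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\\" => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

// The original poster's order: interpolate first, escape the finished query.
// The delimiting quotes get escaped along with everything else, so the SQL
// is no longer well formed and the values were never protected on their own.
function buildQueryWrong(string $comment, string $name, string $key): string {
    $sql = "INSERT INTO comments (id, comment, name, quotekey) "
         . "VALUES (NULL, '$comment', '$name', '$key')";
    return escapeValue($sql);
}

// Rik's order: escape each value, then place it between the delimiters.
function buildQueryRight(string $comment, string $name, string $key): string {
    return "INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL, '"
         . escapeValue($comment) . "', '"
         . escapeValue($name) . "', '"
         . escapeValue($key) . "')";
}

// The approach used today: a prepared statement. Values are sent separately
// from the SQL text, so no escaping of the query string is needed at all.
function insertCommentPrepared(PDO $db, string $comment, string $name, string $key): bool {
    $stmt = $db->prepare(
        'INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL, ?, ?, ?)'
    );
    return $stmt->execute([$comment, $name, $key]);
}

// Constructed sample input: a comment that contains an apostrophe.
$comment = "It's great";
echo buildQueryWrong($comment, 'zach', 'k1'), "\n";
echo buildQueryRight($comment, 'zach', 'k1'), "\n";
```

Run it with `php` and compare the two lines: the first has every quote in the statement escaped, including the ones that delimit the values, while the second escapes only the apostrophe inside the comment.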