Re: mysql_real_escape_string()
Posted by Rik on 08/05/07 03:07

On Sun, 05 Aug 2007 05:01:54 +0200, zach <wackzingo@gmail.com> wrote:

> I created a comment form which inserts the comments into a database
> and displays them immediately. I want to make sure that it's safe from
> users inserting unwanted data into the database or executing queries.
>
> Here's my php code, is this done right? Is there anything else I should
> do to make it more secure?
>
>
>
> $handle = mysql_connect($host,$user,$password) or die ('Sorry, looks
> like an error occurred.');
>
> $sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL,
> '$comment', '$name', '$key')";
>
> mysql_real_escape_string($sql);

You've got the point backwards....

$sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL, '";
$sql .= mysql_real_escape_string($comment);
$sql .= "', '";
$sql .= mysql_real_escape_string($name);
$sql .= "', '";
$sql .= mysql_real_escape_string($key);
$sql .= "')";

Else, the 'delimiters' (the quotes) for your string will have been escaped
too.

Where do $comment, $name & $key come from BTW? I hope you're not relying on
register_globals.....

> mysql_select_db($database);
>
> mysql_query($sql);
>
> mysql_close($handle);

Is normally done automatically at the end of the request, but as long as
you're finished with the database for the request a good thing to do.

-- 
Rik Wasmus
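
An added worked example, not part of the original thread, showing the three cases above in Python rather than PHP so that it runs offline: the escaping rules of mysql_real_escape_string() are re-implemented as a plain function, and the table and the sample inputs are constructed for the example. Note also that, as posted, mysql_real_escape_string($sql); never assigns its return value, so what actually reached mysql_query() was the unescaped statement; the example runs that unescaped statement against an in-memory SQLite table to show an injected extra row, and contrasts it with driver placeholders (the PHP equivalent being a mysqli or PDO prepared statement).

```python
"""Added example (not from the original thread): why escaping the whole
statement is wrong, what the as-posted code actually executed, and the
placeholder alternative.  Table and sample values are constructed here."""
import sqlite3

# Escaping rules documented for mysql_real_escape_string(): NUL, \n, \r,
# backslash, single quote, double quote and Ctrl-Z get a backslash prefix.
# This is a plain re-implementation for illustration, not libmysql's code.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """Escape one string *value* the way mysql_real_escape_string() does."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_query_raw(comment: str, name: str, key: str) -> str:
    """The statement as interpolated in the original post, before any escaping."""
    return ("INSERT INTO comments (id, comment, name, quotekey) "
            f"VALUES (NULL, '{comment}', '{name}', '{key}')")


def build_query_escape_whole(comment: str, name: str, key: str) -> str:
    """The original post's approach: escape the finished statement.  The quotes
    that delimit each literal get escaped along with everything else, so the
    result is no longer a valid statement."""
    return mysql_escape(build_query_raw(comment, name, key))


def build_query_escape_values(comment: str, name: str, key: str) -> str:
    """Rik's version: escape each value, then wrap it in the delimiting quotes."""
    return ("INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL, '"
            + mysql_escape(comment) + "', '"
            + mysql_escape(name) + "', '"
            + mysql_escape(key) + "')")


# Constructed attacker input: closes the literal and the VALUES tuple, then
# appends a second row (multi-row VALUES is valid in both MySQL and SQLite).
INJECTED_KEY = "k1'), (NULL, 'injected comment', 'attacker', 'k2"

_CREATE = ("CREATE TABLE comments (id INTEGER PRIMARY KEY, comment TEXT, "
           "name TEXT, quotekey TEXT)")
_SELECT = "SELECT comment, name, quotekey FROM comments ORDER BY id"


def rows_after_raw_insert(comment: str, name: str, key: str) -> list:
    """Run the unescaped statement (what the post actually executed, since the
    return value of mysql_real_escape_string() was never assigned) against an
    in-memory SQLite table and return every stored (comment, name, quotekey)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(_CREATE)
    conn.execute(build_query_raw(comment, name, key))
    return conn.execute(_SELECT).fetchall()


def rows_after_placeholder_insert(comment: str, name: str, key: str) -> list:
    """Same insert with driver placeholders (in PHP: a mysqli or PDO prepared
    statement).  Values never pass through the SQL parser as code, so no
    escaping is needed at all and the payload is stored literally."""
    conn = sqlite3.connect(":memory:")
    conn.execute(_CREATE)
    conn.execute("INSERT INTO comments (id, comment, name, quotekey) "
                 "VALUES (NULL, ?, ?, ?)", (comment, name, key))
    return conn.execute(_SELECT).fetchall()


if __name__ == "__main__":
    print(build_query_escape_whole("O'Reilly", "rik", "abc"))
    print(build_query_escape_values("O'Reilly", "rik", "abc"))
    print(rows_after_raw_insert("hi", "zach", INJECTED_KEY))
    print(rows_after_placeholder_insert("hi", "zach", INJECTED_KEY))
```

Running the block prints the whole-statement escaping (every quote, including the delimiters, becomes \'), the per-value escaping (only the apostrophe inside O'Reilly is escaped), and then the rows stored by the raw insert (two, one of them the attacker's) and by the placeholder insert (one, with the payload kept as an ordinary string).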
