
PHP - data validation


ghost

I use this code on my site and I need help with data validation, like some clue how to do it, and is this code secure…

html form:

    <html>
    <body>
    <table><tr>
      <td><h4>URL Submit: </h4></td>
      <td>
        <form action="insert.php" method="post">
          Email: <input type="text" name="email" />
          Url: <input type="text" name="url" value="http://" />
          <input type="submit" value="Send" />
        </form>
      </td>
    </tr></table>
    </body>
    </html>

insert.php:

    <?php
    $con = mysql_connect("localhost","username","password");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("somesite_com_data", $con);

    // Column order must match the value order: Url first, then Email.
    // The POST values are interpolated straight into the query string, unescaped.
    $sql = "INSERT INTO info (Url, Email) VALUES ('$_POST[url]','$_POST[email]')";
    if (!mysql_query($sql, $con)) {
        die('Error: ' . mysql_error());
    }
    echo "Your Site will be reviewed, Thankyou.";
    echo ' <a href="http://somesite.com/">Click Here to go back.</a>';
    mysql_close($con);
    ?>


webspider (Member)

Ever heard of SQL injection? Escape each user input before inserting it into your database with mysql_real_escape_string($yourvar) if magic quotes are deactivated. And turn error messages off if possible after launching your site.


Mr_Cheese

For validation you want to read a bit on string handling.

Head over to php.net and read up on eregi, strstr, preg_match, str_replace etc etc etc.

webspider is right. That code is very much insecure depending on magic_quotes; use mysql_escape_string as he suggested. I made a nice post in the Increasing Security category a while back that highlighted the differences and advantages between addslashes() and mysql_escape_string(). It's worth a read.
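The replies recommend escaping each input before it reaches the query. As an added example (not posted by anyone in this thread), here is insert.php rewritten so that the two fields are validated with filter_var and the insert runs through a PDO prepared statement, which keeps the data out of the SQL text entirely and so does not depend on magic_quotes or on escaping. The host, database name and credentials are the placeholders from the original post.

```php
<?php
// Added example, not from any poster in this thread: validated input plus a
// prepared statement instead of interpolating $_POST into the SQL string.
// Host, database, user and password below are placeholders.
declare(strict_types=1);

function validateSubmission(array $post): array
{
    $email  = trim($post['email'] ?? '');
    $url    = trim($post['url'] ?? '');
    $errors = [];
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors[] = 'Invalid email address.';
    }
    // Only absolute http(s) URLs; this also rejects javascript: or file: schemes
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true) || strlen($url) > 2048) {
        $errors[] = 'Invalid URL (must start with http:// or https://).';
    }
    return [$errors, $email, $url];
}

[$errors, $email, $url] = validateSubmission($_POST);
if ($errors) {
    http_response_code(400);
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n"; // escape on output too
    }
    exit;
}

try {
    $pdo = new PDO('mysql:host=localhost;dbname=somesite_com_data;charset=utf8mb4',
        'username', 'password', // placeholders
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    // Bound parameters keep data separate from the SQL text: quotes in the input
    // cannot alter the statement, and no escaping or magic_quotes is involved.
    $stmt = $pdo->prepare('INSERT INTO info (Url, Email) VALUES (:url, :email)');
    $stmt->execute([':url' => $url, ':email' => $email]);
} catch (PDOException $e) {
    error_log('insert.php: ' . $e->getMessage()); // log server-side, never echo DB errors
    http_response_code(500);
    exit('Something went wrong, please try again later.');
}

echo 'Your site will be reviewed, thank you. ',
     '<a href="http://somesite.com/">Click here to go back.</a>';
```

With ATTR_EMULATE_PREPARES set to false the statement and the values travel to MySQL separately, so the quoting question the replies argue about does not arise.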