Sep 10, 2009, 04:44 #1
This is my "Update posted form-input values to MySQL" script
I made something... do you dare to see it? LOL!
The purpose of this script is to add a security check to a form quickly and easily.
I didn't include any messages, JavaScript, CSS, etc. in this script. I only want to know whether this script is secure or not!
There are only two kinds of value checks for now: "empty" and "digits".
This is the first time I've done any "form-secure" scripts, so I don't recommend you use this script before someone wiser says it's OK!
Well, here goes, have fun!
PHP Code:<?php
// form.php
/*
First I made an array for every type of value check.
The input names that need to be checked are defined in arrays.
The value 1 is for JS! I don't include JS code, because it's off-topic and I'm sure this confuses you enough! :D
$empty = No empty values
$digits = Only numbers 0-9 */
$empty['input1']  = "1"; // input1 value is checked: is it empty?
$digits['input2'] = "1"; // input2 value is checked: is it digits?
$digits['input3'] = "1"; // input3 value is checked: is it digits?
$digits['input4'] = "1"; // input4 value is checked: is it digits?

// Previously posted value for re-display, or "" on the first visit.
// Always HTML-escaped: a literal $_POST['input1'] inside the attribute below is not
// interpolated at all, and echoing the raw value would let an input like "> break out of the tag.
function old($name) {
    $value = isset($_POST[$name]) ? $_POST[$name] : '';
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
?>
<form action="update_mysql.php" method="post">
<input type="text" name="input1" value="<?php echo old('input1'); ?>" />
<input type="text" name="input2" value="<?php echo old('input2'); ?>" />
<input type="text" name="input3" value="<?php echo old('input3'); ?>" />
<input type="text" name="input4" value="<?php echo old('input4'); ?>" />
</form>
PHP Code:<?php
// update_mysql.php
// The rule arrays are defined in form.php, which is a different request, so they
// are repeated here and must match form.php.
$empty['input1']  = "1";
$digits['input2'] = "1";
$digits['input3'] = "1";
$digits['input4'] = "1";
/*
Then I found this function 'to_entity' which replaces the characters ' " < > with entity numbers.
I use this function ONLY when an input value is invalid and is sent back to the form.
This function's purpose is to prevent HTML code breaking, e.g. if the user's input value is: ">
I don't know whether I need to convert more characters than ", ', <, > to make this function work perfectly...?
You can't see the entity codes (in the $replace array), because your web browser probably converts the entities! To see them, check the page's source code. */
function to_entity($string) {
    $string  = stripslashes($string);
    $search  = array('"', "'", "<", ">");
    $replace = array('&#34;', '&#39;', '&#60;', '&#62;'); // These are entities even if you may not see them! :P
    return strtr($string, convertArray($search, $replace));
}
function convertArray($search, $replace) {
    $return = array();
    foreach ($search as $key => $val) {
        $return[$val] = $replace[$key];
    }
    return $return;
}
/*
Then the $empty and $digits arrays are looped through:
If an input value is incorrect -> remember which one and send the values back to the form
(form.php entity-encodes every value it echoes, which is the job 'to_entity' was written for).
If all input values are correct -> run the 'secure' function and update MySQL. */
$errors = array(); // one entry per failing input; a single $err reset on every loop pass only remembers the last input
// No empty values
if (isset($empty)) {
    foreach ($empty as $input => $value) {
        if (!isset($_POST[$input]) || $_POST[$input] === "") { $errors[$input] = 1; }
    }
}
// Only digits 0-9 (an empty value is allowed here, as before)
if (isset($digits)) {
    foreach ($digits as $input => $value) {
        // \z instead of $: "12\n" matches /^\d+$/ because $ also matches before a final newline
        if (isset($_POST[$input]) && $_POST[$input] !== "" && !preg_match('/^\d+\z/', $_POST[$input])) {
            $errors[$input] = 1;
        }
    }
}
/*
If we have only correct values (I hope!), then we update MySQL safely (I hope!) :D */
if (count($errors) > 0) {
    // Send the values back to the form. form.php escapes every value on output
    // (valid ones are redisplayed too), so to_entity() is not applied here as well;
    // doing both would double-encode. Redisplaying by include is an assumption: the
    // original post does not show how the values get back to the form.
    include 'form.php';
    exit;
}
function secure($link, $value) {
    // Stripslashes: undo magic_quotes_gpc on old PHP (removed in 5.4) so the value is not escaped twice
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape for the connection's charset. Escaping a purely numeric string changes
    // nothing, so skipping it with is_numeric() gains nothing.
    return mysqli_real_escape_string($link, $value);
}
// Connection: placeholders, fill in your own. mysqli_set_charset() (not "SET NAMES")
// is what makes mysqli_real_escape_string() know which charset it is escaping for.
$link = mysqli_connect('localhost', 'db_user', 'db_password', 'db_name') or die(mysqli_connect_error());
mysqli_set_charset($link, 'utf8mb4');
// Loop through POST variables
foreach ($_POST as $input => $value) {
    $_POST[$input] = secure($link, $value);
}
// MySQL update: mysqli functions throughout (mysqli_query() needs the link, and
// mysql_error() belongs to the old mysql extension)
$sql = "UPDATE mysql_table SET
    cell1 = '{$_POST['input1']}',
    cell2 = '{$_POST['input2']}',
    cell3 = '{$_POST['input3']}',
    cell4 = '{$_POST['input4']}'
    WHERE id = '1'";
mysqli_query($link, $sql) or die(mysqli_error($link));
?>
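A hardened version of the same flow, added here as an editor's example and not the original poster's code: it records one error per failing field instead of a single $err flag that each loop pass overwrites, escapes every redisplayed value at output rather than only the invalid one, and hands the values to MySQL as bound parameters so no escaping function is involved at all. The table and column names (mysql_table, cell1..cell4, id) come from the post; the rule names, the functions validate/h/update_row and the connection parameters are placeholders, and the sample request is constructed.

```php
<?php
// Added example (editor's code, not the original poster's): the same flow with
// per-field error tracking, output escaping for every redisplayed value, and a
// prepared statement for the UPDATE. Table and column names follow the post;
// rule names, function names and connection parameters are placeholders.

// Rule per field. 'required' = must not be empty; 'digits' = empty or 0-9 only.
const RULES = array(
    'input1' => 'required',
    'input2' => 'digits',
    'input3' => 'digits',
    'input4' => 'digits',
);

// Returns array(field => reason) with one entry for every failing field.
// A single $err flag that is reset on each loop pass only remembers the last
// field; here input2 stays reported even when input4 is fine.
function validate(array $post, array $rules) {
    $errors = array();
    foreach ($rules as $field => $rule) {
        $value = isset($post[$field]) ? (string) $post[$field] : '';
        if ($rule === 'required' && $value === '') {
            $errors[$field] = 'empty';
        }
        // \z rather than $: "12\n" matches /^\d+$/ because $ also matches before a final newline.
        if ($rule === 'digits' && $value !== '' && !preg_match('/^\d+\z/', $value)) {
            $errors[$field] = 'not digits';
        }
    }
    return $errors;
}

// Escape for an HTML attribute. Applied to every field that is echoed back,
// not only to the invalid one: a valid input1 is redisplayed too when input3 fails.
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Bound parameters: the values never become part of the SQL text, so neither an
// escaping function nor the connection charset decides whether the quote in
// input3 is data or syntax.
function update_row(mysqli $db, array $post, $id) {
    $values = array();
    foreach (array('input1', 'input2', 'input3', 'input4') as $field) {
        $values[$field] = isset($post[$field]) ? (string) $post[$field] : '';
    }
    $stmt = $db->prepare('UPDATE mysql_table SET cell1 = ?, cell2 = ?, cell3 = ?, cell4 = ? WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param('ssssi', $values['input1'], $values['input2'], $values['input3'], $values['input4'], $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample request, not real traffic: an attribute breakout in input1,
// a trailing newline in input2, a quote in input3, a clean number in input4.
$sample = array(
    'input1' => '"><script>alert(1)</script>',
    'input2' => "12\n",
    'input3' => "1' OR '1'='1",
    'input4' => '42',
);

$errors = validate($sample, RULES);
print_r($errors);                 // input2 and input3 are both reported
echo h($sample['input1']), "\n";  // safe to place inside value="..."

if (count($errors) === 0) {
    // Only reached for a clean request; connection parameters are placeholders.
    $db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
    $db->set_charset('utf8mb4');
    update_row($db, $sample, 1);
}
```

Run it from the command line to see the validation half without a database; the prepared statement only runs once every field passes and a real connection is filled in.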
Sep 10, 2009, 06:44 #2
I would run it through mysql_real_escape_string before putting any client data in a SQL statement.
mysql_real_escape_string — Escapes special characters in a string for use in a SQL statement
http://us2.php.net/manual/en/functio...ape-string.php
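The caveat on that advice, as an added example that is not part of the thread: an escaping function only protects the query when it knows the connection's character set, which for the mysql/mysqli extensions means setting it with mysql_set_charset()/mysqli_set_charset() rather than a bare SET NAMES. The block below uses addslashes() as a byte-wise stand-in for an escaper that assumes a single-byte charset, and mbstring's GBK decoder to show how the inserted backslash is absorbed into a two-byte character and the quote stays live; the payload is constructed and the function names are mine. It needs the mbstring extension.

```php
<?php
// Added example (not from the thread): why escaping is charset-dependent.
// addslashes() stands in for an escaper that treats every byte as a character;
// mysqli_real_escape_string() behaves that way when the connection's charset was
// never set with mysqli_set_charset(). Requires the mbstring extension.

// Constructed payload: 0xBF is a valid GBK lead byte, 0x27 is a single quote.
const PAYLOAD = "\xbf\x27 OR 1=1 -- ";

// Byte-wise escaping: the quote becomes \' so the bytes are 0xBF 0x5C 0x27 ...
function escape_bytewise($value) {
    return addslashes($value);
}

// Decode the escaped bytes as $charset and return true if a single quote is
// still live, i.e. not preceded by an odd number of backslash characters.
function quote_survives($escaped, $charset) {
    $backslashes = 0;
    $n = mb_strlen($escaped, $charset);
    for ($i = 0; $i < $n; $i++) {
        $c = mb_substr($escaped, $i, 1, $charset);
        if ($c === "\\") {
            $backslashes++;
            continue;
        }
        if ($c === "'" && $backslashes % 2 === 0) {
            return true;
        }
        $backslashes = 0;
    }
    return false;
}

// Under a single-byte charset the backslash sits in front of the quote and the
// escaping works. Under GBK, 0xBF 0x5C is one two-byte character: the backslash
// is swallowed into it and the quote that follows is unescaped again.
function demo() {
    $escaped = escape_bytewise(PAYLOAD);
    return array(
        'escaped_hex'        => bin2hex($escaped),
        'first_gbk_char_hex' => bin2hex(mb_substr($escaped, 0, 1, 'GBK')),
        'quote_live_latin1'  => quote_survives($escaped, 'ISO-8859-1'),
        'quote_live_gbk'     => quote_survives($escaped, 'GBK'),
    );
}

print_r(demo());
// The fix is not a better escaper: set the charset on the connection before
// escaping (mysqli_set_charset($link, 'utf8mb4')) or, better, use a prepared
// statement so the value never becomes part of the SQL text.
```

The same bytes are safe or unsafe depending only on how the server decodes them, which is why the escaping function has to be told the connection charset and why bound parameters sidestep the question entirely.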
Sep 10, 2009, 07:12 #3