  1. #1
    SitePoint Enthusiast (Join Date: Jan 2007, Posts: 92)

    This is my "Update posted form-input values to MySql" -script

    I made something.. do you dare to see it? LOL!

    The purpose of this script is to add a security check to a form quickly and easily.
    I didn't include any messages, JavaScript, CSS, etc. in this script. I only wish to know whether this script is secure or not!
    There are only two kinds of value checks for now: "empty" and "digits".

    This is the first time I've done any "form-secure" scripts, so I don't recommend you use this script before someone wiser says it's OK!

    Well, here goes, have fun!

    PHP Code:
    <?php
    // form.php

    /*
    First I made an array for every type of value check.
    The input names that need to be checked are defined in arrays.
    The value 1 is for JS! I don't include JS code, because it's off-topic and I'm sure this confuses You enough! :D

    $empty    = No empty values
    $digits   = Only numbers 0-9   */

    $empty['input1']  = "1"; // input1 value is checked: is it empty
    $digits['input2'] = "1"; // input2 value is checked: is it a digit
    $digits['input3'] = "1"; // input3 value is checked: is it a digit
    $digits['input4'] = "1"; // input4 value is checked: is it a digit

    // The posted values are echoed back below as they are; invalid ones are expected
    // to have been encoded by to_entity() in update_mysql.php before they get here.
    ?>

    <form action="update_mysql.php" method="post">
    <input type="text" name="input1" value="<?php echo isset($_POST['input1']) ? $_POST['input1'] : ''; ?>" />
    <input type="text" name="input2" value="<?php echo isset($_POST['input2']) ? $_POST['input2'] : ''; ?>" />
    <input type="text" name="input3" value="<?php echo isset($_POST['input3']) ? $_POST['input3'] : ''; ?>" />
    <input type="text" name="input4" value="<?php echo isset($_POST['input4']) ? $_POST['input4'] : ''; ?>" />
    </form>

    PHP Code:
    <?php
    // update_mysql.php

    /*
    Then I found this function ´to_entity´ that replaces the characters ' " < > with entity numbers.
    I use this function ONLY when the input value is invalid and is sent back to the form.
    This function's purpose is to prevent breaking the HTML, e.g. if the user's input value is: ">
    I don't know whether I need to convert more characters than ", ', <, > to make this function work perfectly...?
    You can't see the entity codes (in the $replace array), because your web browser probably converts the entities! To see them, check the page's source code.   */

    function to_entity($string) {
        $string = stripslashes($string);

        $search  = array('"', "'", "<", ">");
        $replace = array("&#34;", "&#39;", "&#60;", "&#62;"); // These are entities even if you may not see them! :P

        return strtr($string, convertArray($search, $replace));
    }

    // Builds the from => to map that strtr() expects from the two parallel arrays
    function convertArray($search, $replace) {
        $return = array();
        foreach ($search as $key => $val) {
            $return[$val] = $replace[$key];
        }
        return $return;
    }

    /*
    Then the $empty and $digits arrays are looped through:
    If the input value is incorrect -> run the ´to_entity´ function and send the converted value back to the form.
    If the input value is correct -> run the ´secure´ function and update MySql.    */

    // $empty and $digits are the arrays from form.php; they have to be defined (or included) before this point.
    $err = 0; // becomes 1 as soon as any field fails a check, and stays 1

    // No empty values
    if (isset($empty)) {
        foreach ($empty as $input => $value) {
            if (!isset($_POST[$input]) || $_POST[$input] == "") {
                $err = 1;
            }
        }
    }

    // Only digits 0-9
    if (isset($digits)) {
        foreach ($digits as $input => $value) {
            if (isset($_POST[$input]) && $_POST[$input] != "" && !preg_match('/^\d+$/', $_POST[$input])) {
                $err = 1;
                $_POST[$input] = to_entity($_POST[$input]);
            }
        }
    }

    /*
    If we have only correct values (I Hope!), then we update MySql safely (I Hope!) :D   */
    if ($err != 1)
    {
        function secure($value) {
            // Stripslashes
            if (get_magic_quotes_gpc()) {
                $value = stripslashes($value);
            }

            // Quote if not a number
            if (!is_numeric($value)) {
                $value = mysql_real_escape_string($value);
            }

            return $value;
        }

        // Loop through POST variables
        foreach ($_POST as $input => $value) {
            $_POST[$input] = secure($value);
        }

        // MySql Update (needs an open mysql_connect() link; mysql_query is used here because
        // the rest of the script uses the mysql_* functions)
        mysql_query("UPDATE mysql_table SET
                  cell1 = '{$_POST['input1']}',
                  cell2 = '{$_POST['input2']}',
                  cell3 = '{$_POST['input3']}',
                  cell4 = '{$_POST['input4']}'
                  WHERE id='1'") or die(mysql_error());
    }

    ?>

  2. #2
    SitePoint Zealot (Join Date: Apr 2009, Location: South Florida, Posts: 187)
    I would run through mysql_real_escape_string before putting any client data in a SQL statement

    mysql_real_escape_string — Escapes special characters in a string for use in a SQL statement
    http://us2.php.net/manual/en/functio...ape-string.php

  3. #3
    SitePoint Enthusiast (Join Date: Jan 2007, Posts: 92)

    Quote Originally Posted by lphy:
    I would run through mysql_real_escape_string before putting any client data in a SQL statement

    mysql_real_escape_string — Escapes special characters in a string for use in a SQL statement
    http://us2.php.net/manual/en/functio...ape-string.php
    But it does!

    In the ´secure´ function.
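As an added example (not the poster's code and not from SitePoint or the PHP manual), here is the same four-field update written the way the replies point to: the $empty/$digits idea kept as a rule table, htmlspecialchars() on every value that is echoed back into the form, and the SQL done through a prepared statement, so the mysql_real_escape_string question from posts #2 and #3 does not arise because the values never become part of the SQL text. The table name and columns are taken from post #1; the in-memory SQLite connection, the row id and the sample input are assumptions so that it runs offline.

```php
<?php
// Added example, not the original poster's code: validation table, output escaping
// and a prepared statement for the same four-field update.
// Assumptions: PDO with the SQLite driver (in-memory so it runs offline; MySQL would use
// a mysql: DSN), table `mysql_table` with id and cell1..cell4, and row id 1 (all constructed).

// Validation rules keyed by input name, mirroring the poster's $empty / $digits arrays.
$rules = array(
    'input1' => 'not_empty',
    'input2' => 'digits',
    'input3' => 'digits',
    'input4' => 'digits',
);

// Check one value against one rule. Returns an error message, or null when it passes.
function validate_field($rule, $value)
{
    switch ($rule) {
        case 'not_empty':
            return $value === '' ? 'must not be empty' : null;
        case 'digits':
            // \A and \z anchor the whole string. The poster's /^\d+$/ also accepts "7\n",
            // because $ matches before a trailing newline. Empty stays allowed, as in the original.
            return ($value !== '' && !preg_match('/\A\d+\z/', $value)) ? 'digits only' : null;
        default:
            return 'unknown rule ' . $rule;
    }
}

// Check every field in $rules. Returns input name => message for the failures (empty array = all good).
function validate_all(array $rules, array $post)
{
    $errors = array();
    foreach ($rules as $name => $rule) {
        $value = isset($post[$name]) ? (string) $post[$name] : '';
        $msg = validate_field($rule, $value);
        if ($msg !== null) {
            $errors[$name] = $msg;
        }
    }
    return $errors;
}

// Escape for an HTML attribute. Unlike the poster's to_entity(), this is applied to every
// echoed value, not only invalid ones: a value that passed "not_empty" can still contain <, > or ".
function attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Update with bound parameters: the values are sent separately from the SQL text,
// so no escaping function and no is_numeric() special case are needed.
function update_row(PDO $db, array $post, $id)
{
    $stmt = $db->prepare(
        'UPDATE mysql_table SET cell1 = :c1, cell2 = :c2, cell3 = :c3, cell4 = :c4 WHERE id = :id'
    );
    return $stmt->execute(array(
        ':c1' => $post['input1'],
        ':c2' => $post['input2'],
        ':c3' => $post['input3'],
        ':c4' => $post['input4'],
        ':id' => $id,
    ));
}

// Render the form back with escaped values and the messages collected by validate_all().
function render_form(array $rules, array $post, array $errors)
{
    $html = '';
    foreach ($rules as $name => $rule) {
        $value = isset($post[$name]) ? $post[$name] : '';
        $html .= '<input type="text" name="' . $name . '" value="' . attr($value) . '" />';
        if (isset($errors[$name])) {
            $html .= ' ' . attr($errors[$name]);
        }
        $html .= "\n";
    }
    return $html;
}

// --- demo on constructed input ---------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mysql_table (id INTEGER PRIMARY KEY, cell1 TEXT, cell2 TEXT, cell3 TEXT, cell4 TEXT)');
$db->exec('INSERT INTO mysql_table (id) VALUES (1)');

// Constructed sample 1: quotes in input1, non-digits in input2, a trailing newline in input4.
$bad = array('input1' => 'O\'Brien "x"', 'input2' => '12a', 'input3' => '42', 'input4' => "7\n");
echo render_form($rules, $bad, validate_all($rules, $bad)); // input2 and input4 flagged, every value encoded

// Constructed sample 2: passes every rule, so the row is updated through the prepared statement.
$good = array('input1' => 'O\'Brien', 'input2' => '12', 'input3' => '42', 'input4' => '7');
if (validate_all($rules, $good) === array()) {
    update_row($db, $good, 1);
}
echo json_encode($db->query('SELECT * FROM mysql_table WHERE id = 1')->fetch(PDO::FETCH_ASSOC)), "\n";
```

Two things differ from post #1 on purpose: errors are collected across all fields instead of being overwritten by the last loop iteration, and the apostrophe in O'Brien reaches the database unchanged because the driver sends it as a parameter rather than as part of the query string.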

