Safe update of database

PHP
1

I put together a two stage form for a site the other week which takes 2 sets of information, the first form takes the first name, second name and email using an insert into the db followed by a second form which takes company, phone, postion and country which updates the db by unique id. Was working fine for about a week then sudenly one day it wipes all the second stage fields in the db. Luckily I had the db backed up, but needed a script that was more robust to prevent this in future. I’ve put something together today which seems to work, but just wanted to check this script was completely safe to implement and wouldn’t be in any danger of half the db being wiped if I did.

First half of form, takes first name, second name, email, with hidden fields source, date and unique id, on submit runs following process file which inserts these values into the db and creates cookies for first, second names, email and unique id…

insert.php


 <?php 
session_start(); 

$_SESSION['first']=$_POST['first_name'];
$_SESSION['unique']=$_POST['unique_id']; 
$_SESSION['second']=$_POST['last_name'];
$_SESSION['em']=$_POST['email']; 

$source=$_POST['sour']; 
$date=$_POST['date']; 
$firstname=$_POST['first_name'];
$lastname=$_POST['last_name'];
$email=$_POST['email']; 
 
$unique=$_POST['unique_id']; 

mysql_connect("*****", "*****", "*****") or die(mysql_error());
mysql_select_db("cust") or die(mysql_error());

mysql_query("INSERT INTO details (firstname, lastname, email, source, date, unique_id) VALUES ('$firstname', '$lastname', '$email', '$source', '$date', '$unique') ") 
or die(mysql_error());  

?>
<?

  exit;

?>

On exit, second form appears in an iframe using ajax, takes values from cookies and puts in hidden field, on submit it runs the following process file which does a select on the id field (which auto-increments) based on first name, second name, email, unique id and todays date, and runs the update of the second stage fields on that id. Is this a safe approach for an update?

update.php

 <?php 
session_start(); 

   $firstname   = $_GET['first_name'];
   $lastname   = $_GET['last_name'];
   $company   = $_GET['company'];
   $position   = $_GET['position'];
   $code = $_GET['code'];
   $digits = $_GET['digits'];
   $email   = $_GET['email']; 
   $country   = $_GET['country'];
   $keyword   = $_GET['keyword'];
   $type   = $_GET['type'];
   $source = $_GET['sour'];
   $date = date("d/m/Y");
   $date1= $_GET['date'];
   $unique= $_GET['unique_id'];




mysql_connect("*****", "*****", "*****") or die(mysql_error());
mysql_select_db("cust") or die(mysql_error());



		$test = mysql_query("SELECT id FROM details WHERE firstname='$firstname' AND lastname='$lastname' AND email='$email' AND unique_id='$unique' AND date='$date' LIMIT 1")
		or die(mysql_error());
		$row = mysql_fetch_array( $test );
		$_SESSION['id'] = $row['id']; 
		$_SESSION['genuine'] = "yes";

if ($_SESSION['genuine'] !== 'yes') {
echo '<font face="arial" color="#99cc00"><strong>There seems to be an error sending the message<br />Please Try Again.</strong></font>';
}
else {

$query="UPDATE details SET company='$company', phone='$digits', country='$country', position='$position' WHERE id = '".$_SESSION['id']."'"; 

mysql_query($query) or die(mysql_error());
	

}

?>
2

I’m very new to php myself, but i notice that you havent sanitised your user input, I think these is leaving you wide open to a SQl injecrtion attack ( possibly how some of your data was deleted)

I would at least use mysqli_real_escape_string() to prevent this kinda attack. I always use this for ANY data that is goign to be put input a SQL statment.

Hope that helps