Hi everybody,
I would like to insert into my website a small form to collect some e-mail addresses for sending a newsletter, using a PHP script.
Do you think someone could threaten my database in some way?
If yes, could you please tell me how I should prevent it?
Thanks in advance
Ciao
Alex
You want to collect email addresses so that you can send a newsletter?
There is no security risk there unless you write the PHP script badly, which could ultimately mean there are risks here or there.
You should rather write it all first and then get us to check it afterwards for any problems.
Hi smftre,
Thanks for the message.
This is the code I wish to insert in all the pages:
<?php
$dbcnx = @mysql_connect('server', 'user', 'password');
if (!$dbcnx) {
    exit('<p>Unable to connect to the ' .
        'database server at this time.</p>');
}
if (!@mysql_select_db('m5761d1')) {
    exit('<p>Unable to locate the newsletter ' .
        'database at this time.</p>');
}
// Form input is taken as-is, without escaping or validation
$name = $_POST['name'];
$email = $_POST['email'];
// The raw values are interpolated straight into the SQL string
$sql = "INSERT INTO user SET
    name='$name',
    email='$email'";
if (@mysql_query($sql)) {
    echo '<p>Subscribed to the newsletter</p>';
} else {
    echo '<p>Error adding new user: ' .
        mysql_error() . '</p>';
}
?>
Let me know if it might be dangerous.
Thank you again
Alex
If the name is "O'Reilly" then your queries will break. This also opens up an injection vulnerability. You need to escape all strings going into the query with mysql_real_escape_string(), and also cast integers, e.g. (int) $_POST['age'] makes sure that age will be an integer.
You might also want to check whether email is actually a valid email address. This can be done with a regex (google it), or PHP's built-in filter_var().
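The two points above (escape every string that goes into the query, and validate the address with filter_var()) applied to the posted script. This is an added example, not hash's or Alex's code. It assumes the mysqli extension, because the mysql_* functions the thread uses were removed in PHP 7.0, so mysqli_real_escape_string() stands in for mysql_real_escape_string(); it also assumes the database name and table from the thread (m5761d1, user with columns name and email) and placeholder connection credentials.

```php
<?php
// Added example (not the original poster's code). Assumes mysqli, a database
// 'm5761d1' with a table `user` (columns `name`, `email`), and placeholder
// credentials 'server', 'user', 'password'.
declare(strict_types=1);

// Use return-value checks rather than exceptions so the code behaves the same
// on PHP 8.1+, where mysqli throws by default.
mysqli_report(MYSQLI_REPORT_OFF);

// Fetch a POST field as a string; arrays (name[]=x) are rejected outright.
function post_string(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

// filter_var() returns the address on success and false otherwise.
function validate_email(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Names are free text, so only bound their length (bytes) to keep a hostile
// client from stuffing oversized rows into the table.
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    return $name;
}

// Variant 1: the escaping hash describes. "O'Reilly" becomes O\'Reilly inside
// the quotes, so it can no longer terminate the string literal. Escaping is
// only correct for the connection's character set, hence set_charset() below.
function build_insert_escaped(mysqli $db, string $name, string $email): string
{
    $n = mysqli_real_escape_string($db, $name);
    $e = mysqli_real_escape_string($db, $email);
    return "INSERT INTO user SET name='$n', email='$e'";
}

// Variant 2 (preferred): a prepared statement keeps data and SQL apart, so
// there is nothing to escape at all.
function insert_subscriber(mysqli $db, string $name, string $email): bool
{
    $stmt = $db->prepare('INSERT INTO user (name, email) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$db = @new mysqli('server', 'user', 'password', 'm5761d1');
if ($db->connect_error) {
    exit('<p>Unable to connect to the database server at this time.</p>');
}
$db->set_charset('utf8mb4');

$name  = validate_name(post_string('name'));
$email = validate_email(post_string('email'));
if ($name === null || $email === null) {
    exit('<p>Please enter a name and a valid e-mail address.</p>');
}

if (insert_subscriber($db, $name, $email)) {
    echo '<p>Subscribed to the newsletter</p>';
} else {
    // Log the real error server-side; do not echo $db->error to the visitor,
    // since it reveals table and column names to whoever is probing the form.
    error_log('newsletter insert failed: ' . $db->error);
    echo '<p>Error adding new user.</p>';
}
```

build_insert_escaped() is kept only to show what hash's escaping advice produces; the request path uses the prepared statement, which is the safer default when the driver supports it. The same (int) cast hash mentions applies to any numeric field you add later, e.g. (int) post_string('age').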
As hash said…
OK! Thanks hash! Unluckily my PHP knowledge is really poor. Could you please add to my script what it needs to become secure? Or better, could you point me to where I could find a script like this?
You might also want to check whether email is actually a valid email address. This can be done with a regex (google it), or PHP's built-in filter_var().
I already thought about that but, as explained above, I also need help with this kind of script.
Thanks again for any help.
Ciao
Alex
I can give you the page that explains and provides examples for real_escape. I already suggested ways to filter email; if you can't manage this yourself then you should look at hiring someone.
In other words: no I won’t write your code for you.
I hope that doesn’t ruin our friendship though, perhaps you might like to come over tomorrow and paint my roof … I’m unsure what paint is best to use.
if you can’t manage this yourself then you should look at hiring someone.
OK!! Message received! But hiring someone goes against my self-esteem and also against my wallet! Heh heh!
I hope that doesn’t ruin our friendship though, perhaps you might like to come over tomorrow and paint my roof …
No ruined friendship and consequently no roof painted.
I’ll try to manage it alone…
Ciao
Alex