Re: newbie question

On Mon, 15 Nov 2004 10:26:43 -0800, Max Krone <scoobylee@xxxxxxxxx> wrote:
> When I try to submit, I get no error messages, but no data goes into
> the MySQL table. I have verified that my MySQL User and Password are
> correct and I believe I am actually connecting to the database.
> 
> Please look at what I have created and tell me what I am doing wrong,
> what I can do better, why I am an idiot, et al.
> 
> <?php
> if ($_POST[FirstName] == "") {
>         $display_block = "<h1>Add an Entry</h1>
>         <form method=\"post\" action=\"$_SERVER[PHP_SELF]\">
>         <P><strong>First/Last Names:</strong><br>
>         <input type=\"text\" name=\"FirstName\" size=30 maxlength=75
>         <input type=\"text\" name=\"LastName\" size=30 maxlength=75

It's trivial for a malicious attacker to bypass your maxlength, just
an FYI.  You should check with strlen() after the post, or possibly
look into javascript form validation.

>         <P><strong>Address:</strong><br>
>         <input type=\"text\" name=\"Address\" size=30>
> 
>         <P><strong>City/State/Zip</strong><br>
>         <input type=\"text\" name=\"City\" size=30 maxlength=50>
>         <input type=\"text\" name=\"State\" size=5 maxlength=2>
>         <input type=\"text\" name=\"Zip\" size=10 maxlength=10>
> 
>         <P><strong>Telephone Number:</strong><br>
>         <input type=\"text\" name=\"phone\" size=30 maxlength=25>
> 
>         <P><strong>Email Address:</strong><br>
>         <input type=\"text\" name=\"email\" size=30 maxlength=150>
> 
>         <P><input type=\"submit\" name=\"submit\" value=\"Add Entry\"></p>
>         </FORM>";
> 
> } else if ($_POST[FirstName] != "") {
>         //time to add to tables, so check for required fields
>         if (($_POST[FirstName] == "") || ($_POST[LastName] == "") ||
> ($_POST[city] == "") ||
>           ($_POST[State] == "") || ($_POST[Zip] == "") || ($_POST[phone] == "") ||
>           ($_POST[email] == "")) {
>                 header("Location: addentry.php");
>                 exit;
>         }
> 
>         //connect to database
>         $conn = mysql_connect("localhost", "user", "password")
>           or die("Failure to attach to database");
>         mysql_select_db("database", $conn) or die("Failure to attach to database");
> 
>         //add to first and last name
>         $add_table = "INSERT into table values (NULL, '$_POST[FirstName]',
>                 '$_POST[LastName], '$_POST[Address], '$_POST[City], '$_POST[State],
>                 '$_POST[Zip], '$_POST[phone],'$_POST[email])";

You're missing the closing single quote on most all the $_POST variables.

>         mysql_query($add_table) or die(mysql_error());

How about:

or die(mysql_error() . ' query was: ' . $add_table)

so you can see your query as it goes to the database.

> 
> }
> ?>
> <HTML>
> <HEAD>
> <TITLE>Add an Entry</TITLE>
> </HEAD>
> <BODY>
> <?php echo $display_block; ?>
> </BODY>
> </HTML>

Also, your code is subject to SQL injection.  You might want to
investigate PHP's addslashes() function.  And maybe read this too:

http://shiflett.org/php-security.pdf


-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
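
As an added example (not part of the original thread or either poster's code): the two server-side points raised in the reply, checking lengths with strlen() after the post and keeping form values out of the SQL text, shown here with PDO bound parameters in place of addslashes(). The Address limit, the `entries` table and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs offline.

```php
<?php
// Added example, not from the original thread. Field names follow the posted
// form; limits mirror its maxlength attributes (Address had none, so 100 is
// an assumption). SQLite in memory stands in for MySQL so this runs offline.
const LIMITS = [
    'FirstName' => 75, 'LastName' => 75, 'Address' => 100, 'City' => 50,
    'State' => 2, 'Zip' => 10, 'phone' => 25, 'email' => 150,
];

// Return the names of fields that are missing, empty, or longer than allowed.
// strlen() counts bytes, which is what the server actually received.
function validate_entry(array $post): array
{
    $bad = [];
    foreach (LIMITS as $field => $max) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || $value === '' || strlen($value) > $max) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// Insert with bound parameters: submitted values never become SQL text.
// Column names come from the LIMITS constant, not from the request.
function add_entry(PDO $db, array $post): void
{
    $cols = array_keys(LIMITS);
    $sql = 'INSERT INTO entries (' . implode(', ', $cols) . ') VALUES ('
         . implode(', ', array_fill(0, count($cols), '?')) . ')';
    $db->prepare($sql)->execute(array_map(fn($c) => $post[$c], $cols));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, FirstName, LastName,
           Address, City, State, Zip, phone, email)');

// Constructed sample input: one value holds a single quote, one is too long.
$ok = ['FirstName' => 'Pat', 'LastName' => "O'Brien", 'Address' => '1 Main St',
       'City' => 'Springfield', 'State' => 'IL', 'Zip' => '62701',
       'phone' => '555-0100', 'email' => 'pat@example.com'];
$tooLong = ['State' => 'Illinois'] + $ok;   // exceeds the 2-character limit

foreach ([$ok, $tooLong] as $post) {
    $bad = validate_entry($post);
    if ($bad) { echo 'rejected: ' . implode(', ', $bad) . "\n"; continue; }
    add_entry($db, $post);
    echo "stored: {$post['LastName']}\n";
}
echo 'rows: ' . $db->query('SELECT COUNT(*) FROM entries')->fetchColumn() . "\n";
```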

