I had a web site (Real Estate) and visitors can add data. But I need it to be added to the site only after my approval. So I made a column in the database called "approved". When a user submits data, the value "no" is entered in the "approved" column. When I approve the post, that is replaced with "yes".

And finally, my search script is as follows:

SELECT * FROM table_name WHERE approved='yes';

Please let me know how secure this is, or whether there is any other secure way to do that.
Please help me
Thanks
Rajeesh

The security should not be judged on your query alone.
There are many ways a person can manipulate a query using form fields and even the address bar.

If you post up your code I'll have a look.

Hope this helps

My code

$name=$_POST['name'];
$phone=$_POST['phone'];
$email=$_POST['email'];
$comments=$_POST['comments'];
$adv=$_POST['adv'];

mysql_connect("localhost", "username","password") or die(mysql_error());
//echo "Connected to MySQL<br />";
mysql_select_db("dbname") or die(mysql_error());


$for_id = time() . rand(0,9);
$for_id1=md5($for_id);
$id=substr($for_id1,0,10);

mysql_query("INSERT INTO advertise (name,phone,email,comments,id,adv,approved) VALUES (
'$name','$phone','$email','$comments','$id','$adv','no')
") or die(mysql_error());
$notok = 'advertise_thanks.php';
header('Location: ' . $notok);

Please help
Thanks

Your code is absolutely not safe! Why? Because you didn't check the user input to make sure it is clean. You are setting yourself up for an SQL injection.

To help fix this at the very minimum you want to do the following before continuing with your code:

Take this part of your code and move it below the opening of the database connection:

$name=$_POST['name'];
$phone=$_POST['phone'];
$email=$_POST['email'];
$comments=$_POST['comments'];
$adv=$_POST['adv'];

Then make the following change to the code as well:

$name=mysql_real_escape_string($_POST['name']);
$phone=mysql_real_escape_string($_POST['phone']);
$email=mysql_real_escape_string($_POST['email']);
$comments=mysql_real_escape_string($_POST['comments']);
$adv=mysql_real_escape_string($_POST['adv']);

So basically your code should look like this now:

// Open the connection first: mysql_real_escape_string() needs it.
mysql_connect("localhost", "username","password") or die(mysql_error());
//echo "Connected to MySQL<br />";
mysql_select_db("dbname") or die(mysql_error());

// Escape every user-supplied value before it goes into the query.
$name=mysql_real_escape_string($_POST['name']);
$phone=mysql_real_escape_string($_POST['phone']);
$email=mysql_real_escape_string($_POST['email']);
$comments=mysql_real_escape_string($_POST['comments']);
$adv=mysql_real_escape_string($_POST['adv']);

// Build a 10-character id for the new row.
$for_id = time() . rand(0,9);
$for_id1=md5($for_id);
$id=substr($for_id1,0,10);

// New rows always start as unapproved.
mysql_query("INSERT INTO advertise (name,phone,email,comments,id,adv,approved) VALUES (
'$name','$phone','$email','$comments','$id','$adv','no')
") or die(mysql_error());
// Send the visitor to the thank-you page.
$notok = 'advertise_thanks.php';
header('Location: ' . $notok);

This way it automatically places the escape character before anything that might be used in a SQL query.

OK, thank you for your reply.
I already disabled escape characters using JavaScript in the form page. Is it enough?

Please reply

NO. That is not enough. JavaScript can be disabled.

Also, instead of all of that redundant code, why not use:

$_POST = array_map('mysql_real_escape_string', $_POST);
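
Added example, not part of any post in this thread: the two points made above (escape user input before it reaches the query, and do not rely on JavaScript checks in the form) shown as server-side validation plus a parameterized INSERT, which swaps manual escaping for placeholders. It assumes PDO with an in-memory SQLite database standing in for the MySQL connection; save_advert() and the sample values are hypothetical.

```php
<?php
// Added example: server-side validation plus a parameterized INSERT.
// Assumptions: PDO with an in-memory SQLite database stands in for the
// MySQL connection; save_advert() is a hypothetical helper name.

function save_advert(PDO $db, array $post): string
{
    // Validate on the server; browser-side JavaScript checks can be switched off.
    $fields = [];
    foreach (['name', 'phone', 'email', 'comments', 'adv'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            throw new InvalidArgumentException("missing field: $key");
        }
        $fields[$key] = trim($post[$key]);
    }
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }

    // 10 hex characters from a CSPRNG instead of md5(time() . rand()).
    $id = bin2hex(random_bytes(5));

    // Placeholders keep the values out of the SQL text, so quotes in the
    // input cannot change the statement. 'approved' is fixed by the server.
    $stmt = $db->prepare(
        "INSERT INTO advertise (name, phone, email, comments, id, adv, approved)
         VALUES (:name, :phone, :email, :comments, :id, :adv, 'no')"
    );
    $stmt->execute($fields + ['id' => $id]);
    return $id;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE advertise (name TEXT, phone TEXT, email TEXT,
           comments TEXT, id TEXT PRIMARY KEY, adv TEXT, approved TEXT)');

// Constructed sample input; the quote and "--" would break a string-built query.
$post = [
    'name' => "Sean O'Connell", 'phone' => '555-0100',
    'email' => 'sean@example.com', 'adv' => 'rent',
    'comments' => "Owner's flat, 2 bed -- call after 6",
];
$id = save_advert($db, $post);

$check = $db->prepare('SELECT name, comments, approved FROM advertise WHERE id = ?');
$check->execute([$id]);
print_r($check->fetch(PDO::FETCH_ASSOC));
```

The stored row keeps the quote characters exactly as submitted, and the approved column is written by the server-side statement rather than taken from the form.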

Thanks
If you don't mind, will you give me some details of
$_POST = array_map('mysql_real_escape_string', $_POST);

Please

They are both right. The code is very unsafe.
It would take about a second to hack through either MySQL injections or CSRF.
DaniWeb gives help; however, I recommend you Google the two terms and learn about them.

Hope this helps
