This is a (very) basic PHP form for use with a database. - Not sure of all the technical stuff I probably should be adding to this post, and I am not sure that it is safe to use either. - Spent hours (literally) looking at ways of securing the form against SQL injection and have ended up with several variations in the same script for securing it against that kind of attack through the name and comment fields ...only I have been completely unable to actually verify that any of the protection methods work; although the code on the email side of things does seem to be sound.
I am hoping that someone who better understands those parts than me might be able to contribute something and that, between us, we might end up with a script that is clean and safe to use. :icon_cheesygrin:
<?php
include '/var/wetsocks.php';
//connect to the database
$access = mysql_pconnect("$s","$u","$p");
if (!$access) {
die('Could not connect: ' . mysql_error());
} // End of if statement.
mysql_select_db("$d") or trigger_error('Query failed: ' . mysql_error($db), E_USER_ERROR);
$name = $_POST['name'];
$comment = $_POST['comment'];
$email = $_POST['email'];
function emailcheck($field) {
$field=filter_var($field, FILTER_SANITIZE_EMAIL);
if(filter_var($field, FILTER_VALIDATE_EMAIL)) {
return TRUE;
} else {
return FALSE;
} // End of if statement.
} // End of function.
$name = $_POST['name'];
$comment = $_POST['comment'];
$email = $_POST['email'];
if (isset($_POST['email'])) {
$mailcheck = emailcheck($_POST['email']);
if (($mailcheck==FALSE) || (empty($_POST['name'])) || (empty($_POST['comment'])) || (empty($_POST['email']))) {
print 'Not Likely!';
die();
} // End of if statement.
} // End of if statement.
if (isset($_POST['name'])) {
filter_var($_POST['name'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_AMP);
trim($_POST['name']);
stripslashes($_POST['name']);
htmlspecialchars($_POST['name']);
mysql_real_escape_string($_POST['name']);
} // End of if statement.
if (isset($_POST['comment'])) {
filter_var($_POST['comment'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_AMP);
trim($_POST['comment']);
stripslashes($_POST['comment']);
htmlspecialchars($_POST['comment']);
mysql_real_escape_string($_POST['comment']);
} // End of if statement.
$sql="INSERT INTO custom_feedback (name,comment,email) VALUES ('$_POST[name]','$_POST[comment]','$_POST[email]')";
print 'Record Added!';
if (!mysql_query($sql,$access)) {
die('Error: ' . mysql_error());
} // End of if statement.
?>