Database forms- How to protect with magic quotes

Question

SphirosOkelli 0 Newbie Poster

11 Years Ago

I am learning php, and am developing an address book on my website that will put info into a data base I am storing on my vps. However, I am struggling to understand the use of magic quotes as a security measure and wondered if anyone had a good suggestion for a clear consisce tutorial on this?

I have included the forms I am using to submit the info as well that the section I am using to send it to my database. I suspect that making the changes I need is simpler than it appears in the current tutorial I am using... I have my form split into two pages. Please understand, I'm not asking anyone to fix the code so that is has the magic quotes safety on it- I'm asking for information on how to learn to do it myself. If however you would enjoy filling in my missing pieces please feel free to show me!

Thanl you guys!

//This is the form I currently have to submit the information. It gets transfered to another page that then submits it to the database.

<form action="insert.php" method="post">
First Name: <input type="text" name="FirstName">
Last Name: <input type="text" name="LastName">
<br>
Email Address: <input type="text" name="EmailAddress">
<br>
<input type="submit">
</form>

//This is what I am using to submit the date to the database.

$db_handle = mysql_connect($server, $user_name, $password);

$db_found = mysql_select_db($database, $db_handle);

if ($db_found) {

$sql="INSERT INTO contacts
VALUES
('$_POST[FirstName]','$_POST[LastName]','$_POST[EmailAddress]','$_POST[PhoneNumber]')";

if (!mysql_query($sql,$db_handle))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";


mysql_close( $db_handle );

}
else {

print "Database NOT Found " . $db_handle;
mysql_close($db_handle);

}

php

5 Contributors
6 Replies
210 Views
1 Week Discussion Span
Latest Post 11 Years Ago Latest Post by Zagga

Octet 45 Newbie Poster

11 Years Ago

As veedeoo has said, magic_quotes has been depreciated.

What I suggest you look into is something called MySQLi, where the 'i' stands for Improved. This is the newest version of MySQL and has many additional security benefits, within MySQLi you have something called 'Prepared Statements' whic allows you to add your User Input seperately.

This has benefits over magic_quotes which aren't that efficient and you have many issues with character encoding. Prepared Statements process input seperately and as text so that there is 'virtually no way' for you to have an SQL injection attack.

diafol

11 Years Ago

This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

So, that could avoid a lot of nonsense for you. As mentioned, use a parameterized query, using PDO or mysqli_*. Avoid mysql_* because:

This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used.

Edited 11 Years Ago by diafol

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

veedeoo 474 Junior Poster Featured Poster · Answer 1 · 2013-01-31T20:59:01+00:00

Hi,

If your VPS have the latest PHP version on it, this is probably not necessary. Learning it to go backwards is not a good idea, because magic_quotes has been deprecated..

SphirosOkelli 0 Newbie Poster · Answer 2 · 2013-01-31T21:23:20+00:00

Sweet! I am pretty sure the VPS had PHP5 installed, but I'll double check. And I'll look into the prepared statements. Thanks you guys!

SphirosOkelli 0 Newbie Poster · Answer 3 · 2013-02-06T19:51:24+00:00

So I have done some research on the prepared statements, I have used them to connect successfully to my databse and access information currently saved there. However I am having difficulty putting information into my database view my text form. My assumption is that my POST statements are not working. So far all the tutorials I have found only show you how to hard code information into the database which I dont want to do.

//This is the form I am using- its the same one that I was using before:

<form action="insert.php" method="post">
First Name: <input type="text" name="FirstName">
Last Name: <input type="text" name="LastName">
<br>
Email Address: <input type="text" name="EmailAddress">
<br>
<input type="submit">
</form>

//This is the new insertion section. I have evidence of an actual connection. But the form data does not show up in the database.

try {
    $dbh = new PDO("mysql:host=$hostname;dbname=sphiros_address", $username, $password);
    /*** echo a message saying we have connected ***/
    echo 'Connected to database';

    $sql = "SELECT * FROM contacts";
    foreach ($dbh->query($sql) as $row)
        {
        print $row['First Name'] .' - '. $row['Last Name'] . '<br />';
        }
 /*** INSERT data  this is the part that isnt working for me ***/
    $count = $dbh->exec("INSERT INTO contacts(First Name, Last Name, Email Address) VALUES ('$_POST[FirstName]','$_POST[LastName]','$_POST[EmailAddress]')");

    /*** echo the number of affected rows ***/
    echo $count;


    /*** close the database connection ***/
    $dbh = null;
   }
catch(PDOException $e)
    {
    echo $e->getMessage();
    }
?>

Zagga · Answer 4 · 2013-02-07T23:36:25+00:00

Hi,

I'm not familiar with PDO but the syntax you are using to collect the $_POST variables doesn't look right, as you suspected (note the single quotes around the variable name).

Try collecting the POST variables outside of the query.
Change

$count = $dbh->exec("INSERT INTO contacts(First Name, Last Name, Email Address) VALUES ('$_POST[FirstName]','$_POST[LastName]','$_POST[EmailAddress]')");

to

$firstname = $_POST['FirstName'];
$lastname = $_POST['LastName'];
$emailaddress = $_POST['EmailAddress'];
$count = $dbh->exec("INSERT INTO contacts(First Name, Last Name, Email Address) VALUES ('$firstname','$lastname','$emailaddress')");

and see how you get along.