hi, i'm new here and i'm pretty new to php, but basically i've been trying to sort this out all day - i'm making a guestbook script but i cant seem to get the security right.
this is my code -

<?php

$self = $_SERVER ['PHP_SELF'];
$name = $_POST['name'];
$email = $_POST['email'];
$comments = $_POST['comments'];
$submit = $_POST['submit'];

#the html form
$form = "<form action=\"$self\" method=\"post\" name=\"form\" onSubmit=\"return Check()\">";
#show the hint text until the user has entered something (a tag may only carry one value attribute)
$form.= "<input type=\"text\" name=\"name\" class=\"formbutton2\" ";
$form.= "size=\"50\" value=\"" . ($name ? $name : "Name") . "\"> <br>";
$form.= "<input type=\"text\" name=\"email\" class=\"formbutton2\" ";
$form.= "size=\"50\" value=\"" . ($email ? $email : "Website Address (without http://)") . "\"> <br>";
$form.= "<span class=\"content\">Comments:</span><br>";
$form.= "<textarea name=\"comments\" class=\"formbutton3\" ";
$form.= "rows=\"4\">$comments</textarea> <br>";
$form.= "<input type=\"submit\" name=\"submit\" class=\"formbutton\" ";
$form.= "value=\"Sign\"></form>";



#on first opening display the form
if ( !$submit) { $msg = $form; }

#or redisplay a message and the form if incomplete
else if ( !$name or !$email or !$comments)
{ $msg = "<b>Please complete all fields</b><br><br>";
$msg.= $form; }

#or add the form data to the guestbook database table
else #otherwise connect to mysql
{ $conn = @mysql_connect( "host.com", "database", "password" )
or die( "could not connect" );

$rs = @mysql_select_db( "database", $conn )
or die ( "could not select database" );

if( $name and $comments )
{
$sql ="insert into guestbook (name, email, comments)
values(\"$name\", \"$email\", \"$comments\")";
$rs = @mysql_query( $sql, $conn )
or die ( "could not execute sql query" ); }

if($rs)
{ $msg = "<h3>Thank you, your entry has been saved.";
$msg.= "<br><a href=\"view.php\">";
$msg.= "View guestbook</a></h3>"; }
}

echo( $msg );
?>

could somebody please show me how to make it secure from people trying to post malicious code on it? it'd be a massive help to me,
Solidgold

    Do you get any errors? If so, let us know exactly what they say. If not, make sure errors are being displayed:

    <?php
    ini_set('display_errors', 1);
    error_reporting(E_ALL);
    

    Also, for now you should get rid of the "@" characters which are suppressing PHP warnings/notices. (You can put them back later if you think you really need them.)

      For one thing, you don't do any data verification!! Rule #1 is to limit what your users can give you. You should be expecting a certain format to the inputs (like a name is like 3 to 8 characters, and usually a space with more letters, but no numbers or underscores or other "characters").

      Also, you don't escape any items. If a user came along and wanted to, right now they could just input this in the "comments" field:

      "; SHOW OPEN TABLES;

      and they'd be given a view of what tables you have open at that point in time, which typically would be a "users" table and the comments table. With that knowledge, they can run further queries like DESCRIBE tablename or TRUNCATE table or whatever.

      I suggest you purchase the book "Essential PHP Security" by Chris Shiflett. It really can teach you a lot about security. To fix the sql insert stuff, make sure you escape all your SQL input items with mysql_real_escape_string(), or you type-cast your integers like so:

      $integer = (int)$_POST['integer_field_name'];
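Putting the two replies together, here is an added example (not Solidgold's script or code from either reply) of the same guestbook insert done with input checks, a prepared statement and HTML escaping on output. It uses a mysqli prepared statement rather than mysql_real_escape_string() because the mysql_* functions no longer exist in PHP 7 and later; the connection values, the h() helper and the exact name/website formats are assumptions. It also escapes the values echoed back into the page, which the original form does not.

```php
<?php
// Added example, not the original poster's code: validation, a mysqli prepared
// statement and HTML escaping for the guestbook insert. Connection values are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
// Rule #1 from the thread: accept only the format you expect. Returns a list of problems.
function validate_entry(array $post): array {
    $name     = trim($post['name'] ?? '');
    $email    = trim($post['email'] ?? '');   // the form labels this field "Website Address"
    $comments = trim($post['comments'] ?? '');
    $errors = [];
    if (!preg_match('/^\p{L}[\p{L} \'\-]{1,49}$/u', $name)) {
        $errors[] = 'Name: 2-50 letters, spaces, hyphens or apostrophes.';
    }
    if (!preg_match('/^[a-z0-9.-]{1,100}$/i', $email)) {
        $errors[] = 'Website: host name only, no http:// or path.';
    }
    if ($comments === '' || strlen($comments) > 2000) {
        $errors[] = 'Comments: 1-2000 characters.';
    }
    return $errors;
}
// The values travel separately from the SQL text, so a comment such as  "; SHOW OPEN TABLES;
// is stored as a literal string and never reaches the database as SQL.
function save_entry(mysqli $conn, string $name, string $email, string $comments): bool {
    $stmt = $conn->prepare('INSERT INTO guestbook (name, email, comments) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $name, $email, $comments);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
// Escape anything echoed into HTML (the original form puts $name straight into value="...").
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
if (isset($_POST['submit'])) {
    $errors = validate_entry($_POST);
    if ($errors) {
        $msg = '<b>' . h(implode(' ', $errors)) . '</b>';
    } else {
        $conn = new mysqli('db-host.example', 'db_user', 'db_password', 'database'); // placeholders
        $conn->set_charset('utf8mb4');
        save_entry($conn, trim($_POST['name']), trim($_POST['email']), trim($_POST['comments']));
        $msg = '<h3>Thank you, your entry has been saved.</h3>';
    }
    echo $msg;
}
```

The same h() call belongs around every field when view.php prints the stored entries, since a comment that was harmless to the database can still carry HTML or script for the next visitor's browser.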