Could you take a look at this for me

pimptovimto

Hi folks, could you have a look at this code for me, I am looking for comment on its security from injection attacks and if there is any other way I can improve the code I would appreciate that also.

Thanks a mill

<?php require_once('Connections/dbconn.php'); require('umdums/validation.php') ?>

<?php
$isvisible = "hidden"; //set the initial value to not show division
session_start();

if (isset($_SESSION['Success']) && $_SESSION['Success'] == "YES") {

// set variable value depending on status of users status
if ($_SESSION['memPending'] == "y")
	{
	$isactive = 'disabled="disabled"' ;
	}
else
	{
	$isactive = "enabled" ;
	}
}	
else
{
//return the user to the login page
 header( "Location: http://www.mydomain.co.uk/userlogin.php" );
}

$editUpdateFormAction = $_SERVER['PHP_SELF'];
if (!isset($_SESSION)) {
  session_start();
}
//check if post has occured
if (isset($_POST['mememail'])) {

//create variables and store form post fields	
$mememail = $_POST['mememail'];
$mempassword = $_POST['mempassword'];
$memfname = $_POST['memfname'];
$memlname = $_POST['memlname'];
$memadd1 = $_POST['memadd1'];
$memadd2 = $_POST['memadd2'];
$memadd3 = $_POST['memadd3'];
$memtown = $_POST['memptown'];
$mempcode = $_POST['mempcode'];

//set array to hold validation error details
$errors = Array(); 

//pass variable values to validation script and check for errors
validateField($mememail, 'email', 'Email Address', $errors); 
validateField($mempassword, 'alphanum', 'Password', $errors); 
validateField($memfname, 'text', 'Firstname', $errors); 
validateField($memlname, 'text', 'Surname', $errors); 
validateField($memadd1, 'alphanum', 'Address line 1', $errors); 
validateField($memadd2, 'text', 'Address line 2', $errors, false); 
validateField($memadd3, 'text', 'Address line 3', $errors, false); 
validateField($memtown, 'text', 'town', $errors); 
validateField($mempcode, 'postcode', 'Postcode', $errors);

//check if validation errors have occured 
if(count($errors) > 0) 
{ 
   // handle the errors, and do not process the form any more 
	  $isvisible = "visible"; //set the value of isvisible to display div with errror fields highlighted
	  foreach ($errors as $value)
		{
			//$errorstring = $errorstring .$value['Field'];

			if ($value['Field'] == "Email Address")
				//set colour as orange
				$emailcolour = "#FF9900" ;

			if ($value['Field'] == "Password")
				//set colour as orange
				$passwordcolour = "#FF9900" ;

			if ($value['Field'] == "Firstname")
				//set colour as orange
				$fnamecolour = "#FF9900" ;

			if ($value['Field'] == "Surname")
				//set colour as orange
				$snamecolour = "#FF9900" ;

			if ($value['Field'] == "Address line 1")
				//set colour as orange
				$add1colour = "#FF9900" ;

			if ($value['Field'] == "Address line 2")
				//set colour as orange
				$add2colour = "#FF9900" ;

			if ($value['Field'] == "Address line 3")
				//set colour as orange
				$add3colour = "#FF9900" ;

			if ($value['Field'] == "town")
				//set colour as orange
				$towncolour = "#FF9900" ;

			if ($value['Field'] == "Postcode")
				//set colour as orange
				$pcodecolour = "#FF9900" ;	
		}
} 
else 
{ 
	$isvisible = "hidden"; //set the value to not show division

	//escape all the variables
	$mememail = mysql_real_escape_string($mememail);
	$mempassword = mysql_real_escape_string($mempassword);
	$memfname = mysql_real_escape_string($memfname);
	$memlname = mysql_real_escape_string($memlname);
	$memadd1 = mysql_real_escape_string($memadd1);
	$memadd2 = mysql_real_escape_string($memadd2);
	$memadd3 = mysql_real_escape_string($memadd3);
	$memtown = mysql_real_escape_string($memtown);
	$mempcode = mysql_real_escape_string($mempcode);

	// update the record in the database that relates to the session stored user database record id field

	  //create the sql query string
	  $updateSQL = "UPDATE consumers SET
	  					email = '" . $mememail . "',
						password = '" . $mempassword . "',
						fname = '" . $memfname . "',
						lname = '" . $memlname . "',
						add1 = '" . $memadd1 . "',
						add2 = '" . $memadd2 . "',
						add3 = '" . $memadd3 . "',
						town = '" . $memtown . "',
						postcode = '" . $mempcode . "'
					WHERE id = '" . $_SESSION['memIDnum'] . "'" ;
	//submit the sql query				
	  mysql_select_db($database_conn, $dbconn);
	  $Result1 = mysql_query($updateSQL, $dbconn) or die(mysql_error());

	  //set the session ariables used to dispay the field values in the update form to be the newly posted details
	  	$_SESSION['memEmail'] = $mememail;
		$_SESSION['memPassword'] = $mempassword;
		$_SESSION['memFname'] = $memfname;
		$_SESSION['memLname'] = $memlname;
		$_SESSION['memAdd1'] = $memadd1;
		$_SESSION['memAdd2'] = $memadd2;
		$_SESSION['memAdd3'] = $memadd3;
		$_SESSION['memTown'] = $memtown;
		$_SESSION['memPcode'] = $mempcode;
}

}

?>

<body>

                <form action="<?php echo $editUpdateFormAction; ?>" method="post" name="profile" class="contact" id="profile">
                  <h2 class="text3">profile <span class="style11">update</span></h2>
                  <label>email *</label>
                  <input name="mememail" type="text" id="regemail" size="20"  maxlength="50" value="<?php echo $_SESSION['memEmail'] ;?>" style="background-color:<?php echo $emailcolour ; ?>"/>
                  <label>password *</label>
                  <input name="mempassword" type="password" id="regpassword" size="20" maxlength="10" value="<?php echo $_SESSION['memPassword'] ;?>" style="background-color:<?php echo $passwordcolour ; ?>"/>
                  <label>first name *</label>
                  <input name="memfname" type="text" id="regfname" size="20" maxlength="20" value="<?php echo $_SESSION['memFname'] ;?>" style="background-color:<?php echo $fnamecolour ; ?>"/>
                  <label>last name *</label>
                  <input name="memlname" type="text" id="reglname" size="20" maxlength="20" value="<?php echo $_SESSION['memLname'] ;?>" style="background-color:<?php echo $snamecolour ; ?>"/>
                  <label>address 1 *</label>
                  <input name="memadd1" type="text" id="regadd1" size="20" maxlength="20" value="<?php echo $_SESSION['memAdd1'] ;?>" style="background-color:<?php echo $add1colour ; ?>"/>
                  <label>address 2</label>
                  <input name="memadd2" type="text" id="regadd2" size="20" maxlength="20" value="<?php echo $_SESSION['memAdd2'] ;?>" style="background-color:<?php echo $add2colour ; ?>"/>
                  <label>address 3</label>
                  <input name="memadd3" type="text" id="regadd3" size="20" maxlength="20" value="<?php echo $_SESSION['memAdd3'] ;?>" style="background-color:<?php echo $add3colour ; ?>"/>
                  <label>post town *</label>
                  <input name="memptown" type="text" id="regptown" size="20" maxlength="30" value="<?php echo $_SESSION['memTown'] ;?>" style="background-color:<?php echo $towncolour ; ?>"/>
                  <label>post code *</label>
                  <input name="mempcode" type="text" id="regpcode" size="20" maxlength="8" value="<?php echo $_SESSION['memPcode'] ;?>" style="background-color:<?php echo $pcodecolour ; ?>"/>
                  <br class="spacer" />
                  <input name="submit" type="submit" class="submit" id="submit" value="update" title="Update" />
                  <input name="reset" type="reset" class="reset" id="reset" value="reset" title="Reset" />
                  <input type="hidden" name="MM_update" value="memberupdate" />
                </form>

</body>
</html>

laserlight

Please post your well indented code in [php][/php] bbcode tags.

tm002dy

以色列和巴勒斯坦各派同意在香港六合彩时间内实施停火，开放向加沙运送物资的通道香港六合彩香港六合彩香港六合彩香港六合彩香港六合彩网站