Hi guys, need a little help revamping my website. It's for a friend's band and currently when they have new gig dates they tell me and I update the Gigs page via FTP, adding new gigs in an unordered list.
What I would like is to create a form which, when submitted, adds gig information to a database. However, this form obviously needs to be secured so only authorised submissions are allowed.
Could someone please point me in the direction of code to secure a form? I also need help coding the form to submit the data to an SQL table.
Log-in authenticated form
Page 1 of 1 - 9 Replies - 253 Views - Last Post: 01 February 2012 - 12:25 PM
Replies To: Log-in authenticated form
#2
Re: Log-in authenticated form
Posted 01 February 2012 - 08:06 AM
Read through the tutorials section. Look for PDO (prepared statements), functions, and it wouldn't hurt to check out the HTML tutorials too.
When you've got some code written post it along with a description of your issue(s) and what you've tried to fix them.
#3
Re: Log-in authenticated form
Posted 01 February 2012 - 08:41 AM
I've made the HTML form and I've managed to code the PHP needed to insert the data into the SQL db. It works, although I'm sure I can improve on it:
<?php
//-- Connect to database
$user="xxxxxxxx";
$password="xxxxxxxxx";
$database="xxxxxxxxx";
mysql_connect('xxxxxxxx',$user,$password);
@mysql_select_db($database) or die( "Unable to select database");
//--Build query
//Build date: the calendar widget posts day, month and year as three separate fields
$gigDate = $_POST["gigYear"]."-".$_POST["gigMonth"]."-".$_POST["gigDay"];
$gigLocation = $_POST["giglocation"];
$gigCountry = $_POST["gigcountry"];
$gigInfo = $_POST["giginfo"];
$timeAdded = date("Y-m-d"); // four-digit year, same YYYY-MM-DD layout as $gigDate
//-- Insert info (raw, unescaped $_POST values are interpolated straight into the SQL string)
$query = "INSERT INTO gigs VALUES ('','$gigLocation','$gigCountry','$gigDate','$gigInfo','$timeAdded')";
//-- Run query
mysql_query($query);
mysql_close();
?>
Please let me know what improvements can be made to that. I'm sure the gigDate thing could be done better; the reason it is hacked together like that is because my HTML form takes a date using a javascript calendar which puts the date into 3 small textboxes (day, month, year).
#4
Re: Log-in authenticated form
Posted 01 February 2012 - 09:07 AM
Your current code is begging to be hacked. Read up on prepared statements. Here's a good PDO tutorial you should read.
I'd create a function to validate inputs. It could return true if all inputs are valid and false along with outputting errors if they aren't. You could run the query only if it returns true.
#5
Re: Log-in authenticated form
Posted 01 February 2012 - 09:11 AM
CTphpnwb, on 01 February 2012 - 09:07 AM, said:
Your current code is begging to be hacked. Read up on prepared statements. Here's a good PDO tutorial you should read.
I'd create a function to validate inputs. It could return true if all inputs are valid and false along with outputting errors if they aren't. You could run the query only if it returns true.
Well I want to password-protect the page with the form, so as long as only specified people can access it, there isn't a danger of hacking.
#6
Re: Log-in authenticated form
Posted 01 February 2012 - 09:15 AM
Really? And you're sure that password is secure? It uses prepared statements? No one will ever get or guess someone else's password?
#7
Re: Log-in authenticated form
Posted 01 February 2012 - 09:30 AM
CTphpnwb, on 01 February 2012 - 09:15 AM, said:
Really? And you're sure that password is secure? It uses prepared statements? No one will ever get or guess some one else's password?
It's not a realistic threat really. Someone finding a band's website, finding the log-in section (which will not be listed), guessing a username as well as a password and then accessing a form. It is something I will look into afterwards, purely out of curiosity and a desire to learn it, but right now I'd just like to get it functional.
What I would like to know, however, is how to make sure the form can handle apostrophes as well as symbols such as € and £.
thanks
#8
Re: Log-in authenticated form
Posted 01 February 2012 - 09:54 AM
Euskadi, on 01 February 2012 - 12:30 PM, said:
It is something I will look into afterwards, purely out of curiosity and a desire to learn it, but right now I'd just like to get it functional.
That's exactly how sites end up getting hacked. It's also how code ends up being difficult to read and manage. Get it right early or later you'll wish you had.
Euskadi, on 01 February 2012 - 12:30 PM, said:
What I would like to know, however, is how to make sure the form can handle apostrophes as well as symbols such as € and £.
The same way you prevent hacking: prepared statements.
#9
Re: Log-in authenticated form
Posted 01 February 2012 - 10:07 AM
How can I make sure my form can handle apostrophes as well as symbols such as € and £?
Thanks in advance for anyone who can help.
#10
Re: Log-in authenticated form
Posted 01 February 2012 - 12:25 PM
Use PREPARED STATEMENTS.
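What the replies keep pointing at, written out as an added example (my code, not code from the thread or the poster): the same gig insert done with PDO prepared statements behind a login check, plus a validation function that returns errors instead of running the query. The table column names, the $_SESSION['user'] key and the length limits are assumptions.

```php
<?php
// Added example, not the thread's code. Assumes table gigs has columns location,
// country, gig_date, info, added, and that the login page sets $_SESSION['user'].
session_start();
if (empty($_SESSION['user'])) {   // only logged-in users may reach the insert
    http_response_code(403);
    exit('Login required');
}

// Returns a list of error messages; an empty list means all fields are valid.
function validateGig(array $in): array
{
    $errors = [];
    foreach (['gigDay', 'gigMonth', 'gigYear'] as $f) {
        if (filter_var($in[$f] ?? '', FILTER_VALIDATE_INT) === false) {
            $errors[] = "$f must be a whole number";
        }
    }
    if (!$errors && !checkdate((int)$in['gigMonth'], (int)$in['gigDay'], (int)$in['gigYear'])) {
        $errors[] = 'the day/month/year given is not a real calendar date';
    }
    foreach (['giglocation' => 100, 'gigcountry' => 60] as $f => $max) {
        $v = trim($in[$f] ?? '');
        if ($v === '' || mb_strlen($v, 'UTF-8') > $max) {
            $errors[] = "$f is required and must be at most $max characters";
        }
    }
    return $errors;
}

$errors = validateGig($_POST);
if ($errors) {
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}
// charset=utf8mb4 lets symbols such as € and £ round-trip intact; with emulation
// off, the values travel separately from the SQL, so apostrophes cannot alter it.
$pdo = new PDO('mysql:host=localhost;dbname=xxxxxxxxx;charset=utf8mb4', 'xxxxxxxx', 'xxxxxxxxx',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$stmt = $pdo->prepare('INSERT INTO gigs (location, country, gig_date, info, added)
                       VALUES (:loc, :country, :gig_date, :info, :added)');
$stmt->execute([
    ':loc'      => trim($_POST['giglocation']),
    ':country'  => trim($_POST['gigcountry']),
    ':gig_date' => sprintf('%04d-%02d-%02d', $_POST['gigYear'], $_POST['gigMonth'], $_POST['gigDay']),
    ':info'     => trim($_POST['giginfo'] ?? ''),
    ':added'    => date('Y-m-d'),
]);
```

Nothing is escaped by hand: the bound values are sent as data, so a location like "O'Neill's Bar, €5 entry" is stored exactly as typed.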