So I've been trying to take some steps to secure code I use in projects. This is just an example of it done dirty and quickly, but the format for the PHP is the same. Does anyone have any tips or ideas to optimize this?
<?php
// Connect to DB
$db = mysql_connect("localhost", "blah", "blah") or die("Could not connect.");
if (!$db)
    die("no db");
if (!mysql_select_db("blah", $db))
    die("No database selected.");

// Functions
function clean($Text) {
    $Text = strip_tags($Text);
    $Text = str_replace("&", "&amp;", $Text);
    $Text = str_replace("<", "&lt;", $Text);
    $Text = str_replace(">", "&gt;", $Text);
    $Text = trim($Text);
    $Text = mysql_real_escape_string($Text);
    return $Text;
}

// Variables
$section = $_GET['section'];
$section = clean($section);
$input = $_POST['text'];
$input = clean($input);

// Show subpage
if (isset($section) && $section == '1') {
    // If input then
    if ($input) {
        // Add data to db
        $add = mysql_query("INSERT INTO `test` (`testing`,`subsection`) VALUES ('$input','$section') ");
        // Echo the input
        echo " " . $input . " " . $section . " ";
    }
}
else {
    echo "
    <form method=\"post\" action=\"?section=1\" enctype=\"multipart/form-data\">
    <input type=\"text\" name=\"text\" class=\"form\">
    <input name=\"submit\" type=\"submit\" value=\"Submit\" class=\"form\"><input type=\"reset\" value=\"Clear\" class=\"form\">
    </form>
    ";
}
?>
Question
Curve
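As an added example (not the poster's code, and not a reply from the thread), here is the same form handler rewritten the way a reviewer would suggest: the single clean() function above mixes three different jobs, and each is done more reliably on its own. Input is validated against what the page expects, values reach the database as bound parameters through PDO instead of being escaped into a string-built query, and HTML escaping happens only at output time. The table name `test` and columns `testing` and `subsection` are taken from the post; the SQLite in-memory DSN is an assumption so the script runs offline (a real deployment would use a `mysql:` DSN), and the sample request values are constructed.

```php
<?php
// Added example, not the original poster's code. Assumes PDO with the sqlite
// driver (used only so the script runs offline; swap the DSN for mysql: in practice).
// Table and column names come from the original post.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');                 // placeholder DSN, see lead-in
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares on MySQL
    $pdo->exec('CREATE TABLE IF NOT EXISTS test (testing TEXT NOT NULL, subsection INTEGER NOT NULL)');
    return $pdo;
}

// Job 1: validate. The original only ever handles section 1, so allow-list it
// and return null for anything else instead of "cleaning" it into shape.
function validateSection($raw): ?int
{
    $allowed = [1];
    $section = filter_var($raw, FILTER_VALIDATE_INT);
    return ($section !== false && in_array($section, $allowed, true)) ? $section : null;
}

function validateText($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $text = trim($raw);
    // Reject empty or oversized input rather than silently stripping parts of it.
    if ($text === '' || strlen($text) > 500) {
        return null;
    }
    return $text;
}

// Job 2: store. Bound parameters keep data and SQL apart, so quotes or comment
// markers inside $text are just bytes in a column; no escaping call is needed.
function storeEntry(PDO $pdo, string $text, int $section): int
{
    $stmt = $pdo->prepare('INSERT INTO test (testing, subsection) VALUES (:testing, :subsection)');
    $stmt->bindValue(':testing', $text, PDO::PARAM_STR);
    $stmt->bindValue(':subsection', $section, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Job 3: escape for the HTML body context at the moment of output only.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderForm(): string
{
    return '<form method="post" action="?section=1">'
         . '<input type="text" name="text" class="form">'
         . '<input type="submit" value="Submit" class="form">'
         . '<input type="reset" value="Clear" class="form">'
         . '</form>';
}

// $get and $post stand in for $_GET and $_POST so the handler is testable.
function handleRequest(PDO $pdo, array $get, array $post): string
{
    $section = validateSection($get['section'] ?? null);
    $text    = validateText($post['text'] ?? null);
    if ($section === null || $text === null) {
        return renderForm();
    }
    storeEntry($pdo, $text, $section);
    return '<p>' . h($text) . ' ' . h((string) $section) . '</p>';
}

// Constructed sample request: a value that would have terminated the original
// string-built INSERT and been echoed back as live markup.
$pdo = connect();
echo handleRequest($pdo, ['section' => '1'], ['text' => "O'Brien <b>bold</b>"]), PHP_EOL;
// Stored row is kept verbatim; only the rendered copy above is escaped.
echo $pdo->query('SELECT testing FROM test')->fetchColumn(), PHP_EOL;
```

Two design points worth noting against the original. First, strip_tags() and the entity replacements run before storage, so the database ends up holding an HTML-flavoured copy of the input that cannot later be reused in another context (JSON, an email, a CSV export) without double-encoding; escaping on output keeps the stored value intact and lets each output context apply its own rule. Second, the `mysql_*` extension the post relies on has been removed from PHP since 7.0, so prepared statements through PDO or mysqli are the only supported route anyway.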