The forums ran from 2008-2020 and are now closed and viewable here as an archive.


#75321
ddliu

Hi Bob,

You should have some validation and cleanup of the data input by the user to avoid XSS attacks and SQL injection attacks.

Below is a simple example in PHP and MySQL.

Suppose you have an HTML form posting the following data to add_contact.php:
first_name;
last_name;
email;
address;

add_contact.php

<?php
//connect to db
//(the mysql_* extension used here was removed in PHP 7; see the PDO/mysqli extensions for current PHP)
$conn=mysql_connect("localhost", 'mysql_user', 'mysql_password');
mysql_select_db('mydb',$conn);

//form data (default to an empty string if a field was not posted at all)
$form_data=array(
'first_name'=>isset($_POST['first_name']) ? $_POST['first_name'] : '',
'last_name'=>isset($_POST['last_name']) ? $_POST['last_name'] : '',
'email'=>isset($_POST['email']) ? $_POST['email'] : '',
'address'=>isset($_POST['address']) ? $_POST['address'] : '',
);

//trim data
$form_data=array_map('trim',$form_data);

//do simple validation: every field must be non-empty
if(!$form_data['first_name'] || !$form_data['last_name'] || !$form_data['email'] || !$form_data['address'])
{
die('Invalid data');
}

//escape before insert to db to prevent SQL injection attacks
$form_data=array_map('mysql_real_escape_string',$form_data);

//insert to db
mysql_query("INSERT INTO contacts(first_name,last_name,email,address) VALUES ('{$form_data['first_name']}','{$form_data['last_name']}','{$form_data['email']}','{$form_data['address']}')");

//close db connection
mysql_close($conn);

//show success message
echo "Add success";

Then the list page
contact_list.php

<?php
//... init db connection

//get data
$query=mysql_query("SELECT * FROM contacts LIMIT 10");
//loop and show each entry
while($row=mysql_fetch_assoc($query))
{
//convert html chars to prevent XSS attacks
$row=array_map('htmlspecialchars',$row);

//convert new line to <br /> to keep the layout
$row=array_map('nl2br',$row);

echo "First name:".$row['first_name']."<br>";
echo "Last name:".$row['last_name']."<br>";
echo "Email:".$row['email']."<br>";
echo "Address:".$row['address']."<br>";
echo "<br>";
}

mysql_close($conn);

Note that this is just a simple example; to learn more about PHP, you can visit the PHP website: http://www.php.net


dong
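The same two pages rewritten for current PHP, as an added example that is not part of ddliu's post: PDO prepared statements replace mysql_real_escape_string() on the insert path, and HTML encoding with htmlspecialchars() is applied only when the list page renders. It assumes a MySQL database 'mydb' with a table contacts(first_name, last_name, email, address) and the credentials shown.

```php
<?php
// Added example, not the original poster's code. Assumed: MySQL database 'mydb'
// with table contacts(first_name, last_name, email, address) and the shown credentials.
function db(): PDO {
    return new PDO('mysql:host=localhost;dbname=mydb;charset=utf8mb4',
        'mysql_user', 'mysql_password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]);   // real server-side prepares
}

// add_contact.php: validate, then bind values instead of escaping them.
function add_contact(PDO $pdo, array $post): bool {
    $data = [];
    foreach (['first_name', 'last_name', 'email', 'address'] as $f) {
        $data[$f] = trim((string)($post[$f] ?? ''));
        if ($data[$f] === '' || strlen($data[$f]) > 255) {
            return false;                         // empty or oversized input
        }
    }
    if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Placeholders keep user data out of the SQL text, so no quote in the
    // input can change the statement's structure.
    $stmt = $pdo->prepare('INSERT INTO contacts (first_name, last_name, email, address)
                           VALUES (:first_name, :last_name, :email, :address)');
    return $stmt->execute($data);
}

// contact_list.php: encode for HTML when rendering, never when storing.
function e(string $s): string {
    // ENT_QUOTES also encodes single quotes, so the value is safe inside
    // attribute values as well as in text nodes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_contacts(PDO $pdo): string {
    $html = '';
    $rows = $pdo->query('SELECT first_name, last_name, email, address FROM contacts LIMIT 10');
    foreach ($rows as $row) {
        foreach (['first_name' => 'First name', 'last_name' => 'Last name',
                  'email' => 'Email', 'address' => 'Address'] as $col => $label) {
            // encode first, then turn newlines into <br />, same order as the post above
            $html .= $label . ': ' . nl2br(e($row[$col])) . "<br>\n";
        }
        $html .= "<br>\n";
    }
    return $html;
}
```

Call add_contact(db(), $_POST) from the form handler and echo render_contacts(db()) from the list page; storing the raw (validated) text and encoding at output keeps the data reusable in non-HTML contexts such as e-mail or JSON.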