Re: Sign up form
May 25, 2011 at 7:37 am
#75321
ddliu
Member
Hi Bob,
You should have some validation and cleanup on data input by the user to avoid XSS and SQL injection attacks.
Below is a simple example in PHP and MySQL.
Suppose you have an HTML form posting the following data to add_contact.php:
first_name;
last_name;
email;
address;
add_contact.php
<?php
// connect to db (note: the mysql_* extension used here was removed in PHP 7;
// on current PHP use mysqli or PDO with prepared statements instead)
$conn = mysql_connect("localhost", 'mysql_user', 'mysql_password');
mysql_select_db('mydb', $conn);
// form data
$form_data = array(
    'first_name' => $_POST['first_name'],
    'last_name'  => $_POST['last_name'],
    'email'      => $_POST['email'],
    'address'    => $_POST['address'],
);
// trim data
$form_data = array_map('trim', $form_data);
// do simple validation: every field must be non-empty
if (!$form_data['first_name'] || !$form_data['last_name'] || !$form_data['email'] || !$form_data['address']) {
    die('Invalid data');
}
// escape before insert to db to prevent SQL injection
$form_data = array_map('mysql_real_escape_string', $form_data);
// insert to db
mysql_query("INSERT INTO contacts(first_name,last_name,email,address) VALUES ('{$form_data['first_name']}','{$form_data['last_name']}','{$form_data['email']}','{$form_data['address']}')");
// close db connection
mysql_close($conn);
// show success message
echo "Add success";
Then the list page
contact_list.php
<?php
// init db connection (same as in add_contact.php)
$conn = mysql_connect("localhost", 'mysql_user', 'mysql_password');
mysql_select_db('mydb', $conn);
// get data
$query = mysql_query("SELECT * FROM contacts LIMIT 10");
// loop and show each entry
while ($row = mysql_fetch_assoc($query)) {
    // convert html chars to prevent XSS
    $row = array_map('htmlspecialchars', $row);
    // convert new line to <br> to keep the layout (done after escaping, so the <br> itself is not escaped)
    $row = array_map('nl2br', $row);
    echo "First name:" . $row['first_name'] . "<br>";
    echo "Last name:" . $row['last_name'] . "<br>";
    echo "Email:" . $row['email'] . "<br>";
    echo "Address:" . $row['address'] . "<br>";
    echo "<br>";
}
mysql_close($conn);
Note that this is just a simple example; to learn more about PHP, you can visit the PHP website: http://www.php.net
—
dong
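The same add-and-list flow written with mysqli prepared statements and output escaping, as an added example that is not part of ddliu's post. With placeholders the submitted values never become part of the SQL text, so the escaping step disappears, and escaping happens once, on output, at the point a value enters HTML. The table and column names are the post's; host, user, password and database name are placeholders.

```php
<?php
// Added example (not from the post): mysqli prepared statements replace the
// removed mysql_* extension and keep user data out of the SQL text entirely.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'mysql_user', 'mysql_password', 'mydb'); // placeholders
$db->set_charset('utf8mb4');

// Escape one value for HTML: ENT_QUOTES also covers attribute contexts, and the
// charset must match what the page declares.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Validate: every field present, trimmed and bounded; email checked by format.
    $data = [];
    foreach (['first_name', 'last_name', 'email', 'address'] as $f) {
        $v = trim((string) ($_POST[$f] ?? ''));
        if ($v === '' || strlen($v) > 255) {
            http_response_code(400);
            die('Invalid data');
        }
        $data[$f] = $v;
    }
    if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        http_response_code(400);
        die('Invalid email');
    }
    // Placeholders instead of string interpolation: values travel separately
    // from the statement, so quotes inside them cannot change its structure.
    $stmt = $db->prepare(
        'INSERT INTO contacts (first_name, last_name, email, address) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $data['first_name'], $data['last_name'],
                      $data['email'], $data['address']);
    $stmt->execute();
    echo 'Add success';
}

// Listing: escape first, then nl2br, so the inserted <br> tags survive.
$res = $db->query('SELECT first_name, last_name, email, address FROM contacts LIMIT 10');
while ($row = $res->fetch_assoc()) {
    echo 'First name: ' . h($row['first_name']) . '<br>';
    echo 'Last name: '  . h($row['last_name'])  . '<br>';
    echo 'Email: '      . h($row['email'])      . '<br>';
    echo 'Address: '    . nl2br(h($row['address'])) . '<br><br>';
}
```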