
form to mySQL via php (open sauce?)

Discussion in 'Website Design Forum:' started by tbwcf, May 6, 2009.

  1. tbwcf

    tbwcf Active Member

    Afternoon all...

    I have a project which includes a web form that needs to write back to a mySQL DB. I'm generally a front end man but have an understanding of the rest of it...

    I know how to write a basic php form to a DB but don't think it's secure as the process.php would have the database info etc...

    Does anyone know some sort of open source solution to this?

    or what I need to do to make my form secure (hide DB info etc??)


  2. i'll check my PHP book when I get home mate :) I think i've got just the thing :)
  3. tim

    tim Senior Member

    sorry, i have no idea what it involves, but the "open sauce" made me laugh :D
  4. tbwcf

    tbwcf Active Member

    Thanks Chris, I appreciate it!

    @Tim - gotta love the old sauce mate
  5. tbwcf

    tbwcf Active Member

    Thanks Chris - I'll check it out!
  6. no worries mate.. sorry I didn't manage to find the bit I was looking for in the PHP cookbook last night :( I hope that at least points you vaguely in the right direction :)
  7. tbwcf

    tbwcf Active Member

  8. To be honest mate.. I usually use the Wordpress secure email form function (which encrypts all forms and locks the database from access if that makes sense).

    Sorry I couldn't be more help :(
  9. darren

    darren Member

    The above link is ColdFusion not PHP.

    I am not quite sure what you are asking...

    process.php is a php file so unless you specifically write the database info to the output stream (html page) with "echo" or "print" then there is no way people can see this.

    When you ask a server for a php file, it is processed as a PHP script. It's not like HTML where the source is the actual browser code. With php you run your script server side and only return to the browser what you want it to see (typically html, javascript, css etc).

    So you can easily POST your form to your PHP page and do all your functionality (write to DB etc) without having to worry about anyone seeing it.

    If you need advice in other areas, secure forms, encrypted data, validation etc let me know. I have a whole library I wrote of open source classes for all kinds of functionality.

    I work freelance in web development and still do a lot of php/mySQL but my main job is bigger sites (Java based).
  10. tbwcf

    tbwcf Active Member

    Hi Darren, thanks!

    I think that makes sense, I don't know why I didn't get it before, so I set the process.php permission so it is not viewable? but it will still work as it's only really the server accessing it? and such then although the db username/password are included no one can see them?

    I'd still need to prevent form injection etc to protect it all which I don't think I'm up to yet...

    For this project I had to move on fast so have another solution now - but thanks for your time!
  11. darren

    darren Member

    Not quite.

    You don't have to set the file permissions at all.. basically what happens is this..

    The extension ".php" is registered with the webserver Apache(Linux) or IIS (Windows) as a php script and attached to the php program (php.exe and all extension libraries) that is installed on that webserver. So.. when you call a page such as this...

    the webserver sends the mypage.php to be processed by php.exe (the program) and then sends the result to the browser...

    so for example, imagine you have a page like this..
    when it is called through the browser it will be "parsed" by php.exe and the result will be sent on the output stream..

    The only thing that the browser will receive is the text

    obviously it should be passed some HTML as well.

    So... to further this..

    if you have a page like this...

    Anything inside the <?php ?> tags will be parsed and the rest will be ignored. What would come back from php.exe and be sent to the browser is this...

    everything is parsed server-side when a file with the extension .php is called. So there is no risk of anyone viewing your source code that way.

    File permissions are entirely different.
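
Added example (not part of the original thread and not any poster's code): a minimal process.php that shows the two points raised above, namely that the browser only receives what the script echoes, and that form values can be kept out of the SQL text with a prepared statement. The config path, the `signups` table and the `name`/`email` fields are assumptions made for illustration.

```php
<?php
// process.php: added example; table, field and path names are assumptions.
declare(strict_types=1);

// Credentials live in a file outside the web root (hypothetical path), so even
// if the server were misconfigured to serve .php as plain text, this script's
// source would not contain them.
// The file returns ['dsn' => ..., 'user' => ..., 'pass' => ...].
$cfg = require '/etc/myapp/db-config.php';

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// Validate the form fields before they go anywhere near the database.
$name  = is_string($_POST['name'] ?? null) ? trim($_POST['name']) : '';
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($name === '' || strlen($name) > 100 || $email === false) {
    http_response_code(400);
    exit('Please check the name and email fields.');
}

try {
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    // Placeholders keep form values as data; they are never parsed as SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO signups (name, email) VALUES (:name, :email)'
    );
    $stmt->execute([':name' => $name, ':email' => $email]);
} catch (PDOException $e) {
    // Details go to the server log; the browser gets a generic message only.
    error_log('signup insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Sorry, something went wrong.');
}

// On success this line is the only thing sent to the browser.
echo 'Thanks, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '.';
```
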
  12. tbwcf

    tbwcf Active Member

    Ok, Thanks Darren! I think I've got it....
