form to mySQL via php (open sauce?)

tbwcf

Active Member
Afternoon all...

I have a project which includes a web form that needs to write back to a mySQL DB. I'm generally a front end man but have an understanding of the rest of it...

I know how to write a basic php form to a DB but don't think it's secure, as the process.php would have the database info etc...

Does anyone know some sort of open source solution to this?

or what I need to do to make my form secure (hide DB info etc??)

Thanks

Andy
 
I'll check my PHP book when I get home mate :) I think I've got just the thing :)
 
sorry, I have no idea what it involves, but the "open sauce" made me laugh :D
 
no worries mate.. sorry I didn't manage to find the bit I was looking for in the PHP cookbook last night :( I hope that at least points you vaguely in the right direction :)
 
To be honest mate.. I usually use the WordPress secure email form function (which encrypts all forms and locks the database from access, if that makes sense).

Sorry I couldn't be more help :(
 
chrismitchell said:
Hi mate... this was one that I just found now... don't know if it helps.. just going through the PHP cookbook :D

Stephen (Steve) Withington: Yes, Using CFQueryParam Can Protect Your Database From SQL Injection (Even With Strings!)


The above link is ColdFusion not PHP.

I am not quite sure what you are asking...

process.php is a php file so unless you specifically write the database info to the output stream (html page) with "echo" or "print" then there is no way people can see this.

When you ask a server for a php file, it is processed as a PHP script. It's not like HTML where the source is the actual browser code. With php you run your script server side and only return to the browser what you want it to see (typically html, javascript, css etc).

So you can easily POST your form to your PHP page and do all your functionality (write to DB etc) without having to worry about anyone seeing it.

If you need advice in other areas, secure forms, encrypted data, validation etc let me know. I have a whole library I wrote of open source classes for all kinds of functionality.

I work freelance in web development and still do a lot of php/mySQL but my main job is bigger sites (Java based).
 
Hi Darren, thanks!

I think that makes sense, I don't know why I didn't get it before. So I set the process.php permission so it is not viewable? But it will still work as it's only really the server accessing it? And so, although the db username/password are included, no one can see them?

I'd still need to prevent form injection etc to protect it all, which I don't think I'm up to yet...

For this project I had to move on fast so have another solution now - but thanks for your time!
 
Not quite.

You don't have to set the file permissions at all.. basically what happens is this..

The extension ".php" is registered with the webserver Apache(Linux) or IIS (Windows) as a php script and attached to the php program (php.exe and all extension libraries) that is installed on that webserver. So.. when you call a page such as this...

http://mydomain.com/mypage.php

the webserver sends the mypage.php to be processed by php.exe (the program) and then sends the result to the browser...

so for example, imagine you have a page like this..
<?php
$mySecretPassword = "foobar";

print("Hello World!");
?>

when it is called through the browser it will be "parsed" by php.exe and the result will be sent on the output stream..

The only thing that the browser will receive is the text

Hello World!

obviously it should be passed some HTML as well.

So... to further this..

if you have a page like this...

<html>
<head>
..stuff
</head>
<body>
Hello and welcome to my site... The date today is <?php print(date("d/m/Y", time())); ?>
</body>
</html>

Anything inside the <?php ?> tags will be parsed and the rest will be ignored. What would come back from php.exe and be sent to the browser is this...

<html>
<head>
..stuff
</head>
<body>
Hello and welcome to my site... The date today is 14/05/2009
</body>
</html>

everything is parsed server-side when a file with the extension .php is called. So there is no risk of anyone viewing your source code that way.

File permissions are entirely different.
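Two things the thread touches on but never shows are what "hiding the DB info" and "preventing form injection" actually look like in a process.php. The script below is an added example, not code from anyone in this thread. It assumes a MySQL table named contacts (columns id, name, email, message, created_at) and a config file at /etc/myapp/db.php, i.e. outside the web root; both the table and the path are assumptions for the example. Keeping the credentials outside the document root means that even if the web server were ever misconfigured to hand out .php files as plain text, the file with the password is not reachable by URL at all. The INSERT uses a PDO prepared statement with bound parameters, so whatever a visitor types into the form is sent to MySQL as data and is never spliced into the SQL text. Submitted text is escaped with htmlspecialchars() before being echoed back, and database errors are logged server-side rather than printed to the browser.

```php
<?php
// process.php (added example, not from the thread)
// Assumed table:  contacts(id, name, email, message, created_at)
// Assumed config: /etc/myapp/db.php, outside the web root, containing e.g.
//   <?php return ['dsn'  => 'mysql:host=localhost;dbname=site;charset=utf8mb4',
//                 'user' => 'siteuser', 'pass' => 'PLACEHOLDER_PASSWORD'];
declare(strict_types=1);

// 1. Credentials are loaded from outside the document root, so no URL can reach them.
$config = require '/etc/myapp/db.php';

function connect(array $cfg): PDO
{
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]);
}

/** Return a trimmed string field from the POST array, or '' if absent/not a string. */
function field(array $post, string $key): string
{
    $v = $post[$key] ?? null;
    return is_string($v) ? trim($v) : '';
}

/** Validate the submitted fields; returns a list of error messages (empty on success). */
function validate(array $post): array
{
    $errors  = [];
    $name    = field($post, 'name');
    $email   = field($post, 'email');
    $message = field($post, 'message');

    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'name is required (max 100 characters)';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'a valid email address is required';
    }
    if ($message === '' || mb_strlen($message) > 2000) {
        $errors[] = 'message is required (max 2000 characters)';
    }
    return $errors;
}

/** 2. Insert via a prepared statement: user input is bound as data, never as SQL. */
function saveContact(PDO $db, string $name, string $email, string $message): int
{
    $stmt = $db->prepare(
        'INSERT INTO contacts (name, email, message, created_at)
         VALUES (:name, :email, :message, NOW())'
    );
    $stmt->execute([
        ':name'    => $name,
        ':email'   => $email,
        ':message' => $message,
    ]);
    return (int) $db->lastInsertId();
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

$errors = validate($_POST);
if ($errors !== []) {
    http_response_code(400);
    // 3. Escape on output so submitted text cannot inject HTML into the response page.
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    exit;
}

try {
    $db = connect($config);
    $id = saveContact($db, field($_POST, 'name'), field($_POST, 'email'), field($_POST, 'message'));
    echo '<p>Thanks, your message (#' . $id . ') was received.</p>';
} catch (PDOException $e) {
    // 4. Log the detail on the server; never echo the DSN, credentials or raw SQL errors.
    error_log('contact form DB error: ' . $e->getMessage());
    http_response_code(500);
    echo '<p>Sorry, something went wrong. Please try again later.</p>';
}
```

The form's action attribute simply points at process.php as before; nothing in the HTML changes. The config file should be readable by the web server's user and nobody else (e.g. owned by that user with mode 0400), which is where file permissions do come into it, as the last post notes they are a separate matter from how PHP files are served.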
 