PHP :: Database Insert Security

CMS Database Security
I'm creating a CMS, however, there is one thing I need help with. I have been looking up information on Security with PHP, because the site I'm making the CMS for is very large, and chances of something happening are very high. However, there are sessions, cookies, and other things but which is best/more secure.

Cookies? Sessions? And should I have a var with an encrpyt password and use the crypt function to get the password I typed in the form and encrpyt that, to match the var with the encrpyted password.

Database Security
I originally only gave Select and Insert rights to the 'cart' user. As my application developed I realised I needed to grant additional rights ie UPDATE so as orders could be updated and finally DELETE so as orders could be removed.

NOW Clearly this opens me to major vunerabilities.

I wanted to have you all share your thoughts on the following.

a) How do you , in a similar situation, grant user access to DB's and
b) add functions to your form data handling to prevent SQL injection.

Database Password Security
Why is it advisable to place scripts which contain details of your
login and password outside of the publicly accessible web area on your
server.

Surely if the files that contain the details are given a php extension
then no-one can get at the information contained by these files even
if they point their browsers directly at the correct named file,
because apache will parse the php file before it is sent.

i.e.

if the file is called options.php and it resides in the web root
directory and contains the following ;-

<?php
define('DBUSER', 'Username') ;
define('DBPASS', 'Password123') ;
?>

If a web user points their browser directly at this page they will
just get a blank page - is there another way of gaining access to the
contents of this file that I am overlooking?

Database Security Code
I have been reading a little that you should secure your PHP code to
prevent SQL injection into a database (MySQL in my instance), mainly by
checking the type of data to be put into a database, and if text, to
addslashes() the data.

What I have not managed to find out, is does SQL injection threaten the
input of data into a database, ie a guestbook, or the reading of a database
where the user would not know if the data is being read from a database?

Is there anything else to consider to make a database more secure?

In particular, I have read here a few months back that it's a good idea to
keep the username / password of the connection outside the root of the
website. How would I access the password file then? What I mean is, if I
want a certain file in my site I could access it by writing:

www.mysite.com/password.php

But as it would now be outsite the root, how would I be able to get to the
password.php file?

I have also read a bit that you can assign privelages (similar I guess to
rwe for a directory / file) but to the database access, but can't find
anything about it. Is there a good (beginners) guide to privelages?

Any just incase, I did RTFM, but there are many versions which make it
confusing on who is right.

Form Security For Database
I don't find anywhere the answer to my question so I try to ask here.
I have in my pages different form fields ("find", "password", "message").
I know that is easy for an hacker to have information about my database
creating an error, or to enter in the secret zone...

So, what kind of contol or what I have to strip/erase from the input to have
a security (or almost)?
Is it a different control for different fields?

Database Security Issues
All is fine and good
except for one problem. Here it is:

In order to provide connectivity to the database, I've created a file called
database.php which is readable only by the Apache web server.

It contained the following:

<?php

function database() {
$db = mysql_connect("localhost", "mtlstats", /* the password */);
mysql_select_db("mtlstats", $db);
return $db;
}

?>

I quickly realized that even though nobody could read the password from the
file, there was nothing preventing the other people with accounts on my web
server, from including this file into one of their own php scripts, and
hijacking the database. I therefore made a change, so that it would only
work when called from a file in the /mtlstats directory.

The file now reads as follows:

<?php

function database() {
if(strpos($PHP_SELF, "/mtlstats/") === 0) {
$db = mysql_connect("localhost", "mtlstats", /* the password */);
mysql_select_db("mtlstats", $db);
return $db;
}
return NULL;
}

?>

Unfortunately, I've discovered that although $PHP_SELF normally returns the
name of the file being processed by the server, when called from within a
function, it returns NULL for some reason. Can anyone suggest an
alternative means of correcting this problem?

Database Insert
I want to insert data into two tables of a database. Basically i want to insert into table1 then use the automatically generated auto increment id number as a variable in the second part of the insert. any ideas how to go about doing this?

Insert Into Database
I am currently working on committing this to the database. however my problem is that not all of these fields may be populated. For example q3c may be left blank therefore only two records need committing to the db instead of three. Code:

Database Insert
ive wrote a very simple News Script, but the only way i can add news to it is iva PHPmyadmin. I have no idea how to write the code to insert the information into a database.

Insert To Database
i want to do a simple insert into my database. The code works but nothing is inserted. I have removed the usernames and passwords for obvious reasons. Code:

Security Of Database Connecting Scripts
Is it insecure to have all pages of a site require a common.php page that has the sole purpose of connecting to the database??

If someone found the location of this could they not require it on there webpage and manipulate my database?

BBcode, Forms And Database Security
I have a form where the user can enter some BBcode to style text but I am really concerned about database security.

When I submit a form, I use stripslashes to get rid of the crap before it enters the database but will this affect the BBcode as it has a slash i.e. [/tag]

What is the best way so i can insert the BBcode or the converted HTML into my database without compromising my database?

Insert Into Mysql Database
It sounds very simple, but for some reason I just can't figure it out, and it will save a lots of time to me, if someone can direct me into the right direction. I was trying to input data into mysql table through post method, but it was not working. I made it simple and just tried to enter anything from a php file, but it does not work, so there is something that i am doing wrong with the insertion query.

$link = mysql_connect($hostName, $userName, $password);
echo("connected");

mysql_select_db($databaseName, $link);
echo("database selected");
echo ($databaseName);

mysql_query("INSERT INTO image VALES('','','','','','','','','', 'hello', '', '', '','','','','')", $link);

echo ("done");

I am trying to enter into one of those fields, but it does not populate the table in mysql database.

Can't Write In The Database Using INSERT INTO
This is my script:

$table_to_use = "irr_accounts";
include ($_SERVER['DOCUMENT_ROOT'].'/snippets/cnx.php');

$query = "INSERT INTO $table_to_use (account_number, handling_branch, acct_type, school, address, street, city, contact_person, contact_number, first_name, last_name, date_applied, date_approved, end_date, status) VALUES

('$account_number', '$handling_branch', '$account_type', '$school', '$address', '$street', '$city', '$contact_person', '$contact_number', '$first_name', '$last_name', ༼-00-00', ༼-00-00', ༼-00-00', '$status')";

mysql_query("COMMIT");

Trying To Insert Data In A Database
I am trying to insert data in a database
Code:

Insert A Image To The Database
I tried to insert a image to the database but whenever I do I get a error message called 'invalid hex code' any idea guys?

Get And Insert Info Into Database
I have one table (form) that has multiple fields. Here are few fields we need to know: ID, NAME, CITY, STATE, PROFESSION, x, y, z (x, y, z means more than 50 fields that give me more information about each name).

The ID and NAME are unique and they don't change (each name has it's own ID). A NAME and its ID can be in any CITY, STATE or PROFESSION but this is fixed. That means if ID# 123 for Mr JOHN is Austin, TX, that will stay in Austin, TX for ever. I have more than 5000 NAME and it's ID, 9 professions, all US States and all Cities in my database.

Here is what I need to do:
I want to have a form on my site that my visitor finds his name first and then enters more information about him/her that will complete my database fields of x,y,z. What I'm thinking to do is to create a drop down list that the visitor first selects the profession. Based on the profession the second list shows the states that has that profession. Then by selecting the state, all the available cities will show up in the third list, and by selecting the city all the names related to that profession in that city, state will show up and he can select the name from the forth list. Then he enters other required information about him that will be send and saved in the database.

Here is what I have done and I know to do so far:
I have created the database with all the information in one table. I also know how to send data to database to be saved. But my problem at this point is how to create this list selection that narrows the search to find the right person.

How Do I INSERT A Value That Contains A Variable Into A MySQL Database?
I'm trying to insert values into my database that contain a variable
that gets incremented by one for each item in a shopping cart.
item_name becomes item_name1, item_name2, item_name3, and so on for
the total number of items in the cart.

This code works great when i only have one shopping cart item to deal
with.....

Insert Form Info Into Database
i am trying to enter info from a form into a mysql database. when i submit the form, a new row is created, but the information isn't contained in it? any thoughts? PHP Code:

To Insert Array Value In Database---important
ihad an array in php and iwant to insert its value in database
the coding is:

<?php
$nv_pairs = explode('&',$query_string);
$array[50];
list ($name, $value) = explode ('=',$nv_pairs);
$i = 0;
foreach($nv_pairs as $array[$i]) {
$array[$i]=
preg_replace('/\%0d%0a+/',"     
;          
;          
;          
;          
;          
; ",$array[$i]);
$array[$i]= urldecode ($array[$i]);
$array[$i]= preg_replace('/d*=/', " ",$array[$i]);
$array[$i]= urldecode ($array[$i]);
$i++;
}
ksort($array);
while(list($key,$value)=each($array)) {
if (preg_match("/d+/",$value)) {
echo "        
        
        
        
        
        
   $value";
}
else {
echo " $value";
}
}
?>

Issue Insert ' Into Database From Form
I am unable to insert a ' through a form into my data base here where it is messing up i believe: PHP Code:

Insert New Record To Database Without Duplicating
Is there a simple way when inserting a new record to a database to only execute if it is not duplicating an existing record? The way I would currently do this is to query the database first with the new values and see if I get a match, but is there simpler way?

Unable To Insert All My Values Into The Database
I have an error in my code because its not inserting my $_session['identity'] into the database. I know the session has a value because I am able to display it on the page. it just wont insert it into the database. Code:

Can't Insert Record Into Access Database
I'm trying to create a registration/login script using Access 2003. I'm using ADOdb to connect through ODBC.

The problem is that I get the little custom error Could Not Connect to Server when I try to insert a record, yet when I use the form with a username I inserted through Access it reads it just fine and returns if the username has been used. Also if I removed line line 23 or die('Could Not Connect to Server'); and it'll complete the script, but it won't insert the record. Code:

How To Insert Arrays Into Mysql Database
This is my order.php file. Now I try to make a new php-file for processing the ordered items on this page, into another table "ordered_products" in the database. I want to INPUT following values into the table "ordered_products":
'order_num', 'order_item' and 'order_ant'

I know how to insert rows in a table using the INSERT query, but I don't know how to do it while looping the arrays. I have to fetch the arrays from this page, and insert them row by row in the "ordered_products" table. Code:

Insert To Database On Page Load
I have the code for inserting data to a database form a form (Code below) but I want the data to be entered upon a page loading, how would I do this? Code:

Dynamic Insert Of POST Data Into Database
I have two tables one with game data ie visitor team home team so on and so forth and one with team name and team id, this info is pulled into a dynamic form. I can get the data from the form ok

foreach($_POST as $key => $value){
echo "$key:$value";
}

when I echo the info it gives me the correct output

game1:7 game1id:513
game2:14 game2id:514

I have columns in the database that correspond to the form var fields What my question is is how do I get the info into the database through each iteration in one row?

This is an example I have tried and I know doesn't work

$sql = "INSERT INTO teampicks ($key) VALUES('". $value ."')";
$res = mysql_query($sql);

Text With Quote To Insert In A Mysql Database
i have a text field in a mysql database, how can i insert text with quote ( ' ).

Insert Data From Form To MySQL Database
I have run createTable.php and everything is created. Now I want to run insertData.php. I want the user to enter stuff in the form & everything must be fill in before they click the submit button. It will call submitData() & all the information was enter will insert into the database. PHP Code:

Insert Multiple Variables Into A Database Quickly
I've just started using PHP and have written a small script to insert 10 variables into my database, e.g:

$query = "insert into items values
('".$q1."', '".$q2."', '".$q3."', '".$q4."', '".$q5."','".$q6."', '".$q7."', '".$q8."', '".$q9."', '".$q10."')";

The problem is, I will eventually need 300 questions so I don't want to list them all individually. How can change this snippet of code so that it says something along the lines of "please insert all the variables q1-q300 into the database"?

Simplify Insert-update-delete From Database
I'm looking for some functions or objects allowing to
select-insert-update-delete from any table in a mysql database without the
need to create a new query every time. Example:

selectdatas(array('field1','field2','fieldn'),arra y('table1','tablen'),array('left
join,idy','inner join, idx'))

then the function build the query, execute it and then return an object with
the query result.

I must build a database driven site that is 90% of the time spent on
building queries. If I may avoid build them manually it will help me a lot
and let me gain some days of programming.

Safe Mode To Insert Data In Database?
Hi what is the safe(est) mode to insert data (exmple email address) into database?
Example:

$query_return = mysql_query("INSERT INTO e_group (e_group_email) VALUES ('".$_POST['e_group_email]");
if(!$query_return) {
echo mysql_error();
exit;}

I heard about a slash (/) to put is somewhere when I want to email dont be a cached on the fly between a post and inserted into dbase - I think its good for a password too.

Insert Server Date / Time Into Database
I currently have the following to insert a variable into a database:

$zip = $db->escape($_POST['zip']);
$db->query("INSERT INTO zip SET zips = '$zip'");

I would like to also add the date & time the submission was made.

Unable To Insert User Input Into Ms Sql Database.
i have tried to insert user input into ms sql database but still unable to do so. my code has no errors in it. its just that the user input cannot be submitted into the ms sql database. Code:

What Is Indexing In Mysql And How It Will Be Useful And How We Can Retrieve Database Content Easily From A Database Table Containing About 5lakhs Datas
I need to select data from a database table containing huge amount of
data. Now I am storing data using one primary key and I am just using
simple select statement, and this process gives me the output but it is
taking long to execute the query. As much I had heared I want to use
some indexing or cluster indexing which might help me but I am not so
familiar with these things.

Security
Do you know where can I find something about security? it means encription and all that? can I do it with PHP?

PHP And Security??
I am very new with php and web content in general, and my concern is with my novice ability leaving huge secuirty holes for any joker to have there way with.

Here is my current thought.

If I have a php script in a public html fodler named index.php3 how secure is this if at all.

Say I have a line like:
MySql_pconnect("host","account","passowrd");

How easy is it for people to get the host,account,password.

Security
For security reasons I want to know more about (1)where session store its info and (2)what "single sign on" is. Does anybody know any articles about these subjects, or does anyone know the answers to these 2 questions?

PDF Security
This is where the security problem is POSTED

Is there anything we could server side?

In the meanwhile I am turning off on each client's domain the user PDF uploading capability (where it is allowed) and restrict to the domain admin side that capability.

Security
I have some weak points in security side /php/ !!!so
I want to IMPROVE my skils in php security . !!!! , pleeeeez if you
have any resrces or any for example ebook

PHP Security
Well I am trying to secure my PHP site a bit better and I wanted to ask a few peoples oppinions on security. I have read the PHP Manual security page and a few tutorials for securing my site a bit better.

What I wanted some oppinions on was the Address that is displayed in the browser....
http://www.***********.com/itemdetails.php?products_id=11

I was curious if there is any way I can hide that so maybe it says http://www.********/<itemname>/. Is there a way in PHP I can fake the address bar at the top? Or, is this even the most effective way. Is there a better way of doing something with the address bar so it doesnt reveal so much information about my website layout.

Security
does anyone know how i could send information eg credit card details to my database which is mysql. i know this isnt the most secure database as it is connected via the internet but that doesnt matter to me. any example code would be of great help to me. i will be using drop down menus and forms.

Security In Php
I'm doing ok for a newbie in php, but i just have a few questions as far as security goes. i am actually a java programmer, so from my experience with an object oriented language i would like to use encapsulation and other methods used in java with php for example i would like to make a php page that handles my database connection and has a whole lot of functions that i can call as i need them instead of re-coding the connection each time. i know that i can use 'require('****.php')' and 'include('xxx.php')' to get access to the code in xxx.php but can i extend and override the functions in xxx.php and is it safe to connect to a database in this way?

i also wanted to know if it more secure to put a php script in the same web page or to make a page that contains the script and another html page that uses a form to goto the the php page? and finally i just want to know if anyone knows of any good reading material on the topic of intergrating java with php (except the php manual) ....

PHP Security
I'm working on developing an application in PHP4/MySQL and I've got very little experience with either. Most of my work is in ASP/Access and compiled programs. The app that I'm developing doesn't need to be perfectly secure, but I want to avoid common pitfalls, and I have no idea where to start.

From your experience, what are some common security pitfalls that are inherent in the language? I shouldn't have any trouble with program logic being an issue, just stuff that may be PHP specific. (Like the User being able to put anything that they'd like in the QueryString and having that show up as a variable in the script).

PHP Security
I am developing an online application and the last thing I need to get
a handle on is security.
This app is very heavy with forms. Business critical data will be
entered via forms and inserted in to a database (mysql).

I've google "php security" and from what I've read, I should:

1) Filter all form data by stripping all non-alpha/numeric characters
out,

2) Have the database on a different server,

3) Use "POST" not "GET",

4) Turn global variables off.

5) Use sessions for logins

Should this do it? Or do I need more precautions?
Even with all this can I still get hacked?

Security
What is more secure ?

Encrypt data using php functions before send it to database (mysql), or
Encrypt directly on database, using encryption functions of database
server ?

Ex:

$key = "this is a secret key";
$input = "Let us meet at 9 o'clock at the secret place.";
---
$encrypted_data = mcrypt_ecb (MCRYPT_AES, $key, $input,
MCRYPT_ENCRYPT);
or
$query = "insert into myTable (text)
values(AES_ENCRYPT('".$input."','".$key."'))";

I think encrypt data directly with php is better because the
information is sent directly encrypted to database server, but i not
sure.

Security
Im trying to create a forum on my website. I use PHP and store the
messages in a mySQL dataqbase. Messages can be entered in a textarea.
What should i do to prevent that user enter code (javascript or php or
mysql or ...) that can be executed when i show a message with html? Is
it enough to use htmlspecialchar()?
Any tips?

PHP Security
I am fairly new to the php scene but have managed to learn quite a bit from you folks and other resources on the web. I have developed a few scripts that actually work. LOL.

I ran across a post on here mentioning Chris Shiflett and took a trip over to his site. He has some intriguing articles on the security of php scripts. However, he doesn't get into much detail as it would seem he writes for a more advanced crowd.

Anyway, what I am looking for now is more information on securing these scripts. Know a good book? Maybe a good website? By all means, let me know!

Security
I read up and created my first script yesterday. It goes to a MYSQL server and runs a series of queries on multiple tables to create a field of keywords for a web application we run. It works great. However, the script includes the username and password to log into our database. What do I need to do to make this secure? It needs to be run a couple times per day.

If I put persmissions at 400, 600 or 700, (as I have read some suggest) it will not run from a web browser. If I put it at 751 or 755 it will run, but I don't know if I am opening myself up for problems. If I keep it at say 400, 600 or 700, how do I run the script?