i need a php guru

[elachys]

ok i cann't work out why this stupid frikin script doesn't work.
and yer i have deliberatly changed the username and password

here is the code in a txt, change the extension to .php

[lido884]

visit www.phppowerforums.net for help

i don't know if it's still working. their server was down last week

[scottlc]

That code is hella insecure. All you need is someone to enter "f@ke.com', NULL; drop signup;" as their emailand you're screwed royally, hope you have backups! Call mysql_escape_string on them to secure your script.

[kairi00]

Straight variables won't work anymore unless you enable the REGISTER_VAR_GLOBALS (or something like that) flag in the php config file, which is NOT recommended.

I'd recommend changing your code to this: access your form variables using $_POST["username"].

[elachys]

Quote:

That code is hella insecure

well duh, i want to get it working first.

[Keith]

Well just a few things to point out that might help .. you didn't really say what the problem was .. so I can only assume what it could be.

------------------------------
try changing

if ($mode == 'submit') {

to just

if ($submit) {

------------------------------
also noticed you use slashes in the query such as \'$name\', .. you should be able to just use '$name', .. but not sure if using the slashes would even cause a problem since I didn't test it.

------------------------------
Also on a side note for the id .. you should not have to include it in the query if you use auto_increment for the database for that field

Just a few suggestions after taking a quick glimpse

[FLaRe85]

Either set register_globals = 1 in php.ini or use $_POST["username"] to extract the POST variables like kairi said. By default, php.ini comes with register_globals disabled as a security precaution. So, if you didn't configure your PHP installation, the header variables won't be implicitly defined. Even if register_globals were enabled, it's still a good idea to extract the vars so that users can't inject values you aren't expecting into the code.

[elachys]

ok so this almost works, except the sql doesn't get added to the databse.

[Keith]

on that one .. either remove the id or add a value for the id ..

such as ..

$sql = 'INSERT INTO test(name, email, beer) VALUES
"'.addslashes($_POST['$name']).'",
"'.addslashes($_POST['$email']).'",
"'.addslashes($_POST['$beer']).'")';
$result = mysql_query($sql);

Also I think it is $_POST['name'] .. not $_POST['$name']

[elachys]

Quote:

Call mysql_escape_string on them to secure your script.

what do you mean (gimmi a example).
oh and thanks you guys, i got it to work

[scottlc]

You were given an example!

[elachys]

i mean an example of how to use mysql_escape_string to secure it.

[scottlc]

As follows:

Code:

$secure = mysql_escape_string($unsecure);

Will turn:
"this 'string' was"

Into:
"this \'string\' was"

[elachys]

luckily i worked this out before you posted.
Since someone tried it about 10 mins after i patched it !
So no damage done

[scottlc]

Well, all you had to do was look at the docs at PHP.net. FYI this is something that you should really should know by now. I was able to figure that in the 30 minutes or less that I've ever used PHP for.