Hi everyone,
How do I secure my PHP against MySQL injection?
I have used include in my PHP.
What measures should I take in insert.php against injection?
Code:
<!-- form.php -->
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1">
  <tr>
    <td><form name="form1" method="post" action="insert_ac.php">
      <table width="100%" border="0" cellspacing="1" cellpadding="3">
        <tr>
          <td colspan="3"><strong>Insert Data Into mySQL Database </strong></td>
        </tr>
        <tr>
          <td width="71">Name</td>
          <td width="6">:</td>
          <td width="301"><input name="name" type="text" id="name"></td>
        </tr>
        <tr>
          <td>Lastname</td>
          <td>:</td>
          <td><input name="lastname" type="text" id="lastname"></td>
        </tr>
        <tr>
          <td>Email</td>
          <td>:</td>
          <td><input name="email" type="text" id="email"></td>
        </tr>
        <tr>
          <td colspan="3" align="center"><input type="submit" name="Submit" value="Submit"></td>
        </tr>
      </table>
    </form>
    </td>
  </tr>
</table>
Code:
//insert.php
<?php
$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name="test"; // Database name
$tbl_name="test_mysql"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Get values from form
$name=$_POST['name'];
$lastname=$_POST['lastname'];
$email=$_POST['email'];
// Insert data into mysql
$sql="INSERT INTO $tbl_name(name, lastname, email)VALUES('$name', '$lastname', '$email')";
$result=mysql_query($sql);
// if successfully insert data into database, displays message "Successful".
if($result){
echo strip_tags("Successful");
echo strip_tags("<BR>");
echo strip_tags("<a href='insert.php'>Back to main page</a>");
}
else {
echo "ERROR";
}
// close connection
mysql_close();
?>
I have added strip_tags().
Thanks in advance
Regards, Jim
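Added example, not part of the original post: the insert from insert.php with the form values bound through a PDO prepared statement instead of being concatenated into the SQL string. strip_tags() only removes HTML tags and leaves quotes untouched, so it does not protect the query. The function name save_person, the in-memory SQLite demo database and the sample values are assumptions made here so the script runs without a MySQL server.

```php
<?php
// Added example: the post's INSERT, rewritten with bound parameters.
// Assumption: test_mysql has the three text columns used in the post.

function save_person(PDO $pdo, array $post): bool
{
    // Read each field as a string; a missing or array-valued field becomes ''.
    $fields = [];
    foreach (['name', 'lastname', 'email'] as $key) {
        $value = $post[$key] ?? '';
        $fields[$key] = is_string($value) ? trim($value) : '';
    }
    // Validate before touching the database.
    if ($fields['name'] === '' || $fields['lastname'] === ''
        || filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Placeholders keep the SQL text fixed; the values travel separately as data.
    $stmt = $pdo->prepare(
        'INSERT INTO test_mysql (name, lastname, email) VALUES (:name, :lastname, :email)'
    );
    return $stmt->execute($fields);
}

// Demo database: in-memory SQLite, so no server is needed.
// For MySQL: new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', $user, $pass)
// and set PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test_mysql (name TEXT, lastname TEXT, email TEXT)');

// Constructed input standing in for $_POST: an apostrophe that would break the
// concatenated query from the post, and HTML tags in a field.
$sample = ['name' => "O'Brien", 'lastname' => '<b>Doe</b>', 'email' => 'jim@example.com'];
var_dump(save_person($pdo, $sample));

// Constructed invalid input: rejected before any SQL is executed.
var_dump(save_person($pdo, ['name' => 'a', 'lastname' => 'b', 'email' => 'not-an-email']));

// The values are stored verbatim; escape them at output time, when writing HTML.
foreach ($pdo->query('SELECT name, lastname FROM test_mysql') as $row) {
    echo htmlspecialchars($row['name'] . ' ' . $row['lastname'], ENT_QUOTES, 'UTF-8'), "\n";
}
```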