shane_is_my_name — 2010-03-31T01:24:54-04:00 — #1
Hello, I have an online form where a customer answers over 50 questions. it gets emailed to me... then I manually enter most of the data into a mysql database (via website / php)...
I want to just set the form to automatically populate the mysql database... but is this kind of dangerous since before only i had access to the database, but now the form would have access, and anybody basically)?
it would save me alot of manual data entry, but is it worth it just to keep the customers seperated from my database?
just looking for opinions
guelphdad — 2010-03-31T07:19:10-04:00 — #2
sanitize the data before it goes in the table. look up sql injections and plan accordingly. in php for instance you can use mysql_real_escape_string function.
how many large sites do you think manually load data into their forms after retrieving it in an email?
shane_is_my_name — 2010-03-31T13:44:32-04:00 — #3
I was initially trying to have the email itself piped so that i could populate the table, but I could not comprehend the procedure at all. I read & researched all day & night.. it's just too complicated for me. lol. unfortunately.
So then I decided to just have the form go directly into the mysql database once they submitted it...
thanks for pointing out the mysql_real_escape_string... I'm definately goingto use that... would I still need to use parameterized SQL or stored procedures? Asking because they seem to be much more complicated to understand.. but If its best to use all, then I'll start trying to figure them out as well.
thanks for your time...
Im still learning.