I hope that code isn't online yet!
Originally Posted by jneiling
I guess this is bad practice?
It's not only the ancient mysql_ functions. You also give away database internals through error messages and completely failed to escape the user input. So your code is basically a playground for script kiddies to try out SQL injections and see what they can do. I'm sure your server will be a valuable member of some Russian botnet.
Just take your very first line of code:
mysql_connect("localhost", "username", "password") or die(mysql_error());
The mysql_error() will print a nicely formatted string with both your username and password, inviting every single internet user to play with your database.
Whatever sh*tty online "tutorial" or book you got these techniques from: delete it from your browser cache, burn it, throw it away, whatever. But don't use it ever again.
The very first thing you should do is to start thinking (as linked above) and cross-site scripting.
After that, get accustomed to the already mentioned PDO. Read the part on prepared statements very carefully, because that's what you're gonna use whenever you want to pass variables to a query.
And then you'll have to go through your whole code (not just this script) and fix all the security holes:
- delete every mysql_error() and similar stuff. Do not display internal error messages to the user. They help attackers and irritate legitimate users.
- replace all mysql_ stuff with the corresponding PDO code. Do not piece query strings together. Use prepared statements instead.
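As an added example (not the poster's or jneiling's code), this is the shape of the replacement the post describes: a PDO connection that throws exceptions, a prepared statement with a bound parameter instead of a pieced-together query string, output escaped for the browser, and errors logged on the server while the visitor only sees a generic message. The table users, its columns and the DSN are assumptions for illustration.

```php
<?php
// Added example, not the original script. Assumed schema: users(id, name).
//
// The pattern to delete, for comparison (do not use):
//   $sql = "SELECT id, name FROM users WHERE name = '" . $_GET['name'] . "'";
//   $res = mysql_query($sql) or die(mysql_error());   // input in SQL text, internals shown

function connectDb()
{
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';   // assumed DSN
    return new PDO($dsn, 'username', 'password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // failures become exceptions
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function findUserByName(PDO $db, $name)
{
    // The SQL text is fixed; the user-supplied value travels as a parameter.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch();   // false when no row matches
}

try {
    $db   = connectDb();
    $name = isset($_GET['name']) ? $_GET['name'] : '';
    $user = findUserByName($db, $name);

    if ($user === false) {
        echo 'No such user.';
    } else {
        // Escape on output so a stored name cannot inject markup (XSS).
        echo 'Found user #' . (int) $user['id'] . ': '
           . htmlspecialchars($user['name'], ENT_QUOTES, 'UTF-8');
    }
} catch (PDOException $e) {
    // Details go to the server log; the visitor never sees them.
    error_log('Database error: ' . $e->getMessage());
    http_response_code(500);
    echo 'Sorry, something went wrong.';
}
```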