Post by Trill on Dec 27, 2010 17:51:47 GMT -8
If a mod feels this thread would fit better in Code Requests, feel free to move the thread. I posted in the Programming board because this isn't the usual HTML/JavaScript request you'd find in the other board. Hi! I have a free 000webhost.com account and I haven't done anything with MySQL, databases, PHP, or similar things. In fact, I don't really know what I'd be using in this request, so hopefully someone could help me out! On my ProBoards forum, I'd like to give my members an area where they can include a biography in their profile. However, due to character limits and everything, this wouldn't be possible with just JavaScript. I'd create a little HTML form on the members' profile where they can type/paste a text-only (exclude < brackets > to prevent any injection/abuse) biography about themselves for other members to view. What they submit in the form would be sent to the off-site database, and then on the next profile page view of that member, the biography would appear. What I'm looking for is some help with creating the code to send the bio to the database, and another code to extract the bio of the member when viewing his/her profile. If this means anything, I can have 2 MySQL databases, and PHP is available with my 000webhost account. Thanks so much in advance for any help!
Post by Bennett 🚀 on Dec 29, 2010 12:42:03 GMT -8
I could help you with this! Sounds like something I already do. We can chat some time.
Post by Trill on Dec 29, 2010 13:24:27 GMT -8
Thanks. How should I start this? The HTML form is easy, so I could whip that up quickly, but I don't know how I'd have the data submitted sent to the database. Is this a good place to start?
Post by Bennett 🚀 on Dec 29, 2010 13:31:06 GMT -8
Yes, it is. I'll PM you information that I need.
Post by Trill on Dec 29, 2010 14:00:50 GMT -8
> Yes, it is. I'll PM you information that I need.

Thanks. Just PMd you the username and password for the ghv3.comyr.com account at 000webhost.
Post by Bennett 🚀 on Dec 29, 2010 14:28:43 GMT -8
Thank you, I'll get working on this.
Post by Trill on Dec 29, 2010 14:31:51 GMT -8
Thanks very much
Post by Bennett 🚀 on Dec 29, 2010 15:19:13 GMT -8
My pleasure
Post by Trill on Dec 30, 2010 18:07:43 GMT -8
Let me know if there's anything I can do to help out
Post by iDunk on Dec 30, 2010 20:51:31 GMT -8
I'd like to point out that until there is an API (at least authentication) from ProBoards, add-ons like this that require passing data to another server are going to be fairly simple to compromise. Where these are member bios I suppose it isn't as big of a deal, but just keep in mind.
Post by Trill on Dec 31, 2010 11:33:40 GMT -8
Thanks for the info, iDunk. I thought about possible JavaScript injections and things like that, but I don't think that will be much of a problem at my forum. There are probably a few members that could figure out things like that, but member biographies would be kept backed up in a thread on the forum as well. As far as malicious code being saved in a biography form, that's why I was hoping anything within <brackets> would be removed so there's no HTML or script that would be parsed. There are probably ways around this security measure, but hopefully nothing bad ever happens.
Post by Charles Stover on Jan 1, 2011 11:38:06 GMT -8
To prevent code injection, just use PHP's htmlentities() when displaying the data.
Post by Trill on Jan 4, 2011 14:36:49 GMT -8
Thanks Charles. Any update on this, Imma C. Hristmas-Tree?
Post by Bennett 🚀 on Jan 4, 2011 20:52:03 GMT -8
I have a custom function that escapes strings, so no need to do htmlentities(). And, I have practice tomorrow, and a project to finish, so I don't know when I'll get back to this. Sorry!
Post by Charles Stover on Jan 4, 2011 23:13:04 GMT -8
> I have a custom function that escapes strings, so no need to do htmlentities(). And, I have practice tomorrow, and a project to finish, so I don't know when I'll get back to this. Sorry!

Code injection =/= SQL injection. Nor would you need a "custom" function when addslashes() and mysql_real_escape_string() both exist. Anyway, code injection is to prevent HTML entered (e.g. <script>steal_password()</script>) from displaying for all users viewing the page. You would need to htmlentities() any input that is later output so that <b>bold</b> displays as <b>bold</b> instead of bold.
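The two separate defences discussed in this thread, as an added example that is not code from any poster: values are bound as query parameters when the bio is stored, and htmlentities() is applied when it is displayed. It uses PDO prepared statements in place of the mysql_* escaping functions named above (that extension was removed in PHP 7); the table name, function names and sample bios are hypothetical, and an in-memory SQLite database stands in for the host's MySQL database.

```php
<?php
// Added example. Table, function and member names are hypothetical.
// An in-memory SQLite database stands in for the MySQL database on the web host.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bios (member TEXT PRIMARY KEY, bio TEXT NOT NULL)');

// Storage side: SQL injection is handled by binding values as parameters.
// The bio is stored exactly as typed; no HTML filtering happens here.
function save_bio(PDO $db, string $member, string $bio): void
{
    $stmt = $db->prepare('REPLACE INTO bios (member, bio) VALUES (:member, :bio)');
    $stmt->execute([':member' => $member, ':bio' => $bio]);
}

// Display side: HTML injection is handled by encoding at output time.
function render_bio(PDO $db, string $member): string
{
    $stmt = $db->prepare('SELECT bio FROM bios WHERE member = :member');
    $stmt->execute([':member' => $member]);
    $bio = $stmt->fetchColumn();
    if ($bio === false) {
        return '<p class="bio">No biography yet.</p>';
    }
    // ENT_QUOTES also encodes ' and ", which matters inside attribute values.
    $safe = htmlentities($bio, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="bio">' . nl2br($safe) . '</p>';
}

// Constructed sample input: a quote that would break a naively built SQL string,
// harmless markup, the script example from the thread, and a bare "<".
$samples = [
    'alice' => "It's me! <b>bold</b> & proud",
    'bob'   => '<script>steal_password()</script>',
    'carol' => 'I <3 forums; 2 > 1',
];
foreach ($samples as $member => $bio) {
    save_bio($db, $member, $bio);
    echo render_bio($db, $member), "\n";
    // For comparison: removing anything that looks like a tag changes the text itself.
    echo '  strip_tags: ', strip_tags($bio), "\n";
}
```

Encoding at output keeps every character the member typed visible as text, whereas removing bracketed content changes what the member wrote.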