güvenlik sql tablosunu korumak

basit bi sipariş kodu var sql yada başka bi kod kullanarak taploları silebilirlermi

korumak için ne yapmak gerekli
b.php

<?php
 
 
$abone_istek_oku=$_GET['abone_istek_oku'];
if ($abone_istek_oku=="" || !is_numeric($abone_istek_oku)) {
$abone_istek_oku=1;
}
$kacar=4;
$kayit_sayisi=mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM abone"));
$abone_istek_oku_sayisi=$kayit_sayisi['0']/$kacar;
if ($kayit_sayisi%$kacar!=0) {
$abone_istek_oku_sayisi++;
}
 
 
$nerden=($abone_istek_oku*$kacar)-$kacar;
$sorgu=mysql_query("SELECT * FROM abone  ORDER BY id desc LIMIT $nerden,$kacar");
 
 
for ($i=1; $i<=$abone_istek_oku_sayisi; $i++) {
echo "<a href=index.php?abone_istek_oku=$i>$i</a> ";
}
 
 
 
while ($kayit=mysql_fetch_array($sorgu)) {
$mesajid=$kayit['id']; 
 
echo "<br>=============================<br>";
echo "<br><a href=sil2.php?mesajid=$mesajid>*sil*</a><br> ";
 
 
echo "
<font color=red><b>Tarih Saat......:</b></font><b>" . $kayit['zaman'] ."</b><br>
<font color=red><b>Abone İsmi.....:</b></font><b>" . $kayit['isim'] ."</b><br>
<font color=red><b>Abone Nu.......:</b></font><b>" . $kayit['abonenu'] ."</b><br>
<font color=red><b>Telefon.........:</b></font><b>" . $kayit['istek'] ."</b><br><br>";
}
 
 
?>

index.php

<?php
 
 
/* Config Section */
$pass  = '123456';    // Sifreyi buraya giriniz...
$cookiename = 'sascookie';    // Optional change: Cookie'ye isim veriniz.Basta geçerli olan sascookie dir.
$expirytime = time()+3600;    // Optional change: Sifrenin geçerli oldugu süre "saniye olarak". Basta geçerli olan 1 saatdir.
$msg  = 'Sifre Yanlis.'; // Optional change: parola yanlis mesajidir.basta geçerli olan "Sifre Yanlis"dir.
/* End Config */
/* Logout Stuff - Sept 5, 2005 */
if (isset($_REQUEST['logout'])) {
 setcookie($cookiename,'',time() - 3600);       // remove cookie/password
 if (substr($_SERVER['REQUEST_URI'],-12)=='?logout=true') {   // if there is '?logout=true' in the URL
  $url=str_replace('?logout=true','',$_SERVER['REQUEST_URI']); // remove the string '?logout=true' from the URL
  header('Location: '.$url);          // redirect the browser to original URL
 }
 show_login_page('');
 exit();
}
$logout_button='<form action="'.$_SERVER['REQUEST_URI'].'" method="post"><input type="submit" name="logout" value="Logout" /></form>';
$logout_text='<a href="'.$_SERVER['REQUEST_URI'].'?logout=true">Logout</a>';
/* End Logout Stuff */
/* FUNCTIONS */
$encrypt_pass=md5($pass); // encrypt password
function setmycookie() {
global $cookiename,$encrypt_pass,$expirytime;
setcookie($cookiename,$encrypt_pass,$expirytime);
} 
function show_login_page($msg) {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Admin Girişi</title>
<style type="text/css">
<!--
.error {color:#A80000}
body {font:90% Verdana, Arial, sans-serif;color:#404040}
#wrapper {width:800px;margin:0 auto;border:1px solid #606060}
#main {text-align:center;padding:15px}
#header {font:bold 130% Verdana, Arial, sans-serif;color:#DDDDDD;width:100%;height:5em;text-align:center;background:#A80000;line-height:5em}
#mid {margin:5em 0 5em 0}
#footer {font-size:75%;text-align:center;width:100%}
input {border:1px solid #606060; background: #DDDDDD}
-->
</style>
</head>
<body>
<div id="wrapper">
 <div id="header">Admin Girişi</div>
    <div id="main">
 <div id="mid">
  <form action="" method="POST">
   Şifre:&nbsp;
   <input type="password" name="password" size="20">&nbsp;
   <input type="submit" value="Giriş">
   <input type="hidden" name="sub" value="sub">
  </form>
  <div class=error><?=$msg?></div>
 </div>
</div>
</div>
</body>
</html>
 
 
 
<? }
/* END FUNCTIONS */
$errormsg='';
 if (isset($_POST['sub'])) {      // if form has been submitted
  $submitted_pass=md5($_POST['password']); // encrypt submitted password
  if ($submitted_pass<>$encrypt_pass) {  // if password is incorrect
   $errormsg=$msg;
   show_login_page($errormsg);
   exit();
  } else {         // if password is correct
   setmycookie();
  }
 } else {
  if (isset($_COOKIE[$cookiename])) {   // if cookie isset
   if ($_COOKIE[$cookiename]==$encrypt_pass) { // if cookie is correct
      // do nothing
   } else {        // if cookie is incorrect
    show_login_page($errormsg);
    exit();
   }
  } else {         // if cookie is not set
   show_login_page($errormsg);
   exit();
  }
 }
?>
 
 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Admin Sayfası</title>
<style type="text/css">
<!--
.error {color:#A80000}
body {font:90% Verdana, Arial, sans-serif;color:#404040}
#wrapper {width:800px;margin:0 auto;border:1px solid #606060}
#main {text-align:center;padding:15px}
#header {font:bold 130% Verdana, Arial, sans-serif;color:#DDDDDD;width:100%;height:5em;text-align:center;background:#A80000;line-height:5em}
#mid {margin:5em 0 5em 0}
#footer {font-size:75%;text-align:center;width:100%}
input {border:1px solid #606060; background: #DDDDDD}
-->
</style>
</head>
<body> <body bgcolor="#ccffff">
<div id="wrapper">
 <div id="header">Admin Sayfası</div>
 
 
 
 
<table width="50%" height="100%" border="0" align="left">  
<tr>
<td>
 
<font face="comic sans ms" size="5" color="#0000ff">Yeni Üye</font> <br> 
 
<div align="left">
 
<?php
 
include("ayar.php");
 
 
 
include("a.php");
 
?>
 
</div>
 
 
</td>
</tr>
</table>
 
 
 
<table width="50%" height="100%" border="0" align="left">
<tr>
<td>
 
<font face="comic sans ms" size="5" color="#0000ff">Abone</font> <br> 
 
<div align="left">
 
<?php
 
 
 
include("ayar.php");
 
 
include("b.php");
?>
 
</div>
 
</td>
</tr>
</table>
 
 
</body>
</html>

sil.php

<?php
 
include("ayar.php");
$id=$_GET['mesajid'];
 
$sorgu=mysql_query("DELETE  FROM siparis where id='$id'");
if($sorgu) {
 
header("location:index.php");
}else{
echo"veri silinmedi";
}
 
?>

kullanıcılardan gelen verileri sql güvenliği açısından:
addslashes, mysql_escape_string, htmlspecialchars gibi fonksiyonlarla filtreleyiniz.

örn:
ekran görüntüsü:
olacaktır. sql de ' karakteri özel bir karakterdir güvenlik açısından ters slash \ ile etkisiz hale getirilmesi gerekmektedir.

internette daha ayrıntılı makaleler bulabilirsiniz ama temel olarak böyle.

if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

kullanım:
sayılar için GetSQLValueString($_GET['id'], "int") yada metinler için GetSQLValueString($_POST['veri'], "text")

sorgu içinde:
$sql = "INSERT INTO tablo (alan,alan2) VALUES(".GetSQLValueString($_GET['id'], "int").", ".GetSQLValueString($_POST['veri'], "text").")";

özet: verinin içindeki tırnakları \' haline getirir ve verinin sonuna-başına ' ekler. doğrudan sql'e hazırlar yani.

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")  
{ 
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue; 
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue); 
  switch ($theType) { 
    case "text": 
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; 
      break;     
    case "long": 
    case "int": 
      $theValue = ($theValue != "") ? intval($theValue) : "NULL"; 
      break; 
    case "double": 
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL"; 
      break; 
    case "date": 
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; 
      break; 
    case "defined": 
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue; 
      break; 
  } 
  return $theValue; 
}  
 
 
$isim= GetSQLValueString($_GET['isim'], "text");
$abonenu = GetSQLValueString($_GET['abonenu'], "text");
$istek = GetSQLValueString($_GET['istek'], "text");
$zaman = GetSQLValueString($_GET['date("d.m.Y,H:i",time())'], "text");
 
 
$sorgu = "INSERT INTO abone (alan,alan2) VALUES(".GetSQLValueString($_GET['isim'], "text").", ".GetSQLValueString($_GET['abonenu'], "text").",".GetSQLValueString($_POST['istek'], "text").")";
 
$sorgu=mysql_query("INSERT INTO abone (isim, abonenu, istek, zaman) values ('$isim', '$abonenu','$istek','$zaman')");
 
if ($sorgu) {
echo "<font color=#ffffff><b> ** SİPARİŞİNİZ ALINDI **</b></font><br><br>";
}else{
echo "<font color=#ffffff><b>ÜZGÜNÜZ :(  ** LÜTFEN TEKRAR DENEYİN **</b></font><br><br>";
}
 
?>

sanrm yanlış oldu küçük bi ornek gösterebilirmisiniz

boyle kaydediyo

Tarih Saat......:NULL
Abone İsmi.....:NULL
Abone Nu.......:NULL
Telefon.........:NULL


<?php

include("ayar.php");


$isim=$_POST['isim'];
$abonenu=$_POST['abonenu'];
$istek=$_POST['istek'];

$zaman = date("d.m.Y,H:i",time());
$sorgu=mysql_query("INSERT INTO abone (isim, abonenu, istek, zaman) values ('$isim', '$abonenu','$istek','$zaman')");


if ($sorgu) {
echo "<font color=#ffffff><b> ** SİPARİŞİNİZ ALINDI **</b></font><br><br>";
}else{
echo "<font color=#ffffff><b>ÜZGÜNÜZ ** LÜTFEN TEKRAR DENEYİN **</b></font><br><br>";
}


?>

$sorgu=mysql_query("INSERT INTO abone (isim, abonenu, istek, zaman) values ('$isim', '$abonenu','$istek','$zaman')");

değerleri ' içine alma. zaten GetSQLValueString fonkyisonu yapıyor o işi. o yüzden hata alırsın.

hata tam olarak nerde


function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}

include("ayar.php");



$isim= GetSQLValueString($_GET['isim'], "text");
$abonenu = GetSQLValueString($_GET['abonenu'], "text");
$istek = GetSQLValueString($_GET['istek'], "text");
$zaman = GetSQLValueString($_GET['date("d.m.Y,H:i",time())'], "text");


$sorgu = "INSERT INTO abone (isim,abonenu,istek,zaman) VALUES(".GetSQLValueString($_GET['isim'], "text").", ".GetSQLValueString($_GET['abonenu'], "text").",".GetSQLValueString($_POST['istek'], "text").",".GetSQLValueString($_POST['zaman'], "text").")";

$sorgu=mysql_query("INSERT INTO abone (isim, abonenu, istek, zaman) values ('$isim', '$abonenu','$istek','$zaman')");