
I'm pretty new to scripting but I've been following code logic pretty well. I've got two working scripts (posted below), one that posts a form to a mysql database and another that pulls up the information on the same page in a table. I'm having trouble finding help on the following things I want to accomplish.

1.) Sanitizing the form, I've been told it's very open to injection/other. The most people will submit is text, and I'd like for them to eventually be able to post html links that are called up and clickable by the second script.

2.) I want the callback script to sort the information so that the most recent post is on top. (Can I create a new mysql column alongside category and contents called "date" that auto-detects the date/time and uses it for sorting? I'd love to see some example code of that.)

Here's the submit form

<html>
<div style="width:  330px;  height:  130px;  overflow:  auto;">
<form STYLE="color: #f4d468;" action="send_post.php" method="post">

    Category: <select STYLE="color: #919191; font-family: Veranda; font-weight: bold; font-size: 10px; background-color: #000000;" name="category">
<option value="category 1">category 1</option>
<option value="category 2">category 2</option>
<option value="category 3">category 3</option>
<option value="Other">Other</option>
</select> <br>

    <textarea rows="4" cols="60" STYLE="overflow: scroll; color: #919191; font-family: Veranda; font-weight: bold; font-size: 10px; background-color: #000000; width:300px; height:80px; margin:0; padding:0;" name="contents"></textarea><br>
    <input type="submit" STYLE="color: #919191; font-family: Veranda; font-weight: bold; font-size: 10px; background-color: #000000;" value="Create Log">
</form>
</div>
</html>

sendpost.php

<?php
//Connecting to sql db.
$connect=mysqli_connect("localhost","myuser","mypassword","mydb");

header("Location: http://mywebsite.com/myhomepage.php");

if (mysqli_connect_errno()) { echo "Fail"; } else { echo "Success"; }

//Sending form data to sql db.
mysqli_query($connect,"INSERT INTO mydbtable (category, contents)
VALUES ('$_POST[category]', '$_POST[contents]')");

?>

And the get php to call it back on the page

<?php
$con=mysqli_connect("localhost","myuser","mypassword","mydb");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$result = mysqli_query($con,"SELECT * FROM mydbtable");

echo "<table border='1'>
<tr>
<th>Category</th>
<th>Contents</th>
</tr>";

while($row = mysqli_fetch_array($result))
  {
  echo "<tr>";
  echo "<td>" . $row['category'] . "</td>";
  echo "<td>" . $row['contents'] . "</td>";
  echo "</tr>";
  }
echo "</table>";

mysqli_close($con);
?> 

Also in the cases of connecting with the $con=mysqli_connect command in two of the scripts, is that basically exposed? Can't someone just get to the php and see that information?

I really appreciate the help, very willing to read and learn the right way to do things!

user2792624
    look at prepared statements – Arian Faurtosh Sep 24 '13 at 18:32
  • possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Arian Faurtosh Sep 24 '13 at 18:32
  • If you're new to scripting, [learn the best practices](http://www.phptherightway.com/) before you fall into a trap. In your case, have a look at the [databases](http://www.phptherightway.com/#databases) section and use a database abstraction layer like [Doctrine](http://doctrine-project.org/) at the very least. – tadman Sep 24 '13 at 18:42

1 Answer


These two questions will help you.

  1. How can I prevent SQL injection in PHP?

  2. How can I specify sql sort order in sql query

    SELECT * FROM mydbtable ORDER BY date
    

And for having db passwords and connections in the open... typically people just include that php file (even though it doesn't make it any safer). However, if you have root access to your filing systems, you could put it in a high enough directory where it is above your htdocs, and it won't be accessible by url.

dbconnect.php

<?php
$con=mysqli_connect("localhost","myuser","mypassword","mydb");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

index.php

<?php
include 'dbconnect.php';

However, this doesn't actually make it any safer, it only is convenient that you won't accidentally post your code with your password.
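Putting the three points of the answer together (prepared statements instead of interpolating `$_POST`, a self-filling timestamp column for `ORDER BY ... DESC`, and credentials in a file above the web root), here is an added example that is not the asker's or the answerer's code. It assumes a column named `created_at` (the "date" column the question asks about), a config file at `/var/www/config/db.php` that returns an array, and the four category values from the question's form; all of those are assumptions, not something the page specifies.

```php
<?php
// Added example, not code from the question or the answer.
// Assumed table (constructed schema; column names are assumptions):
//
//   CREATE TABLE mydbtable (
//     id         INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
//     category   VARCHAR(32)  NOT NULL,
//     contents   TEXT         NOT NULL,
//     created_at TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP
//   );
//
// Assumed credentials file, stored ABOVE htdocs so no URL reaches it:
//   /var/www/config/db.php
//   <?php return ['host'=>'localhost','user'=>'myuser','pass'=>'mypassword','db'=>'mydb'];

declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function db(): mysqli
{
    $cfg = require '/var/www/config/db.php';   // assumed path outside the web root
    $con = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']);
    $con->set_charset('utf8mb4');
    return $con;
}

// The values the <select> in the form can legitimately send.
const ALLOWED_CATEGORIES = ['category 1', 'category 2', 'category 3', 'Other'];

// send_post.php replacement: validate, then INSERT with a prepared statement.
// Placeholders send the user's text separately from the SQL, so it can never
// change the query's structure. created_at fills itself in from the DEFAULT.
function savePost(mysqli $con, string $category, string $contents): int
{
    if (!in_array($category, ALLOWED_CATEGORIES, true)) {
        throw new InvalidArgumentException('unknown category');
    }
    $contents = trim($contents);
    if ($contents === '' || strlen($contents) > 4000) {
        throw new InvalidArgumentException('contents must be 1..4000 bytes');
    }
    $stmt = $con->prepare('INSERT INTO mydbtable (category, contents) VALUES (?, ?)');
    $stmt->bind_param('ss', $category, $contents);
    $stmt->execute();
    return (int) $con->insert_id;
}

// Escape for HTML output; the stored text is never trusted when displayed.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Clickable links without accepting raw HTML from users: split the text on
// bare http(s) URLs, escape every piece, and wrap only the URL pieces in <a>.
function linkify(string $s): string
{
    $parts = preg_split('~(https?://[^\s<>"\']+)~i', $s, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        // Odd indexes are the captured URLs, even ones are plain text.
        $out .= ($i % 2 === 1)
            ? '<a href="' . e($part) . '" rel="nofollow noopener">' . e($part) . '</a>'
            : e($part);
    }
    return $out;
}

// Display script replacement: newest post first, every cell escaped.
function renderPosts(mysqli $con): string
{
    $sql = 'SELECT category, contents, created_at FROM mydbtable ORDER BY created_at DESC, id DESC';
    $result = $con->query($sql);
    $html = "<table border='1'><tr><th>Category</th><th>Contents</th><th>Posted</th></tr>";
    while ($row = $result->fetch_assoc()) {
        $html .= '<tr><td>' . e($row['category']) . '</td>'
               . '<td>' . linkify($row['contents']) . '</td>'
               . '<td>' . e($row['created_at']) . '</td></tr>';
    }
    return $html . '</table>';
}

// Request handling for the form: insert first, redirect only on success.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        savePost(db(), (string) ($_POST['category'] ?? ''), (string) ($_POST['contents'] ?? ''));
        header('Location: /myhomepage.php', true, 303);
        exit;
    } catch (InvalidArgumentException $ex) {
        http_response_code(400);
        echo e($ex->getMessage());
    }
}
```

The form from the question can stay as it is; only the two PHP scripts change. Note the order of operations in the POST branch: the original script sends the `Location` header before the insert and then keeps running, so a failed insert still redirects to the home page; here the redirect only happens after `execute()` returns without throwing. Moving the credentials file above the document root is what stops a misconfigured server from serving it as plain text, which the `include` on its own does not do.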

Arian Faurtosh