3
\$\begingroup\$

I made this anti SQL Injection, I tested if I can still send queries, and it is looks good. could you tell me if you see any problem I missed, before I launch this to the internet? (this is contact us form, no log in)

<?php

if(isset($_POST['submit'])) {

    $name = $_POST['username'];
    $email =  $_POST['email'];
    $text =  $_POST['textt'];

    $connection = mysqli_connect('localhost', 'root', '',  'database1');

    if($name && $email && $text ) {

        echo  "thanks you for contacting us, we will respond within 24 hours.";
    }
    else {
        echo  "Please enter name, email and your message.";

        // echo  $result;
    }

    $name = mysqli_real_escape_string($connection, $name);

    $email = mysqli_real_escape_string($connection, $email);

    $text = mysqli_real_escape_string($connection, $text);


    $query = "INSERT INTO info(username,email,textt) ";
    $query .= "VALUES ('$name', '$email', '$text')";

    mysqli_query($connection, $query);

}

?>
\$\endgroup\$
0

1 Answer 1

Reset to default
5
\$\begingroup\$

For security, bind user supplied values when including them in a query.

Here's what that could look like using mysqli and the information provided https://www.php.net/manual/en/mysqli-stmt.bind-param.php

// renamed `textt` to `text`
$stmt = $mysqli->prepare('INSERT INTO `info` (`username`,`email`,`text`) VALUES (?,?,?);');
$stmt->bind_param($username, $email, $text);
$stmt->execute();
$stmt->close();

Here's what that would look like using PDO, should that connection be considered. https://www.php.net/manual/en/pdostatement.bindparam.php

Perhaps consider renaming your column textt to something more descriptive?

Also, normally, you'd want to provide some validation on user supplied input to prevent bots and help prevent user error.

e.g. for the email address:

if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
  $email = $_POST['email'];
} else {
  // often handled with a message or alert funciton
  echo 'Please enter a valid email';
  $error = true;
}

e.g. for the username:

if(!ctype_space($_POST['username'])) {
    $username = trim($_POST['username']);
} else {
    // as before often handled by a message/alert function
    echo 'Please provide a valid email address';
    $error = true;
}

It's often helpful to store the IP address of the requester. The following can be spoofed, and there are better functions out there, but it is often better than nothing.

$ip_address = $_SERVER['REMOTE_ADDR'];

There are solutions to help ensure it's not a bot completing your form, e.g. reCAPTCHA and honey pots. They're not always appropriate from a UX, UI, security standpoint, but I feel that should be mentioned as well.

I hope this was helpful!

\$\endgroup\$
2
  • \$\begingroup\$ trim() the username before testing its length, not after. \$\endgroup\$ Commented Dec 29, 2019 at 7:27
  • \$\begingroup\$ We'd be better off checking for all whitespace if you want to get technical, updated. And the username suggests a name is already in the database, which could be checked. Or have a format that could be checked with regex. But then again wouldnt they be authenticated by then anyways. \$\endgroup\$ Commented Dec 29, 2019 at 15:25

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.