3
\$\begingroup\$

I made this anti SQL Injection, I tested if I can still send queries, and it is looks good. could you tell me if you see any problem I missed, before I launch this to the internet? (this is contact us form, no log in)

<?php
if(isset($_POST['submit'])) {
 $name = $_POST['username'];
 $email = $_POST['email'];
 $text = $_POST['textt'];
 $connection = mysqli_connect('localhost', 'root', '', 'database1');
 if($name && $email && $text ) {
 echo "thanks you for contacting us, we will respond within 24 hours.";
 }
 else {
 echo "Please enter name, email and your message.";
 // echo $result;
 }
 $name = mysqli_real_escape_string($connection, $name);
 $email = mysqli_real_escape_string($connection, $email);
 $text = mysqli_real_escape_string($connection, $text);
 $query = "INSERT INTO info(username,email,textt) ";
 $query .= "VALUES ('$name', '$email', '$text')";
 mysqli_query($connection, $query);
}
?>
asked Dec 28, 2019 at 17:29
\$\endgroup\$
0

1 Answer 1

5
\$\begingroup\$

For security, bind user supplied values when including them in a query.

Here's what that could look like using mysqli and the information provided https://www.php.net/manual/en/mysqli-stmt.bind-param.php 

// renamed `textt` to `text`
$stmt = $mysqli->prepare('INSERT INTO `info` (`username`,`email`,`text`) VALUES (?,?,?);');
$stmt->bind_param($username, $email, $text);
$stmt->execute();
$stmt->close();

Here's what that would look like using PDO, should that connection be considered. https://www.php.net/manual/en/pdostatement.bindparam.php

Perhaps consider renaming your column textt to something more descriptive?

Also, normally, you'd want to provide some validation on user supplied input to prevent bots and help prevent user error.

e.g. for the email address:

if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
 $email = $_POST['email'];
} else {
 // often handled with a message or alert funciton
 echo 'Please enter a valid email';
 $error = true;
}

e.g. for the username:

if(!ctype_space($_POST['username'])) {
 $username = trim($_POST['username']);
} else {
 // as before often handled by a message/alert function
 echo 'Please provide a valid email address';
 $error = true;
}

It's often helpful to store the IP address of the requester. The following can be spoofed, and there are better functions out there, but it is often better than nothing.

$ip_address = $_SERVER['REMOTE_ADDR'];

There are solutions to help ensure it's not a bot completing your form, e.g. reCAPTCHA and honey pots. They're not always appropriate from a UX, UI, security standpoint, but I feel that should be mentioned as well.

I hope this was helpful!

answered Dec 29, 2019 at 0:47
\$\endgroup\$
2
  • \$\begingroup\$ trim() the username before testing its length, not after. \$\endgroup\$ Commented Dec 29, 2019 at 7:27
  • \$\begingroup\$ We'd be better off checking for all whitespace if you want to get technical, updated. And the username suggests a name is already in the database, which could be checked. Or have a format that could be checked with regex. But then again wouldnt they be authenticated by then anyways. \$\endgroup\$ Commented Dec 29, 2019 at 15:25

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.