I have written code to send a simple email submission form to a SQL table so that I can manage the data. I would like feedback on whether or not the code that I have written is efficient and secure. I have a config file that defines constants for database credentials.
HTML FORM
<form method="post" action="index.php">
    <input class="bt-email" type="email" name="email" placeholder="enter email address">
    <input class="bt-submit" type="submit" value="let's get moving!">
</form>
PHP Database Code File
try {
    $db = new PDO("mysql:host=" . DB_HOST . ";dbname=" . DB_NAME . ";port=" . DB_PORT, DB_USER, DB_PASS);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("SET NAMES 'utf8'");
} catch (Exception $e) {
    echo "Could not connect to the database.";
    exit;
}
PHP/SQL Submission Code
<?php
require_once("inc/config.php");
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $email = $_POST["email"];
    require(ROOT_PATH . "inc/database.php");
    try {
        $db->exec("REPLACE INTO launch_email VALUES ('$email')");
    } catch (Exception $e) {
        echo "Data could not be submitted to the database.";
        exit;
    }
    header("Location: index.php?status=thanks");
    exit;
}
?>
2 Answers
You could possibly move the database include before the server checks and sets the $_POST variable, as it would not be needed if the database is unable to connect.
I notice there is no sanitization of the email variable. This may be helpful.
I will extend mulquin's short post.
Sanitizing your POST will enable you to make sure there are no SQL injections. Since you are using PDO, you should use the prepare() function rather than exec(). exec() doesn't escape your query (as shown in the link provided by mulquin).
Furthermore, you are not checking whether the email is indeed an email or not. What happens if it's not a real email address (i.e. the format is not [email protected])? You will be storing gibberish at this point. So add a bit of validation so that not only spammers won't just enter anything.
Comment by Ryan Salmons (Apr 11, 2014 at 3:06): Yeah, I plan on adding some server-side validation; I just wanted to see if my code was efficient and secure from a SQL standpoint. Thanks!
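To make both answers concrete (prepare() instead of exec(), and validating the address before it reaches the database), here is the submission handler rewritten the way the answers suggest. This is an added example, not the asker's code or code from either answer. It assumes the same inc/config.php constants (DB_HOST, DB_NAME, DB_PORT, DB_USER, DB_PASS, ROOT_PATH), the same inc/database.php that sets up $db, and that the launch_email table has a single column named `email` (the column name is an assumption; the question does not show the schema). It needs PHP 7.1 or later for the nullable type hints.

```php
<?php
// Added example, not the original poster's code: the POST handler from the
// question rewritten with a prepared statement and server-side validation.
// Assumes inc/config.php defines the DB_* constants and ROOT_PATH as in the
// question, and that launch_email has one column called `email` (assumed name).

require_once("inc/config.php");

/**
 * Return the trimmed, lower-cased address if it passes validation, else null.
 * Nothing that fails here is ever handed to the database.
 */
function validate_email(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $email = trim($raw);
    // 254 is the practical maximum length of an address; filter_var rejects
    // anything that is not shaped like a mailbox address.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return strtolower($email);
}

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    $email = validate_email($_POST["email"] ?? null);
    if ($email === null) {
        // Invalid input is bounced back before any database work is done.
        header("Location: index.php?status=invalid");
        exit;
    }

    // Same include as in the question; it creates $db (a PDO instance).
    require(ROOT_PATH . "inc/database.php");

    try {
        // The address is bound as a parameter, so it travels as data rather
        // than being spliced into the SQL text; a quote in the input can no
        // longer terminate the string literal the way it could with exec().
        $stmt = $db->prepare("REPLACE INTO launch_email (email) VALUES (:email)");
        $stmt->bindValue(":email", $email, PDO::PARAM_STR);
        $stmt->execute();
    } catch (PDOException $e) {
        // Keep the detail in the server log; the visitor only sees a generic line.
        error_log("launch_email REPLACE failed: " . $e->getMessage());
        echo "Data could not be submitted to the database.";
        exit;
    }

    header("Location: index.php?status=thanks");
    exit;
}
```

Two caveats that follow from the question's database.php: with the MySQL driver, PDO emulates prepared statements client-side unless `$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false)` is set, so adding that line next to the existing ATTR_ERRMODE call gives you real server-side parameter binding; and the connection character set is better declared in the DSN (`;charset=utf8`) than with a separate `SET NAMES`, because the DSN setting is what the client library uses when escaping during emulated prepares.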