user3894741

Reputation: 27

Securing a PHP form and MySQL database

I started using PHP and MySQL last week, so I apologise if my lack of basic understanding is frustrating.

I have a simple HTML form on my website that records a name, an email address and a short message.

<form action="insert.php" method="post">
Your full name:<input type="text" name="name">
Email address:<input type="text" name="email">
Short message:<textarea cols="30" rows="3" name="message"></textarea>
<input type="submit" value="Send">
</form>

And insert.php looks something like this...

<?php
// Connection details are placeholders; the real host, user, password and database name go here.
$con = mysqli_connect('localhost', 'db_user', 'db_password', 'db_name');
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
    exit; // do not carry on with a failed connection
}
// Escape each value for use inside the single-quoted SQL literals below.
$name = mysqli_real_escape_string($con, $_POST['name'] ?? '');
$email = mysqli_real_escape_string($con, $_POST['email'] ?? '');
$message = mysqli_real_escape_string($con, $_POST['message'] ?? '');

$sql = "INSERT INTO Donators (name, email, message, date)
VALUES ('$name', '$email', '$message', NOW())";

if (!mysqli_query($con, $sql)) {
    die('Error: ' . mysqli_error($con));
}

mysqli_close($con); // close before redirecting: nothing placed after exit would ever run

header('Location: thankyou.php');
exit;
?>

This is then sent to a MySQL database which I manage with phpMyAdmin.

My questions are...

  1. Is the code safe for the user, i.e. are their email addresses protected?
  2. Is the code safe for me, i.e. is the data being submitted protected in my database?
  3. And finally, what is the best way to stop "bots" filling in the forms, i.e. is reCAPTCHA the best thing to implement? I tried using Google's reCAPTCHA but, maybe because of my CSS or something, it didn't appear correctly.

Thank you very much for your help!

James

Upvotes: 1

Views: 1238

Answers (1)

Yves Lange

Reputation: 3974

1) It's never 100% secure. The code seems fine, but you should be aware of new patches and releases to update your MySQL instance as well as PHP and HTTP services.

2) Again... yes and no... it's your role to be sure it is. So as long as you don't display them on any webpage, we can assume it's "secure".

3) The best way is to make your own module so you won't suffer from bots that are "generic". By generic I mean those that counter generic captcha modules. You can, for example, ask a simple human question to the user. This should be sufficient to avoid the biggest spamming bots.

Best regards, hope this will help.

Upvotes: 1
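As an added example (not the original poster's code, nor the answerer's), here is insert.php rewritten the way a defender would: a prepared statement so user input never becomes part of the SQL text, server-side validation of each field, and the "simple human question" check the answer recommends. The host, credentials, database name, the extra form field "human" and its expected answer 'blue' are assumed placeholders.

```php
<?php
// Added example, not the original poster's code: insert.php with a prepared
// statement, server-side validation and a site-specific human question.
// Host, credentials, database name and the expected answer 'blue' are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions instead of silent failures
function validate_submission(array $post): array
{
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $message = trim($post['message'] ?? '');
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('Name is required (max 100 chars).');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address.');
    }
    if ($message === '' || mb_strlen($message) > 1000) {
        throw new InvalidArgumentException('Message is required (max 1000 chars).');
    }
    // Extra form field "human" asks a site-specific question, e.g. "What colour is the sky?"
    if (strcasecmp(trim($post['human'] ?? ''), 'blue') !== 0) {
        throw new InvalidArgumentException('Anti-spam question answered incorrectly.');
    }
    return [$name, $email, $message];
}
function insert_donator(mysqli $con, string $name, string $email, string $message): int
{
    // Bound parameters never become part of the SQL text, so no escaping is needed.
    $stmt = $con->prepare('INSERT INTO Donators (name, email, message, date) VALUES (?, ?, ?, NOW())');
    $stmt->bind_param('sss', $name, $email, $message);
    $stmt->execute();
    return $stmt->affected_rows;
}
try {
    [$name, $email, $message] = validate_submission($_POST);
    $con = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
    $con->set_charset('utf8mb4');
    insert_donator($con, $name, $email, $message);
    $con->close();
    header('Location: thankyou.php');
    exit;
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'); // escape before rendering
} catch (mysqli_sql_exception $e) {
    error_log('Donators insert failed: ' . $e->getMessage()); // detail to the log, not the user
    http_response_code(500);
    echo 'Sorry, something went wrong. Please try again later.';
}
```

Database errors go to the server log rather than the browser, so a visitor never sees table or column names, and the 400 path only echoes validation messages after escaping them.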
