2

I've made a html form using Bootstrap. I've used "required" to ensure data is populated in certain fields for the form to be submitted. This form goes to a php script that opens a database connection, inputs the values as per form submitted, directs to a thank you page and closes the connection.

Its my first hand coded form and my concern is security. How do I keep hackers/spammers at bay?

Can you point out, please, issues with my code so I can address them before I put this live. Please be gentle, Im a newbie with about 3 months of coding experience.

Please note the original form actually has 9 fields but I've omitted it presuming those details wont be necessary for this discussion.

HTML Code

<form class="form-horizontal" method="post" action="vacancy.php">
  <div class="form-group">
    <label for="company" class="col-sm-3 control-label">Company Name *</label>
      <div class="col-sm-6">
        <input type="text" name="company" class="form-control" placeholder="Enter Company Name" required />
      </div>
  </div>    
  <div class="form-group">
    <label for="contactperson" class="col-sm-3 control-label">Contact Person *</label>
      <div class="col-sm-6">
        <input type="text" name="contactperson" class="form-control" placeholder="Enter Full Name" required />
      </div>
  </div>
  <div class="form-group">
    <label for="designation" class="col-sm-3 control-label">Designation *</label>
      <div class="col-sm-6">
        <input type="text" name="designation" class="form-control" placeholder="Enter Designation" required />
      </div>
  </div>  
  <div class="form-group">
    <div class="col-sm-offset-3 col-sm-6">
      <button type="submit" class="btn btn-primary">Submit</button>
      <button type="reset" class="btn btn-default">Clear</button>
    </div>
  </div>
</form>

PHP Code

<?php
  $con=mysqli_connect("localhost","db2u","password","db2");
    if (mysqli_connect_errno())
     {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
     }
  $sql="INSERT INTO vacancy (Company, ContactPerson, Designation)
  VALUES
  ('$_POST[company]','$_POST[contactperson]','$_POST[designation]')";
    if (!mysqli_query($con,$sql))
     {
      die('Error: ' . mysqli_error($con));
     }
    header("Location: thankyou.html");
  mysqli_close($con);
?>

EDIT : So it seems I need validation. Im looking at jqBootstrapValidation. Even considering htmlspecialchars (which ever is easier). I believe both would do an equally good job right? PDO is a bit too much for me at the moment.

Gumbo
  • 643,351
  • 109
  • 780
  • 844
TheAllSeeingI
  • 171
  • 3
  • 10
  • I havent looked at your code too closely but there is no input validation. Basically at the moment you are allowing anyone to input anything including stuff that will compromise your database etc. Its a big topic but you can start easily by either using a framework such as codeigniter which does a lot of this stuff for you or get a book with some template code. The O'Reilly one called something like html php and mysql is a good place to start. – EnduroDave Feb 08 '14 at 10:50
  • possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Gumbo Feb 08 '14 at 11:13

3 Answers3

0

Your code could be compromised by SQL injection http://en.wikipedia.org/wiki/SQL_injection.

Try use htmlspecialchars or better use PDO instead of OLD and DANGEROUS mysql_* functions.

Stanislav Komanec
  • 49
  • 3
  • He’s already using MySQLi. And neither does `htmlspecialchars` help to protect against SQL injections nor is the MySQL extension dangerous, it’s just deprecated. – Gumbo Feb 08 '14 at 11:16
0

Never trust the user input. You should escape the strings with mysqli_real_escape_string() function. http://www.php.net/manual/en/mysqli.real-escape-string.php

$company = mysqli_real_escape_string($_POST[company]);

$contactperson = mysqli_real_escape_string($_POST[contactperson]);

$designation = mysqli_real_escape_string($_POST[designation]);

$sql="INSERT INTO vacancy (Company, ContactPerson, Designation) VALUES ('$company','$contactperson','$designation')";

Ed Capetti
  • 339
  • 2
  • 10
  • I would also suggest to perform some kind of validation. Does the user input make sense? E.g. check if a given email address is in a valid format before writing it to the database. – mwallisch Feb 08 '14 at 10:55
  • When I do this (and I remember trying this earlier as well), my table is empty. the ID counter increases but no data. – TheAllSeeingI Feb 08 '14 at 11:18
  • Can you comment an example of the data that you are trying to insert? – Ed Capetti Feb 08 '14 at 11:25
  • text majorly. one website. one email. phone numbers. there is one drop down for country selection. one query box. All are configured as VARCHAR(255) in mysql. – TheAllSeeingI Feb 08 '14 at 11:37
  • Try to debug it to locate the problem. `var_dump($_POST[]);` before mysqli_real_escape_string() functions. And then `var_dump($sql);` before executing the query. – Ed Capetti Feb 08 '14 at 11:41
0

You have not validated any field in your php code, you should put validation in php file too, any user can remove "required" from input and can post the data.

Shri Suresh
  • 463
  • 1
  • 5
  • 20