
I'm a complete beginner to PHP. My code has a feedback form that sends data to MySQL. I'm not sure how to secure this against SQL injection. I would love your help.

Here is the code:

    <?php
    if (isset($_POST["send_message"])) {
        $hostname = 'localhost';
        $username = '';
        $password = '';

        try {
            $dbh = new PDO("mysql:host=$hostname;dbname=dbname", $username, $password);
            $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            // The form value is pasted straight into the SQL string, which is
            // what leaves this query open to SQL injection.
            $message = $_POST['message'];
            $sql = "INSERT INTO tbl_contact (message) VALUES ('$message')";

            if ($dbh->query($sql)) {
                include "thanks.php";
            } else {
                echo "<script type='text/javascript'>alert('Data not successfully Inserted.');</script>";
            }

            $dbh = null;
        } catch (PDOException $e) {
            // Prints the raw database error message to the visitor.
            echo $e->getMessage();
        }
    }
    ?>

Update: I'm trying to use prepared statements and bind parameters, but I get an error: Uncaught Error: Call to undefined method PDOStatement::bind_param().

Here is the updated code:

    <?php
    if (isset($_POST["send_message"])) {
        $dbConnection = new PDO('mysql:dbname=sondagg9_submit;host=localhost;charset=utf8', 'sondagg9_travadm', 'Mc%F}SrGk5m5#t<Crb4?');
        $dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $stmt = $dbConnection->prepare('INSERT INTO tbl_contact (message) VALUES (?)');
        // bind_param() is a mysqli method; PDOStatement has no such method,
        // which is what produces the "Call to undefined method" error.
        $stmt->bind_param('s', $message);
        $message = $_POST['message'];
        $stmt->execute();
        // get_result() is also mysqli-only.
        $result = $stmt->get_result();
    }
    ?>

SOLVED: Thanks to your comments, I've been able to solve the issue this way:

    <?php
    if (isset($_POST["send_message"])) {
        $dbConnection = new PDO('mysql:dbname=sondagg9_submit;host=localhost;charset=utf8', 'sondagg9_travadm', 'Mc%F}SrGk5m5#t<Crb4?');
        $dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $message = $_POST['message'];
        // Named placeholder: the value is handed to execute() and never
        // becomes part of the SQL text.
        $stmt = $dbConnection->prepare('INSERT INTO tbl_contact (message) VALUES (:message)');
        $stmt->execute(['message' => $message]);
    }
    ?>
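Added example (not the asker's code and not from the comments) of the same insert done with PDO placeholders, split into small functions; the connection details are placeholders, and the demo at the bottom uses an in-memory SQLite table of the same shape instead of MySQL so it runs offline:

```php
<?php
declare(strict_types=1);

// Connection settings are placeholders; options given to the constructor
// take effect before any statement is prepared.
function connectMysql(string $db, string $user, string $pass): PDO
{
    return new PDO(
        "mysql:host=localhost;dbname=$db;charset=utf8mb4",
        $user,
        $pass,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// The placeholder is part of the SQL; the value is sent separately, so
// quotes in $message are stored as data and cannot alter the statement.
function insertMessage(PDO $dbh, string $message): int
{
    $stmt = $dbh->prepare('INSERT INTO tbl_contact (message) VALUES (:message)');
    $stmt->bindValue(':message', $message, PDO::PARAM_STR); // PDO method, not mysqli's bind_param()
    $stmt->execute();
    return (int) $dbh->lastInsertId();
}

// Form handler: database errors go to the server log, not to the visitor.
function handleForm(PDO $dbh, array $post): string
{
    if (!isset($post['send_message'], $post['message'])) {
        return 'Nothing to do.';
    }
    try {
        insertMessage($dbh, (string) $post['message']);
        return 'Thanks, your message was saved.';
    } catch (PDOException $e) {
        error_log($e->getMessage());
        return 'Sorry, your message could not be saved.';
    }
}

// Offline demo: an in-memory SQLite table with the same shape, and a
// constructed message full of quotes to show it is stored intact.
$dbh = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$dbh->exec('CREATE TABLE tbl_contact (id INTEGER PRIMARY KEY, message TEXT NOT NULL)');
$post = ['send_message' => '1', 'message' => "It's a 'test' with \"quotes\""];
echo handleForm($dbh, $post), PHP_EOL;
echo $dbh->query('SELECT message FROM tbl_contact')->fetchColumn(), PHP_EOL;
```

For the real site, replace the SQLite connection with connectMysql() and the same insertMessage() and handleForm() work unchanged.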
  • This is not a coding service, and people will not help you unless you have a specific question where you also post what you have tried so far. For me it seems that you're beginning at the wrong end. Read up on form protection against SQL injection first, and if you can't find a good implementation, come back with a more specific question. Thank you :) – Thomas Darvik May 11 '18 at 21:09
  • Use prepared statements – Felippe Duarte May 11 '18 at 21:11
  • Some indentation of your code could improve its readability. – Qirel May 11 '18 at 21:12
  • Use prepared statements, and don't show errors to the user. – Qirel May 11 '18 at 21:13
  • Looks like a good time to see for yourself why your code is not secure. Just play around with single quotes in $_POST['message'], and you'll see database errors that can leak information about your database. Here is another link on how to do it properly: http://php.net/manual/en/pdo.prepare.php – jh1711 May 11 '18 at 21:15
  • As a first step, consult the OWASP (Open Web Application Security Project) ... LMGTFY https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet – spencer7593 May 11 '18 at 21:31
  • Thanks for your help and suggestions. I've gone hours trying to work around this. Every prepared statement I've tried to implement doesn't work. I've read that cheat sheet a few times, just not sure how to apply it to my specific case. – timo.design May 11 '18 at 21:38
  • `bind_param` is the `mysqli` method. A quick trip to the [PDO documentation](http://php.net/manual/en/pdo.prepared-statements.php) shows you the correct way, which is either `bindParam` or using named placeholders like `:message` and then `execute([ 'message' => $_POST['message'] ])`. The first thing to do when encountering errors like this is to check the documentation and ensure you're doing it correctly. We all make mistakes, and the best way to correct them is to go to the source material. – tadman May 11 '18 at 21:54
