
Alright, I have a website which is hosted on an Apache FTP server. This website has a form, and when it is submitted I want the data from the form to be transferred to a MySQL database.

Example of HTML form:

<form action="process.php" method="post">
    <input type="text" name="username" placeholder="Username">
    <input type="email" name="email" placeholder="Email">
    <input type="submit" value="Submit">
</form>

Example of php script:

<?php
$servername = "localhost";
$username = "db_user";
$password = "db_password";
$dbname = "your_database";

// Create a connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Retrieve form data
$username = $_POST['username'];
$email = $_POST['email'];

// Insert data into the database
$sql = "INSERT INTO users (username, email) VALUES ('$username', '$email')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

// Close the connection
$conn->close();
?>

My problem is, what's happening in the action prop exactly? Is the client directly accessing the PHP script and executing it? Or does the action prop just tell the server to execute this specific script, so there's no risk it can be accessed by the client?

How am I sure this php file can't be accessed by the client?

My only problem is with the database credentials and the sql command.

Is there a 100% safe way to do this, or is this code already "safe" enough?

Additional info:

  • My website is in the folder public_html
  • 3
    An end user could view the source of your form and see that it's being sent to `process.php`. They could then send requests directly to it if they wanted to. Each request would execute the code in that PHP file. However, they could never view the contents of the php file without gaining remote access to your server. – outlaw Aug 30 '23 at 13:04
  • 1
    `Is the client directly accessing the php script and executing it`...not really. They're sending a HTTP request to a URL, which happens to point to a PHP script. If the webserver is correctly configured, it will execute the PHP code, and send the _output of executing that script_ as the response back to the browser/client. The actual source code itself never leaves the server. – ADyson Aug 30 '23 at 13:09
  • 4
    P.S. **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unparameterised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Aug 30 '23 at 13:10
  • 2
    https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) . Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use that resource again. – ADyson Aug 30 '23 at 13:10
  • 1
    And please bring your SQL error handling into the 21st century. Add `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` before your `mysqli_connect()` (or `new mysqli()`) command, and this will ensure that errors with your SQL queries are reported correctly to PHP automatically. That way you don't need to clutter your script with repetitive code to keep checking errors after every mysqli command. And you should never be echoing error data deliberately - it can easily reveal sensitive info to attackers by accident. I guess you got all this code from some ancient, obsolete tutorial? – ADyson Aug 30 '23 at 13:10
  • Nah, I got it from GPT hehe. But about error handling and the SQL injection, I'll be handling it correctly. Also thanks for the tips. My only issue was this one. I wanted to make sure that the contents of the PHP file can't be accessed by the client. That was my only problem and fear. Thanks for your patience! – MindYourBusiness Aug 30 '23 at 13:17
  • 2
    GPT probably got it from some ancient, obsolete tutorial, then. Remember, it doesn't know how to program, it knows how to put words in the right order so they sound coherent / plausible in a sentence (or in a computer program, which is also a language of sorts). Its primary skill is having a nice conversation with you, a secondary skill is sometimes being able to create plausible-looking content based on what it has scraped from elsewhere. But as they say...garbage in, garbage out...and it often doesn't know the difference. – ADyson Aug 30 '23 at 13:19
  • 1
    Have a read of https://theconversation.com/chatgpt-is-great-youre-just-using-it-wrong-198848 – ADyson Aug 30 '23 at 13:20
  • 1
    Anyway yes, it's entirely safe from revealing your PHP source code, as long as your server is correctly set up before you deploy the code (see https://stackoverflow.com/questions/12142172/apache-shows-php-code-instead-of-executing-it) – ADyson Aug 30 '23 at 13:21
  • Yeah, well said friend. GPT is basically your cellphone autocorrect tool. But really, thanks for answering me, for real. It's just that I'm used to programming in JS, and using Node.js servers to handle requests. I have never ever heard of PHP in my life, and started learning it recently. When I saw a file being sent to the action prop, in my head it made sense that there could be a risk of the client accessing and viewing the contents of that file. – MindYourBusiness Aug 30 '23 at 13:27
  • 1
    Well in that sense, it works no differently to how nodeJS would interact with a HTML form. The HTML form is submitted, the browser sends a HTTP request to a URL, the webserver picks up the request and processes it (whether that involves serving static content, sending it to nodeJS, sending it to PHP, sending it to python, or whatever). The scenario is basically identical, just with a different scripting language plugged into the webserver. It wouldn't reveal your nodeJS code either, for the same reason. – ADyson Aug 30 '23 at 13:28
  • But thank you for your piece of wisdom, and I'll take care and write safe code, you can bet on that! And for sure, I'll be reading that article! – MindYourBusiness Aug 30 '23 at 13:29
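As an added example that is not the asker's code nor any commenter's, here is what `process.php` looks like once the advice in the comments is applied: `mysqli_report()` turns driver errors into exceptions, the `INSERT` becomes a prepared statement with bound parameters so the submitted values can never be parsed as SQL, and the client only ever sees a generic message while the real error goes to the server log. It assumes the same `users(username, email)` table and the same placeholder credentials as the question's script; the length limit on `username` and the 405/400 responses are illustrative choices.

```php
<?php
// Added example (not the asker's script): a hardened process.php.
// Assumes the table users(username, email) and the placeholder
// credentials from the question; adjust both for your own setup.

// Report mysqli errors as exceptions. No per-call error checks are needed,
// and raw driver messages are never echoed back to the browser.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The form uses method="post"; refuse anything else.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

$username = trim($_POST['username'] ?? '');
$email    = trim($_POST['email'] ?? '');

// Server-side validation. The browser's type="email" check is advisory only:
// a client can send any request body straight to this URL, bypassing the form.
// The 64-character limit is an assumed application rule, not a MySQL default.
if ($username === '' || strlen($username) > 64
    || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid input');
}

try {
    $conn = new mysqli('localhost', 'db_user', 'db_password', 'your_database');
    $conn->set_charset('utf8mb4');

    // Prepared statement: the SQL text is fixed, and the two values are sent
    // to the server as data bound to the placeholders, so a username such as
    // "x', 'y'); DROP TABLE users; --" is stored literally, never executed.
    $stmt = $conn->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $email);
    $stmt->execute();

    echo 'New record created successfully';
} catch (mysqli_sql_exception $e) {
    // Keep the detail (table names, SQL text) server-side; tell the client
    // only that the request failed.
    error_log('process.php: ' . $e->getMessage());
    http_response_code(500);
    echo 'Sorry, something went wrong';
}
```

The credentials at the top of the file are never sent to the browser, for the reason given in the comments: Apache hands the file to the PHP interpreter and returns only its output. A common defence in depth against the misconfiguration case linked above (Apache serving `.php` files as plain text) is to keep the credentials in a small config file outside `public_html` and `require` it from the script, so that even a mis-served script reveals no password.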
