
I have a simple PHP-HTML-CSS contact form which saves emails to a local email client's database (in my case, Roundcube's database, which is a standalone MySQL database, I think --- I haven't used the program yet). The data this simple form gathers is very trivial: things like name, email, phone number, etc., and no sensitive data such as state ID number, bank account details, credit details, passwords, etc.; the form data is sent to me by PHP's mail() function.

Over the years I have learned that saving emails in a local database (for example, the same database on which a website is being hosted) can be dangerous due to an attack named "database injection" (such as "SQL injection").

Is there a standard way to prevent database injections on the backend of simple web forms?
What should one ensure not to do, or to do, with a backend language so that after a form is submitted, it wouldn't reach the local email client's database if it included even the simplest sentence in any common querying language?

I am not asking for any code example; instead of HTML-PHP I could just as well ask about, I don't know, XML-Node.JS (?); I am asking about standard principles.

  • 3
    From the perspective of the server a web form is nothing special - just yet another untrusted user input. Thus the general recommendations about preventing SQL injections also apply here. Does this answer your question? [Best practises for preventing SQL injection?](https://security.stackexchange.com/questions/1257/best-practises-for-preventing-sql-injection) – Steffen Ullrich Mar 24 '21 at 11:21
  • @SteffenUllrich I am having a hard time answering; I found the question quite broad and the accepted answer mentions many concepts I have never come across (as a humble webmaster who is by no means a data security expert). I think my question here is much narrower as it deals with simple contact forms (no bank details, no passwords, no "sensitive" data); only things like "name", "email", "telephone"... Perhaps I should edit to clarify just that. – formprotector Mar 24 '21 at 11:31
  • 1
    Actually, a "simple contact form" is not that simple. The idea behind SQL injection is that an SQL statement is created from untrusted user input - and this can be and very often actually is a "simple" web form. For a good description of concepts and how to defend see https://bobby-tables.com/ – Steffen Ullrich Mar 24 '21 at 11:35
  • Always validate user input data. When interacting with the database in the backend, never trust user provided information to concatenate the SQL statements, always use parameters instead. – bradbury9 Mar 24 '21 at 13:54
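An added example, not code from the question or its comments, showing the advice in the comments above in PHP for this form's three fields: the concatenated query that is vulnerable, beside a validated, parameterised insert using PDO. The `contacts` table, its column names and the in-memory SQLite demo database are assumptions made here so the script runs without a MySQL server.

```php
<?php
// Added example (not from the question or its comments): a contact-form
// insert written two ways. Table and column names are assumed for illustration.
declare(strict_types=1);

// Constructed input: a name that carries a quote and SQL, the classic
// bobby-tables shape, to show how concatenation breaks and binding does not.
$input = [
    'name'  => "Robert'); DROP TABLE contacts; --",
    'email' => 'robert@example.com',
    'phone' => '+1 555 0100',
];

// UNSAFE: string concatenation lets the user's quote become SQL syntax.
function unsafeInsertSql(array $in): string {
    return "INSERT INTO contacts (name, email, phone) VALUES ('"
        . $in['name'] . "', '" . $in['email'] . "', '" . $in['phone'] . "')";
}

// Validate shape first (reject garbage early), independent of SQL safety.
function validateContact(array $in): array {
    $name  = trim((string)($in['name'] ?? ''));
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $phone = trim((string)($in['phone'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) { throw new InvalidArgumentException('bad name'); }
    if ($email === false) { throw new InvalidArgumentException('bad email'); }
    if (!preg_match('/^\+?[0-9 ()-]{5,20}$/', $phone)) { throw new InvalidArgumentException('bad phone'); }
    return ['name' => $name, 'email' => $email, 'phone' => $phone];
}

// SAFE: placeholders keep data and SQL apart; values are never parsed as SQL.
function safeInsert(PDO $db, array $in): void {
    $row = validateContact($in);
    $stmt = $db->prepare('INSERT INTO contacts (name, email, phone) VALUES (:name, :email, :phone)');
    $stmt->execute([':name' => $row['name'], ':email' => $row['email'], ':phone' => $row['phone']]);
}

// Demo against in-memory SQLite. For MySQL, change the DSN and set
// PDO::ATTR_EMULATE_PREPARES to false so the server itself does the binding.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT)');
safeInsert($db, $input);
echo 'Stored literally: ' . $db->query('SELECT name FROM contacts')->fetchColumn() . PHP_EOL;
echo 'What concatenation would have built: ' . unsafeInsertSql($input) . PHP_EOL;
```

The same separation of validation and binding applies to any field the form grows later; validation limits what reaches the database, the placeholder is what actually prevents injection.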
