17th September 13, 12:50 PM
Join Date: Jan 2011
Re: need to secure a PHP feedback form
Alrite Ian, how's it going mate?
In SQL, you can use something called prepared statements.
Here is one I use to simply process a contact form:
There is no need to escape any data whatsoever because of the way prepared statements work. Just make sure when/if displaying any user input back to the client you use htmlspecialchars() in case they've attempted to insert some scripting.
$conn = new mysqli($host,$user,$pass,$db) or die("Error creating connection.");
$stmt = $conn->prepare("INSERT INTO enquiries (name,email,phone,user_comments,product_name,product_ref,product_comments,service_name,service_comments) VALUES (?,?,?,?,?,?,?,?,?)");
$row = $stmt->affected_rows;