Secure Form Input From Hacker Using PHP Javascript

Belajar Online
Belajar Online
January 25, 2023


To secure input in PHP when inserting data into a database, you should use prepared statements with parameterized queries. This prevents SQL injection attacks by separating the data from the query and properly escaping any special characters in the input. Additionally, you should validate and sanitize user input to ensure that it is in the expected format and does not contain any malicious code. You can use built-in functions such as filter_var() or custom regular expressions to do this.

Here is an example of using prepared statements with parameterized queries to insert data into a MySQL database in PHP:

<?php
// Connect to the database
$db = new PDO('mysql:host=localhost;dbname=mydatabase', 'username', 'password');
// Prepare the query
$stmt = $db->prepare("INSERT INTO users (name, email) VALUES (:name, :email)");
// Bind the parameters
$stmt->bindParam(':name', $name);
$stmt->bindParam(':email', $email);
// Set the values
$name = "John Smith";
$email = "john.smith@example.com";
// Execute the query
$stmt->execute();
?>

Note that in the above example, the values for the name and email fields are set separately from the query and are passed in as parameters. This prevents any malicious input from modifying the query itself and causing an SQL injection attack.


You can validate and sanitize user input before insert into database, example :


$name = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);

This will ensure that the name variable only contains valid string characters and the email variable is a properly formatted email address.

While it's important to secure the server-side code that handles user input, it's also important to validate and sanitize user input on the client-side using JavaScript. This can help prevent malicious input from being sent to the server in the first place, reducing the risk of a successful attack.


Here is an example of validating and sanitizing user input using JavaScript:

// Get the form element
var form = document.getElementById("myForm");
// Add a submit event listener to the form
form.addEventListener("submit", function(event) {
    event.preventDefault(); // prevent form from submitting
    // Get the input elements
    var name = document.getElementById("name").value;
    var email = document.getElementById("email").value;
    // Validate the name
    if (!name || name.length < 3) {
        alert("Please enter a valid name with at least 3 characters.");
        return;
    }
    // Validate the email
    if (!email || !email.match(/^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$/)) {
        alert("Please enter a valid email address.");
        return;
    }
    // Sanitize the name and email
    name = name.replace(/[^a-zA-Z0-9 ]/g, "");
    email = email.replace(/[^a-zA-Z0-9@._-]/g, "");
    // Send the data to the server
    // ...
});

In this example, the form's submit event is intercepted and the form is prevented from submitting until the input has been validated and sanitized. The name input is checked to ensure that it contains at least 3 characters, and the email input is checked to ensure that it matches a specific regular expression for a valid email address.

It's also a good practice to use HTTPS (HTTP Secure) protocol to secure data in transit between client and server.

Note that while client-side validation and sanitization can help improve security, it should not be relied on as the sole means of protecting against malicious input. It is still important to validate and sanitize on the server-side as well.