I have the below code for a form. At one time, when I went to my page I saw some data/link in my site. I guess a hacker entered some script in a data field.

Someone please help me with how I can protect my page.
<form name="myForm"> <!-- the action and method attributes were missing from the posted snippet -->
<input type="hidden" name="subject" value="Form Submission" />
<input type="hidden" name="redirect" value="thankyou.html" />

<br><b>Submit request to add your business:</b> <script language="JavaScript">document.write(findersHTML('CATEGORY'));</script><br>
<p style="margin-top:10px;"></p>

<div style="float:left;">
<!-- maxlength only limits what the browser lets the user type; the server must check lengths again -->
<b>First Name</b><br><input type="text" name="FNAME" class="textField1" maxlength="15" style="width:200px;"><p style="margin-top:6px;"></p>

<b>Last Name</b><br><input name="LNAME" type="text" class="textField1" maxlength="15" style="width:200px;"><p style="margin-top:6px;"></p>

<b>Phone No.</b><br><input name="Phone" type="number" class="textField1" maxlength="12" style="width:100px;"><p style="margin-top:6px;"></p>

<b>Email</b><br><input name="EMAIL" type="text" class="textField1" maxlength="85" style="width:300px;">
<br /><br><b>Business Type:</b><br><input name="business" type="text" class="textField1" maxlength="16" style="width:200px;">
<br />
<!-- the posted form gave all four address inputs name="Address", so only one value would reach the server; each field now has its own name -->
<b>Business Street Address:</b><br><input name="Address" type="text" class="textField1" maxlength="35" style="width:300px;">
<br/><b>Business City:</b><br><input name="City" type="text" class="textField1" maxlength="15" style="width:150px;">
<br/><b>Business State:</b><br><input name="State" type="text" class="textField1" maxlength="15" style="width:90px;">
<br/><b>Business ZipCode:</b><br><input name="Zip" type="text" class="textField1" maxlength="5" style="width:50px;">

<br><b>Your Message</b><br>
<!-- the textarea tag was never closed; maxlength 225 matches the counter's starting value below -->
<textarea name="message1" wrap="physical" cols="28" rows="5" maxlength="225"></textarea>
<input readonly type="text" name="remLen1" size="3" maxlength="3" value="225">
characters left

<input type="Submit" name="Submit" value="Submit">
</div>
</form>


Discussion span: 6 years. Last post by diafol.

Google for "sql injection". Protect your database (in gdform.php), not your form. You cannot do anything against malicious data coming in. But you can protect against processing it.


A person that enters some script in a form field is not a hacker. Besides the functions that PHP has (mentioned above), acknowledge that for many years now the standard way is prepared statements.

Some people out there (who, I must say, have done a great job) implemented all of that in PDO for PHP. It will take you a day or two to understand PDO and start using it, but then you will look back at code written without it and it will look like it came out of the Stone Age.
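As an added example, not the original poster's gdform.php and not code from either reply, here is how a PHP handler for the form in the question could store a submission with a PDO prepared statement, so whatever is typed into `message1` or the other fields is treated as data rather than SQL, and escape it with `htmlspecialchars()` before echoing it back, so a pasted script tag is shown as text instead of running. The table `submissions`, the DSN and credentials, and the field names `City`, `State` and `Zip` (the posted form reused `Address` for all four) are assumptions.

```php
<?php
// Added example (not the original poster's gdform.php): store the form from the question
// with PDO prepared statements and escape anything echoed back. Table/DSN/credentials are assumed.

// Field names come from the form in the question; limits mirror its MAXLENGTH values.
// City/State/Zip are assumed names: the posted form reused "Address" for all four.
$fields = [
    'FNAME' => 15, 'LNAME' => 15, 'Phone' => 12, 'EMAIL' => 85, 'business' => 16,
    'Address' => 35, 'City' => 15, 'State' => 15, 'Zip' => 5, 'message1' => 225,
];

function collectFields(array $post, array $limits): array {
    $clean = [];
    foreach ($limits as $name => $max) {
        $value = isset($post[$name]) ? trim((string) $post[$name]) : '';
        // MAXLENGTH in HTML is only enforced by the browser; check it here as well.
        if (mb_strlen($value) > $max) {
            throw new InvalidArgumentException("$name exceeds $max characters");
        }
        $clean[$name] = $value;
    }
    if ($clean['EMAIL'] !== '' && filter_var($clean['EMAIL'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('EMAIL is not a valid address');
    }
    return $clean;
}

function storeSubmission(PDO $db, array $row): void {
    // Named placeholders keep the values out of the SQL text, so quotes or SQL
    // keywords typed into a field are stored as the literal string, never executed.
    $stmt = $db->prepare(
        'INSERT INTO submissions (fname, lname, phone, email, business, address, city, state, zip, message)
         VALUES (:FNAME, :LNAME, :Phone, :EMAIL, :business, :Address, :City, :State, :Zip, :message1)'
    );
    $stmt->execute($row); // array keys match the placeholder names
}

// Escape on output: a stored "<script>" tag is rendered as text, not run by the browser.
function escapeForHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
    $row = collectFields($_POST, $fields);
    storeSubmission($db, $row);
    echo 'Thanks, ' . escapeForHtml($row['FNAME']) . ', your request was received.';
}
```

The same `escapeForHtml()` call belongs anywhere the stored values are later printed into a page, which is where the script the poster saw would otherwise have been injected.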
