I have the below code for a form. At one time, when I went to my page I saw some data/link on my site. I guess a hacker entered some script in a data field.

Someone please help me with how I can protect my page.
<form name="myForm">
<input type="hidden" name="subject" value="Form Submission" />
<input type="hidden" name="redirect" value="thankyou.html" />

<br><b>Submit request to add your business:</b> <script language="JavaScript">document.write(findersHTML('CATEGORY'));</script><br>
<p style="margin-top:10px;"></p>

<div style="float:left;">
<b>First Name</b><br><input type="text" name="FNAME" class="textField1" maxlength="15" style="width:200px;"><p style="margin-top:6px;"></p>

<b>Last Name</b><br><input name="LNAME" type="text" class="textField1" maxlength="15" style="width:200px;"><p style="margin-top:6px;"></p>

<!-- maxlength is ignored by type="number"; the server must check the length anyway -->
<b>Phone No.</b><br><input name="Phone" type="number" class="textField1" maxlength="12" style="width:100px;"><p style="margin-top:6px;"></p>

<b>Email</b><br><input name="EMAIL" type="text" class="textField1" maxlength="85" style="width:300px;">
<br /><br><b>Business Type:</b><br><input name="business" type="text" class="textField1" maxlength="16" style="width:200px;">
<br />
<!-- the original used name="Address" for all four address fields, so only the last one was submitted; each now has its own name -->
<b>Business Street Address:</b><br><input name="Address" type="text" class="textField1" maxlength="35" style="width:300px;">
<br/><b>Business City:</b><br><input name="City" type="text" class="textField1" maxlength="15" style="width:150px;">
<br/><b>Business State:</b><br><input name="State" type="text" class="textField1" maxlength="15" style="width:90px;">
<br/><b>Business ZipCode:</b><br><input name="Zip" type="text" class="textField1" maxlength="5" style="width:50px;">

<br><b>Your Message</b><br>
<textarea name="message1" wrap="physical" cols="28" rows="5"></textarea>
<input readonly type="text" name="remLen1" size="3" maxlength="3" value="225">
characters left

<input type="Submit" name="Submit" value="Submit">
</div>
</form>


Google for "sql injection". Protect your database (in gdform.php), not your form. You cannot do anything against malicious data coming in. But you can protect against processing it.


mysql_real_escape_string() and html_entities(). Maybe strip_tags too.

A person that enters some script in a form field is not a hacker. Besides the functions that PHP has (mentioned above), acknowledge that for many years now the standard way is prepared statements.

Some people out there (who I must say have done a great job) implemented all of that in PDO for PHP. It will take you a day or two to understand PDO and start using it, but then you will look back at code written without it and it will look like it came out of the Stone Age.
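As an added example (not the poster's gdform.php and not from any of the replies), here is what the server-side handling the replies describe looks like with PDO: the submitted fields are length-checked on the server, stored through a prepared statement so they never become part of the SQL text, and escaped with htmlspecialchars() when they are written back into the page. The table name, DSN and credentials are placeholders.

```php
<?php
// Added example, not the poster's gdform.php: store the form with a PDO prepared
// statement and escape stored values when shown. Assumes a table "submissions"
// (fname, lname, email, message); DSN and credentials are placeholders.
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4', 'db_user', 'db_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}
// Server-side length check: MAXLENGTH on the <input> is only a UI hint and is trivially bypassed.
function field(array $src, string $name, int $max): string
{
    $value = trim((string)($src[$name] ?? ''));
    if ($value === '' || mb_strlen($value) > $max) {
        throw new InvalidArgumentException("Field $name is missing or longer than $max characters");
    }
    return $value;
}
function storeSubmission(PDO $pdo, array $post): int
{
    $fname   = field($post, 'FNAME', 15);
    $lname   = field($post, 'LNAME', 15);
    $email   = field($post, 'EMAIL', 85);
    $message = field($post, 'message1', 225);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    // Bound parameters never become part of the SQL text, so the data needs no escaping here.
    $stmt = $pdo->prepare('INSERT INTO submissions (fname, lname, email, message)
                           VALUES (:fname, :lname, :email, :message)');
    $stmt->execute([':fname' => $fname, ':lname' => $lname, ':email' => $email, ':message' => $message]);
    return (int)$pdo->lastInsertId();
}
// Escape at output time: a stored "<script>" is shown as text ("&lt;script&gt;"), not executed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $id = storeSubmission(connect(), $_POST);
        echo '<p>Thank you, ' . h($_POST['FNAME']) . '. Submission #' . $id . ' received.</p>';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo '<p>' . h($e->getMessage()) . '</p>';
    }
}
```

The same h() helper must be applied wherever the stored rows are later listed on the site, since the link the poster saw was stored data being rendered as HTML, not the INSERT itself.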


PDO is useful, I admit.