I'm building a simple yet robust small e-commerce site.

What I want to know is:

Is it safer and more secure to put the MySQL commands, such as select, add, update and delete, in the same HTML form,

or to create another PHP file for that as a process?


I have an add-customer page.

The file is add.php,

and to add that into the database

I pass variables and do the insert in another file called:


Is it a big deal?

Can there be a possible security issue in that case?

Thank you!

MySQL commands are within the PHP script and not in the plain HTML, so it is safe to have them in the same script as the form. The commands are not (should not be) exposed to the browser.

I mean the same PHP script where I put the form.

I would say it would be a concern.

Generally, you want to keep the front end as far away from the back end (e.g. your database) as possible. Especially if it's for e-commerce, where you could be handling some sensitive data on your site (but even just in general), I think keeping your front-end code for building forms and pages from touching your database is important.

TySkby, what threats do you have in mind for cases where the HTML form and the MySQL commands are in the same script?
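The two positions in this thread (the SQL is safe in the same script because it never reaches the browser; the form code should still not touch the database directly) are both illustrated by the following add.php, written as an added example for this page rather than code posted by anyone in the thread. It assumes a MySQL table `customers` with columns `id`, `name` and `email`, and connection details in the environment variables DB_HOST, DB_NAME, DB_USER and DB_PASS; the table, the environment variables and the function names are all assumptions. The same script renders the form and handles the POST, but the only code that talks to the database is the `addCustomer()` function, which could be moved to a separate required file without changing anything else.

```php
<?php
// add.php: added example, not from the thread. Assumed schema:
//   customers(id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(100), email VARCHAR(255))
// Connection details are read from assumed environment variables.
declare(strict_types=1);

// Data-access layer: the only code that touches the database. Whether this
// lives in add.php or in a separate file makes no difference to the browser,
// which only ever receives the HTML echoed below; PHP runs on the server.
function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $dsn = sprintf(
            'mysql:host=%s;dbname=%s;charset=utf8mb4',
            getenv('DB_HOST') ?: 'localhost',
            getenv('DB_NAME') ?: 'shop'
        );
        $pdo = new PDO($dsn, getenv('DB_USER') ?: 'shop', getenv('DB_PASS') ?: '', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]);
    }
    return $pdo;
}

function addCustomer(string $name, string $email): int
{
    // Prepared statement: the form values are bound as data, never pasted
    // into the SQL text, so a name such as O'Brien is stored literally.
    $stmt = db()->prepare('INSERT INTO customers (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
    return (int) db()->lastInsertId();
}

// Request handling: the same script shows the form and processes the POST.
$name    = '';
$email   = '';
$errors  = [];
$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name  = is_string($_POST['name'] ?? null)  ? trim($_POST['name'])  : '';
    $email = is_string($_POST['email'] ?? null) ? trim($_POST['email']) : '';
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'Name is required (max 100 characters).';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required.';
    }
    if ($errors === []) {
        try {
            $id      = addCustomer($name, $email);
            $message = 'Customer #' . $id . ' added.';
        } catch (PDOException $e) {
            error_log($e->getMessage());              // details stay in the server log
            $errors[] = 'Could not save the customer.'; // generic text for the user
        }
    }
}
?>
<!DOCTYPE html>
<html>
<body>
<?php foreach ($errors as $err): ?>
  <p><?= htmlspecialchars($err, ENT_QUOTES, 'UTF-8') ?></p>
<?php endforeach; ?>
<?php if ($message !== ''): ?>
  <p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="">
  <label>Name
    <input name="name" maxlength="100"
           value="<?= htmlspecialchars($name, ENT_QUOTES, 'UTF-8') ?>"></label>
  <label>E-mail
    <input name="email" type="email"
           value="<?= htmlspecialchars($email, ENT_QUOTES, 'UTF-8') ?>"></label>
  <button type="submit">Add customer</button>
</form>
</body>
</html>
```

Viewing the page source in a browser shows only the HTML after the closing `?>` tag and the echoed values; the `INSERT` statement and the connection details are never sent. Splitting the handler into a second file is an organisational choice, not a security boundary: what protects the database here is that the form values are bound as parameters and that database errors are logged rather than echoed, and both of those hold whether the code sits in one file or two.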