What are some common pitfalls to avoid when setting up a PHP contact form?
One common pitfall to avoid when setting up a PHP contact form is not properly sanitizing user input to prevent SQL injection attacks. To solve this issue, always use prepared statements when interacting with your database to ensure that user input is properly escaped.
<?php
// Report mysqli failures as exceptions instead of silent false return values
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// Connect to your database
$mysqli = new mysqli("localhost", "username", "password", "database");
// Prepare a SQL statement; the ? placeholders keep user input separate from the query text
$stmt = $mysqli->prepare("INSERT INTO contacts (name, email, message) VALUES (?, ?, ?)");
// bind_param binds by reference, so the variables may be assigned after binding
$stmt->bind_param("sss", $name, $email, $message);
// Sanitize user input (FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so trim and
// strip tags instead; escaping for HTML belongs at output time, not here)
$name = trim(strip_tags($_POST['name'] ?? ''));
$email = filter_var($_POST['email'] ?? '', FILTER_SANITIZE_EMAIL);
$message = trim(strip_tags($_POST['message'] ?? ''));
// Execute the prepared statement
$stmt->execute();
// Close the statement and database connection
$stmt->close();
$mysqli->close();
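A fuller version of the same handler, added here as an example that is not part of the original answer: it validates the fields first (rejecting a malformed address with FILTER_VALIDATE_EMAIL rather than rewriting it, and enforcing length limits), then performs the prepared insert, with mysqli errors raised as exceptions. The table name, column names and connection credentials are assumed to match the answer's snippet.

```php
<?php
declare(strict_types=1);

// Validate the raw form fields and return the cleaned values together with any errors.
function validate_contact(array $post): array
{
    $errors  = [];
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name must be 1-100 bytes';
    }
    // Validate rather than "sanitize": a malformed address is rejected, not silently altered.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors[] = 'email is not a valid address';
    }
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'message must be 1-5000 bytes';
    }
    return ['errors' => $errors, 'values' => compact('name', 'email', 'message')];
}

// Store a validated record. The query text contains only placeholders, so the values are
// sent separately from the statement and cannot change its structure.
function store_contact(mysqli $db, array $values): int
{
    $stmt = $db->prepare('INSERT INTO contacts (name, email, message) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $values['name'], $values['email'], $values['message']);
    $stmt->execute();
    $id = (int)$stmt->insert_id;
    $stmt->close();
    return $id;
}

// Usage (assumed credentials; exception mode turns silent mysqli failures into exceptions)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'username', 'password', 'database');
$db->set_charset('utf8mb4');
$result = validate_contact($_POST);
if ($result['errors'] !== []) {
    http_response_code(422);
    // Escape at output time, not at storage time
    foreach ($result['errors'] as $e) { echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n"; }
} else {
    $id = store_contact($db, $result['values']);
    echo 'Stored contact #', $id;
}
$db->close();
```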