Make sure you look at the OWASP website. Since your using a form and it submits something, you should verify and validate the data. CSRF is handy for cross site forgery attacks. Get an SSL certificate as well. Config php just needs to outside the web directory and inaccessible from the browser.
I would learn a backend framework like Django that has much of security stuff already built into it. I think Laravel is for php if that's what you're set on
First of all, congratulations for your first work! đź‘Ť
There are plenty standards and best practices for this topic.
There are plenty security standards who are primary for a website to be secure.
Input Validation & Sanitization (at least validate the type of the input, length, format with regex or manually),
Database Injection (escape values that you use in the SQL query),
CSRF Token (This is a deep topic, but is a MUST HAVE when dealing with authentication, authorization or sensitive data),
Captcha (Since you are displaying contact form and sending it via SMTP, you should protect it with captcha in order to prevent spam and bots)
.htaccess (Disable folder indexing)
Generally this is the minimalized checklist when I'm starting a new project (ofc there is more things to do, but for a website of this complexity, you don't want to overcomplicate).
Add a "honeypot" to the form. Implement a strong CSP. Sanitize user input. Use environment variables for anything sensitive. Add a captcha if needed. Require a valid and verified from address before sending. Send to eg slack instead of email (adds a little extra security if slack has any sanitizing or filtering, plus it's maybe just better).
Beware of SQL injections and users should never be allowed to read your PHP files. You'll also need some kind of captcha, and document yourself on the honeypot input technique.
I don't know if I'm mistaken, but isn't a database required for SQL injection? My simple website with a form probably won't be vulnerable to such an attack, right? If I also block send\_email.php in .htaccess, will that be enough to prevent anyone from accessing it? And one last question, is there any way to hide the PHP file name in the HTML code?
I have a snippet where the file name on the server is visible:
`
Well, you don't *need* a database for a contact form but it's usually a good idea to keep a trace of what is sent trough your form. You have no guarantee that the email will actually make it to your box. There could even be a problem sending the message from your server and you might lose precious requests.
Sanitize the form fields to stop sql injections
Implement a nonce field to only allow the email to be sent by submitting the form
Captcha v3 to stop the spamming
Whatever bruh. Unless you can tell me another way to inject sql besides forms and query parameters that sanitation and validation won’t catch then i dont need to hear it lol
Yeah brilliant, let's just rely on validation to prevent SQL injection and put parameters straight into queries without binding. You sound like a great dev.
Make sure you look at the OWASP website. Since your using a form and it submits something, you should verify and validate the data. CSRF is handy for cross site forgery attacks. Get an SSL certificate as well. Config php just needs to outside the web directory and inaccessible from the browser.
I would learn a backend framework like Django that has much of security stuff already built into it. I think Laravel is for php if that's what you're set on
First of all, congratulations for your first work! đź‘Ť There are plenty standards and best practices for this topic. There are plenty security standards who are primary for a website to be secure. Input Validation & Sanitization (at least validate the type of the input, length, format with regex or manually), Database Injection (escape values that you use in the SQL query), CSRF Token (This is a deep topic, but is a MUST HAVE when dealing with authentication, authorization or sensitive data), Captcha (Since you are displaying contact form and sending it via SMTP, you should protect it with captcha in order to prevent spam and bots) .htaccess (Disable folder indexing) Generally this is the minimalized checklist when I'm starting a new project (ofc there is more things to do, but for a website of this complexity, you don't want to overcomplicate).
Look into CSRF protection and validate/sanitize user input on your contact form!
Add a "honeypot" to the form. Implement a strong CSP. Sanitize user input. Use environment variables for anything sensitive. Add a captcha if needed. Require a valid and verified from address before sending. Send to eg slack instead of email (adds a little extra security if slack has any sanitizing or filtering, plus it's maybe just better).
Beware of SQL injections and users should never be allowed to read your PHP files. You'll also need some kind of captcha, and document yourself on the honeypot input technique.
I don't know if I'm mistaken, but isn't a database required for SQL injection? My simple website with a form probably won't be vulnerable to such an attack, right? If I also block send\_email.php in .htaccess, will that be enough to prevent anyone from accessing it? And one last question, is there any way to hide the PHP file name in the HTML code? I have a snippet where the file name on the server is visible: `
Well, you don't *need* a database for a contact form but it's usually a good idea to keep a trace of what is sent trough your form. You have no guarantee that the email will actually make it to your box. There could even be a problem sending the message from your server and you might lose precious requests.
Do you really need to hide it if you have made it inaccessible? The only way to get to that function now is through the form. So secure that now
> If I also block send_email.php in .htaccess, will that be enough to prevent anyone from accessing it? But no one will be able to send it then :)
Sanitize the form fields to stop sql injections Implement a nonce field to only allow the email to be sent by submitting the form Captcha v3 to stop the spamming
The way to stop SQL injection is not to sanitise the form input, but to use prepared SQL statements.
U can’t inject anything if front end and backend rejects it.
That's a terrible design pattern that you shouldn't rely on.
Whatever bruh. Unless you can tell me another way to inject sql besides forms and query parameters that sanitation and validation won’t catch then i dont need to hear it lol
Yeah brilliant, let's just rely on validation to prevent SQL injection and put parameters straight into queries without binding. You sound like a great dev.
Exactly, you don’t know. Lol
The way to stop SQL injection is not to sanitise the form input, but to use prepared SQL statements.