Discussion on: Create Contact Form in PHP 7 with jQuery Validation - Step by Step

Lito

Remember: NEVER NEVER NEVER execute queries with parameters interpolated into the SQL string, to avoid SQL INJECTION.

```php
// Unsafe: form input is interpolated straight into the SQL text,
// so quotes inside any value change the meaning of the statement.
$sql = $connection->query("
    INSERT INTO contacts_list (name, email, phone, subject, message, sent_date)
    VALUES ('{$name}', '{$email}', '{$phone}', '{$subject}', '{$message}', NOW());
");
```

It MUST be executed as:

```php
// Prepared statement with named placeholders: the values are sent
// separately from the SQL text and are never parsed as SQL.
$connection->prepare('
    INSERT INTO contacts_list (name, email, phone, subject, message, sent_date)
    VALUES (:name, :email, :phone, :subject, :message, NOW());
')->execute([
    'name' => $name,
    'email' => $email,
    'phone' => $phone,
    'subject' => $subject,
    'message' => $message
]);
```

or

```php
// Prepared statement with positional placeholders: the order of the
// array must match the order of the ? markers.
$connection->prepare('
    INSERT INTO contacts_list (name, email, phone, subject, message, sent_date)
    VALUES (?, ?, ?, ?, ?, NOW());
')->execute([$name, $email, $phone, $subject, $message]);
```
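The following is an added, self-contained example (not part of the comment above or of the original article) that runs all three forms against an in-memory SQLite database through PDO, so the difference can be observed without a MySQL server. The table definition and the form values are constructed for the demonstration; `datetime('now')` stands in for MySQL's `NOW()`, and the input is an ordinary name containing an apostrophe, which is enough to break the interpolated query while the prepared statements store it intact.

```php
<?php
// Added example: interpolated query vs. prepared statements, run on SQLite via PDO.
// Everything below (table, values) is constructed for the demonstration.
declare(strict_types=1);

$connection = new PDO('sqlite::memory:');
$connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$connection->exec('
    CREATE TABLE contacts_list (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        name TEXT, email TEXT, phone TEXT, subject TEXT, message TEXT,
        sent_date TEXT
    )
');

// Constructed form input: a legitimate name and message that contain quotes.
$name    = "Miles O'Brien";
$email   = 'miles@example.com';
$phone   = '+1-555-0100';
$subject = 'Quote request';
$message = "It's urgent";

// 1. Interpolated SQL string (the pattern the comment warns against).
//    The apostrophe in $name terminates the SQL literal early; here the
//    database rejects the statement, and other quote-bearing input would
//    instead alter what the statement does.
try {
    $connection->query("
        INSERT INTO contacts_list (name, email, phone, subject, message, sent_date)
        VALUES ('{$name}', '{$email}', '{$phone}', '{$subject}', '{$message}', datetime('now'))
    ");
    echo "unexpected: interpolated insert succeeded\n";
} catch (PDOException $e) {
    echo 'interpolated insert rejected: ' . $e->getMessage() . "\n";
}

// 2. Named placeholders: values travel separately from the SQL text,
//    so quotes inside them are plain data.
$connection->prepare('
    INSERT INTO contacts_list (name, email, phone, subject, message, sent_date)
    VALUES (:name, :email, :phone, :subject, :message, datetime(\'now\'))
')->execute([
    'name'    => $name,
    'email'   => $email,
    'phone'   => $phone,
    'subject' => $subject,
    'message' => $message,
]);

// 3. Positional placeholders: same guarantee; array order must match the ? markers.
$connection->prepare('
    INSERT INTO contacts_list (name, email, phone, subject, message, sent_date)
    VALUES (?, ?, ?, ?, ?, datetime(\'now\'))
')->execute([$name, $email, $phone, $subject, $message]);

// Only the two prepared inserts produced rows, each holding the quotes verbatim.
$rows = $connection
    ->query('SELECT name, message FROM contacts_list ORDER BY id')
    ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    printf("stored name=%s message=%s\n", $row['name'], $row['message']);
}
```

When the same code is pointed at MySQL through `pdo_mysql`, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the placeholders are bound server-side rather than client-side; the binding still keeps data and SQL separate in both modes, but native prepares remove one more layer where escaping could go wrong.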