Concerned about the security of my form

Hi there!

So I wanted to create a working form for my first solo project and the coding portion doesn’t seem too bad.

I found a nice article that walked me through creating a form with php.

But I am concerned about the security aspect of it.

I am still a beginner so I don’t know how to make my form completely secure against possible attacks.

Should I just go ahead and add my custom form to the site or just use a premade form?


Unfortunately there’s not a way to make something on the web “completely” secure.
Security is an ever evolving field, so there’s no real solution to cover all cases.

However, in this case I would say that as long as you apply the “general” rules you’ll be fine:

  • sanitizing inputs
  • never store/transmit plain sensitive data
  • don’t accept code into your system that anyone can submit.

And if you want to go a step further, limit the number of times one can send data in a period of time (like a captcha).

1 Like

One of the first mistakes that comes to mind is relying on the client-side (the HTML+JS) to act as “security”. Anything on the client-side can be assumed to be compromised, so the back-end needs to re-check anything that is sent to it.

You’re welcome to add extra validation on the client-side, so the user sees validation errors before sending it. But the back-end will always need to recheck, in case the client is an “evil person” who removed all the validation in the first place.

Another thing to think about: due to the nature of security being everywhere, I usually recommend focusing on the bigger issues first, and focusing on mitigating them. So something like preventing code injection is probably more important than protecting against DDoS attacks. Focusing on perfection isn’t the goal, just mitigating as much as possible so it makes it hard to hack/spam/DDoS you.

Are you making a contact page or something? As mentioned above, something like Captcha is pretty useful to prevent robot spam.

1 Like

Yes, I am building a site with a contact page. Right now there is just a Google form on there, but I wasn’t sure if I should create my own since I have never done it before. If this project was just a practice side project to learn, then I wouldn’t be as worried about attacks. But since it is going to be an actual live site that I hope people will visit often, I just want to be as careful as possible.

So for a contact page the biggest “threat” is primarily spam to you. End users generally aren’t exposed to much threat, as the contact page is sending data one way.

So even in the worst-case scenario, you just might get a lot of random/ugly data, or open yourself up to an SQL injection attack that deletes all the data you collected. Since the data is going one way, you’re the only one who could lose out. It’s bad, but not the worst possible outcome.

With that said, I’d focus on preventing spam using something like Captcha, and then verifying you can’t get attacked via an SQL injection attack.

1 Like

Security: It’s a vast topic. As a beginner you should write your back-end (nodejs or whatever server environment) so it’s paranoid about what it gets from the front end. For example:

A common security threat comes from people who put malicious rubbish into the forms on your web apps. Sometimes they can get your server to misbehave, crash, or even spew out users’ confidential information with that rubbish.

Suppose your usernames are supposed to contain only letters, numbers, and underscores. If that’s the case check, ON THE SERVER, the usernames people give you. If they contain other characters, reject them. Whatever you do, DON’T use data that comes to you from your front end without checking it for validity.

And when you handle peoples’ names, always test your code with names like O'Brien with valid punctuation in them. If you do your checks wrong, they’ll mess up on names like that.

Here’s a famous cartoon about the subject. The kid’s school used a SQL database on the back end. DROP TABLE Students; is the SQL command to destroy the table containing information for each student. Tee hee.

1 Like
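Putting the advice from the last two replies together (server-side re-checking, a letters/digits/underscore username rule, names like O'Brien, and keeping submitted text out of SQL), here is an added example for a Node.js contact-form back end. It is not code from the thread; the field names, length limits and the `contacts` table are assumptions.

```javascript
// Added example, not code from the thread: server-side validation for a contact form
// on a Node.js back end. Field names, limits and the table name are assumptions.
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;        // letters, digits and underscore only
const NAME_RE = /^\p{L}[\p{L} .'-]{0,79}$/u;       // lets "O'Brien" and "Anne-Marie" through
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;     // deliberately simple shape check
const MESSAGE_MAX = 2000;

// Coerce whatever the client sent into a trimmed string; arrays/objects/undefined become ''.
function str(v) {
  return typeof v === 'string' ? v.trim() : '';
}

// Every rule runs here no matter what the HTML/JS checked: the client can be tampered with.
function validateContact(body) {
  const f = { username: str(body.username), name: str(body.name),
              email: str(body.email), message: str(body.message) };
  const errors = [];
  if (!USERNAME_RE.test(f.username)) errors.push('username: letters, digits and _ only');
  if (!NAME_RE.test(f.name)) errors.push('name: invalid characters or length');
  if (!EMAIL_RE.test(f.email)) errors.push('email: not an address');
  if (f.message.length === 0 || f.message.length > MESSAGE_MAX) errors.push('message: empty or too long');
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(f.message)) errors.push('message: control characters');
  return errors.length ? { ok: false, errors } : { ok: true, fields: f };
}

// Validated input is still data, never SQL text: it goes to the driver as parameters,
// so a message containing "DROP TABLE Students;" is stored as a string, not executed.
// The driver call itself is left out; this returns what you would hand to it.
function insertStatement(fields) {
  return {
    sql: 'INSERT INTO contacts (username, name, email, message) VALUES (?, ?, ?, ?)',
    params: [fields.username, fields.name, fields.email, fields.message],
  };
}

// Constructed sample submissions: one honest, one with client-side checks bypassed.
const good = validateContact({ username: 'kat_42', name: "Siobhan O'Brien",
                               email: 'siobhan@example.com', message: 'Hello!' });
const tampered = validateContact({ username: 'kat; DROP TABLE Students;', name: ['x'],
                                   email: 'nope', message: '' });
console.log(good.ok, tampered.ok, tampered.errors);
```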