Securing form inputs with PHP


Securing form inputs in PHP matters because anything a user types into a form field reaches your code as untrusted data. If that data is passed straight into an SQL query or echoed back into the page, it can carry SQL fragments or scripts that the database or the browser will execute, so you need to handle it correctly before it reaches either.


Prepared statements are the defence for SQL queries. Below is an example of what a prepared statement looks like in PHP, with notes on what each part means. You make the connection to the database first, then write the prepared statement as follows:

Image of a code example of a prepared statement for SQL

With this technique the database receives and compiles the query structure before the values are supplied. A bound value can only ever be treated as data and cannot change the shape of the query, whatever quotes or SQL keywords it contains.
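The following is an added example, not the code from the original post: it places a string-concatenated query next to its prepared-statement equivalent using PDO, then reads the form fields and inserts a row. The DSN, credentials, and the users(id, username, email) table are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Assumes a MySQL database reachable
// with the DSN/credentials below and a table `users(id, username, email)`;
// all of those names are assumptions for illustration.

function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// VULNERABLE: the value is spliced into the SQL text.
// Input  x' OR '1'='1  turns this into  ... WHERE username = 'x' OR '1'='1'
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll();
}

// SAFE: the statement goes to the server with a placeholder and is compiled first;
// the value is bound afterwards and can only ever be data.
function findUser(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll();
}

function createUser(PDO $pdo, string $username, string $email): int
{
    $stmt = $pdo->prepare('INSERT INTO users (username, email) VALUES (:username, :email)');
    $stmt->execute([':username' => $username, ':email' => $email]);
    return (int) $pdo->lastInsertId();
}

// Read the posted form. filter_input returns null for a missing field and
// false when FILTER_VALIDATE_EMAIL rejects the value.
$username = filter_input(INPUT_POST, 'username') ?? '';
$email    = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

if ($username === '' || $email === false || $email === null) {
    http_response_code(400);
    exit('username and a valid email are required');
}

$pdo = connect();
$id  = createUser($pdo, $username, $email);

// The classic injection string is matched literally and returns no rows.
var_dump(findUser($pdo, "x' OR '1'='1"));
```

Placeholders only work where the SQL grammar expects a value. Table and column names, ORDER BY directions and similar structural parts cannot be bound, so if those come from the user they must be checked against a fixed allow-list before being written into the query text.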


A second technique is output encoding with htmlspecialchars, which stops user input from being interpreted as HTML or script when it is echoed back into the page. It converts <, >, &, and quotes into HTML entities, so a submitted <script> tag is displayed as text rather than run. stripslashes is often shown alongside it, but it provides no protection against scripts: it only removes the backslashes that the old magic_quotes_gpc setting inserted into form data, and that setting was removed in PHP 5.4, so on current PHP it is unnecessary and will strip legitimate backslashes from user input.

Without output encoding, a script submitted through a form input is executed by the browser and can cause pop-ups like this:

Image of an HTML pop-up alert produced by an injected script (this is what you want to prevent)

To stop an unwanted script passing through a form input like the one above, the following code applies stripslashes and then htmlspecialchars to the submitted value (only the htmlspecialchars call does the protective work):

PHP code using htmlspecialchars and stripslashes on a form input
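As an added example (not the original post's code), the script below encodes a constructed comment string for both the HTML text context and a quoted attribute context, and shows the unencoded version beside it for comparison. The helper name e() and the sample input are assumptions; the script runs offline with no form submission.

```php
<?php
declare(strict_types=1);

// Added example (not the original post's code). The input string is constructed
// here so the script runs offline; `e()` is an assumed helper name.

// Output-encode a string for placement in HTML text or in a quoted attribute.
// ENT_QUOTES encodes both ' and " so the result is safe inside attributes too;
// ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning ''.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, as if taken from $_POST['comment'].
// No stripslashes call: modern PHP does not add slashes to form data, and
// stripping them here would corrupt a legitimate backslash typed by the user.
$comment = '<script>alert("xss")</script> Tom\'s "review"';

// VULNERABLE: the browser parses the user's markup as HTML and runs the script.
$unsafeHtml = '<p>' . $comment . '</p>';

// SAFE: the same bytes are rendered as visible text; the browser sees no tags.
$safeHtml = '<p>' . e($comment) . '</p>';
// <p>&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt; Tom&apos;s &quot;review&quot;</p>

// Attribute context: without ENT_QUOTES a double quote in the value could close
// the attribute and start a new one such as onfocus="...".
$safeAttr = '<input type="text" name="comment" value="' . e($comment) . '">';

echo $unsafeHtml, PHP_EOL;
echo $safeHtml, PHP_EOL;
echo $safeAttr, PHP_EOL;
```

Encode at the point of output, not when the value is stored: the database should hold the raw text, and each place that renders it applies the encoding for its own context. htmlspecialchars covers HTML text and quoted attributes only; a value placed inside a <script> block, a URL, or a CSS rule needs the encoding appropriate to that context.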