PHP protection help


I need help to protect my code from mysqli injection and special characters.
$wiadomosc = filter_var($_POST['wiadomosc'], FILTER_SANITIZE_STRING); and every special character will be removed, but now my question is: does this code protect me from mysqli injection such as a "DROP TABLE"? I don't want anyone to destroy everything. Can you tell me how to protect a simple mail form and a form where data is added to the DB?
Thank you guys.

P.S. I have no registration info or login form.


Use PDO or mysqli and prepared/parameterized queries to protect against SQL injection hacks. Do not sanitize/escape (aka mangle) data.

For email just use a service like mailgun and you're OK.
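To make the advice above concrete, here is an added example (my code, not from anyone in the thread) of the INSERT into the `niepol` table done with prepared statements, once through PDO and once through mysqli. The host, database name and credentials are placeholders; the table and column names are taken from the code posted in this thread. With a prepared statement the input needs no mangling (FILTER_SANITIZE_STRING is in any case deprecated since PHP 8.1); escaping belongs at output time, with htmlspecialchars(), for the HTML context.

```php
<?php
// Added example, not code from the thread: the thread's INSERT into the
// `niepol` table rewritten with prepared statements, once with PDO and once
// with mysqli. DB_NAME, DB_USER and DB_PASS are placeholders; the table and
// column names come from the snippet posted in the thread.
declare(strict_types=1);

const DB_HOST = 'localhost';
const DB_NAME = 'YOUR_DATABASE';   // placeholder
const DB_USER = 'YOUR_USERNAME';   // placeholder
const DB_PASS = 'YOUR_PASSWORD';   // placeholder

function connectPdo(): PDO
{
    return new PDO(
        'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4',
        DB_USER,
        DB_PASS,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failed queries throw
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
        ]
    );
}

/** PDO: named placeholders; the values travel separately from the SQL text. */
function insertNiepolPdo(PDO $pdo, string $firma, string $polecam, string $place): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO niepol (firma, niepolecam, place, data)
         VALUES (:firma, :niepolecam, :place, :data)'
    );
    $stmt->execute([
        ':firma'      => $firma,
        ':niepolecam' => $polecam,
        ':place'      => $place,
        ':data'       => date('Y-m-d H:i:s'),
    ]);
    return $stmt->rowCount();   // 1 when the row was inserted
}

function connectMysqli(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $db->set_charset('utf8mb4');
    return $db;
}

/** mysqli: positional placeholders, each bound as a string ('s'). */
function insertNiepolMysqli(mysqli $db, string $firma, string $polecam, string $place): int
{
    $date = date('Y-m-d H:i:s');   // bind_param needs a variable, not an expression
    $stmt = $db->prepare(
        'INSERT INTO niepol (firma, niepolecam, place, data) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $firma, $polecam, $place, $date);
    $stmt->execute();
    return $stmt->affected_rows;
}

/** Escape for the HTML context when printing user data back to the page. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Keep the text the user typed; inside a bound parameter a quote or the
    // words DROP TABLE are stored as ordinary characters, not run as SQL.
    $firma   = (string) ($_POST['firma']   ?? '');
    $polecam = (string) ($_POST['polecam'] ?? '');
    $place   = (string) ($_POST['place']   ?? '');
    try {
        insertNiepolPdo(connectPdo(), $firma, $polecam, $place);
        echo '<h2>Dziekujemy</h2>';
        echo '<p>' . h($firma) . ': ogłoszenie zostało dodane.</p>';
    } catch (PDOException $e) {
        error_log($e->getMessage());   // driver details go to the log, not to the visitor
        echo '<p>Ogłoszenie nie zostało dodane. Prosimy o kontakt z administratorem.</p>';
    }
}
```

Either of the two insert functions does the job; pick the API you already use and keep the error mode set to exceptions, so a failed query cannot be silently ignored.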


OK, you gave me a hint, so I will check online how to do this. I need to do this ASAP. One more question: why, when I do the form validation, is it still sending after pressing the "submit" button even if the input is empty?


How do you do the form validation?

Do you mean that the page with the form submits/reloads, or that the email sends? Need your code either way.



if ($name = " ") {
    echo "error message";
}


You need to add the full code for what you're doing and explain how it isn't working as expected.


$server = "localhost";
$database = "";
$username = "";
$password = "";

$connection = mysqli_connect($server, $username, $password, $database);
if (!$connection) {
    echo " connection failed" . mysqli_connect_error();
} else {
    if (isset($_POST['submit'])) {
        $firma = filter_var($_POST['firma'], FILTER_SANITIZE_STRING);
        $polecam = filter_var($_POST['polecam'], FILTER_SANITIZE_STRING);
        $place = filter_var($_POST['place'], FILTER_SANITIZE_STRING);
        if ($name = " ") {
            echo "error message";
        }
        $date = date('Y-m-d H:i:s');
        $sql = "INSERT INTO niepol (firma, niepolecam, place, data) VALUES ('$firma', '$polecam', '$place', '$date')";

        if ($final = mysqli_query($connection, $sql)) {
            echo "<h2>Dziekujemy</h2>";
            echo "<p>Twoja ogłoszenie zostało dodane i będzie widoczne automatycznie</p>";
        } else {
            echo "Ogłoszenie nie zostało dodane. Prosimy o kontakt z administratorem";
        }
    }
}



Please fix the formatting and use php tags when pasting code

$server = "localhost";
$database = "";
$username = "";
$password = "";
$connection = mysqli_connect($server, $username, $password, $database);
if (!$connection) {
    echo " connection failed" . mysqli_connect_error();
} else {
    if (isset($_POST['submit'])) {
        $firma = filter_var($_POST['firma'], FILTER_SANITIZE_STRING);
        $polecam = filter_var($_POST['polecam'], FILTER_SANITIZE_STRING);
        $place = filter_var($_POST['place'], FILTER_SANITIZE_STRING);
        if ($name = " ") {
            echo "error message";
        }
        $date = date('Y-m-d H:i:s');
        $sql = "INSERT INTO niepol (firma, niepolecam, place, data) VALUES ('$firma', '$polecam', '$place', '$date')";
        if ($final = mysqli_query($connection, $sql)) {
            echo "<h2>Dziekujemy</h2>";
            echo "<p>Twoja ogłoszenie zostało dodane i będzie widoczne automatycznie</p>";
        } else {
            echo "Ogłoszenie nie zostało dodane. Prosimy o kontakt z administratorem";
        }
    }
}


I hope it will work. I know I'm a messy person. In my spare time I will clean up my code. Thank you for your help.


OK, tell me why $_SESSION is not working? <?php start_session() ?> is on both pages.

if ($name = " ") {
    $_SESSION['error'] = "some message";
}

and I want to display this message where the form is, so

echo $_SESSION['error'];
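As an added example (my code, not the thread's), here is one self-posting page, assumed to be saved as form.php, that validates the fields, stores the message in $_SESSION, redirects back to itself and shows the message once where the form is. The session is opened with session_start() (that is the name of the PHP function) before any output, the empty check compares with === after trim(), and exit stops the script right after the redirect so nothing is saved or mailed when validation fails.

```php
<?php
// Added example, not code from the thread: a self-posting form page with a
// one-time ("flash") error message kept in the session. The file is assumed
// to be saved as form.php; the field names come from the thread.
declare(strict_types=1);

session_start();   // before any output, on every page that reads $_SESSION

/** Escape for the HTML context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Returns one message per missing field; an empty array means the input is valid. */
function validate(array $post, array $required): array
{
    $errors = [];
    foreach ($required as $field) {
        // trim() so a lone space does not count as filled in; compare with ===
        // (a single = would assign and the test would always succeed).
        if (trim((string) ($post[$field] ?? '')) === '') {
            $errors[] = "Field '$field' is required.";
        }
    }
    return $errors;
}

$required = ['firma', 'polecam', 'place'];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate($_POST, $required);
    if ($errors !== []) {
        $_SESSION['error'] = implode(' ', $errors);
        // keep only the known fields so the form can be refilled
        $_SESSION['old'] = array_intersect_key($_POST, array_flip($required));
    } else {
        // Valid input: insert with a prepared statement or send the mail here,
        // then leave a success message.
        $_SESSION['success'] = 'Dziekujemy';
    }
    // Redirect after POST so a page refresh cannot resubmit the form,
    // and stop here so nothing below runs on this request.
    header('Location: form.php', true, 303);
    exit;
}

// GET: read the one-time messages, then remove them so they show only once.
$error   = $_SESSION['error']   ?? null;
$success = $_SESSION['success'] ?? null;
$old     = $_SESSION['old']     ?? [];
unset($_SESSION['error'], $_SESSION['success'], $_SESSION['old']);
?>
<!doctype html>
<meta charset="utf-8">
<?php if ($error !== null): ?>
  <p class="error"><?= h($error) ?></p>
<?php elseif ($success !== null): ?>
  <h2><?= h($success) ?></h2>
<?php endif; ?>
<form method="post" action="form.php">
  <?php foreach ($required as $field): ?>
    <label><?= h($field) ?>
      <input name="<?= h($field) ?>" value="<?= h((string) ($old[$field] ?? '')) ?>">
    </label>
  <?php endforeach; ?>
  <button type="submit" name="submit" value="1">Send</button>
</form>
```

The same pattern works when the form and the handler are two files: both must call session_start() before any output, the handler writes $_SESSION['error'] and redirects, and the form page reads and then unsets it.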


I just formatted the code and added it to the thread so people could actually read it. I didn't change it in any way.

If you use a proper editor/IDE then it will contain automatic tools to reformat your code so it’s structured properly.