I have a PHP page with a form. The form has method="POST" and the action is another PHP file which inserts the values into MySQL. This all works properly.
My problem is that the 2nd PHP page which sends the info to the database contains the username, password, databasename and tablename where the info should go. I am concerned that someone could create their own PHP or HTML form and POST to MY 2nd PHP file and submit any values to my database.
I want to put the username, password, databasename and tablename on the 1st PHP page (with the form) and pass these as variables to the 2nd PHP form, thus eliminating the threat of someone else creating their own form and posting whatever they want. (If this is possible and the correct way to do it, can you suggest how to pass the variables?)
Is this the proper way to secure input to the database?
Don’t put databasename and tablename in the form. Put some meaningful value there, and in the server-side code, select the appropriate table name and database.
For instance, add a select field that can take the values “bluepill” or “redpill”.
On receiving the POST data, choose the table “good_users” for bluepill and “evil_users” for redpill.
If the form is a registration form, you can think of other methods of verifying users, such as email link, captcha, etc.
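As an added example (not code from the original question or answer), here is what the receiving script can look like when it follows this advice: the database credentials stay on the server, the form only carries the `bluepill`/`redpill` value, and that value is mapped to a table name through a fixed allowlist so nothing the client sends is ever used as a table or database name. The credential constants, the `TABLE_FOR_PILL` map, the `tableForPill`/`insertUser` helpers, the `pill`/`username`/`email` field names and the column names are all assumptions made for the example. The user-supplied values go through a PDO prepared statement, which the answer does not discuss but is the standard complement to the allowlist.

```php
<?php
// Added example, not from the original post: the POST handler keeps the
// database credentials server-side and maps a form value to a table name
// through a fixed allowlist, so no table name ever comes from the client.
declare(strict_types=1);

// Hypothetical credentials. In practice load them from a config file kept
// outside the web root; they never belong in a form field.
const DB_DSN  = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
const DB_USER = 'app_user';
const DB_PASS = 'app_password';

// Allowlist: the only table names this script will ever write to. The keys
// are the values the <select name="pill"> may carry; anything else is rejected.
const TABLE_FOR_PILL = [
    'bluepill' => 'good_users',
    'redpill'  => 'evil_users',
];

/**
 * Resolve the submitted "pill" value to a table name, or null when it is not
 * one of the allowed values. The returned string is always one of our own
 * constants, so it is safe to place in the SQL text.
 */
function tableForPill(?string $pill): ?string
{
    return TABLE_FOR_PILL[$pill ?? ''] ?? null;
}

/**
 * Insert one user into the table selected by the allowlist. Returns false on
 * an unknown pill value or on invalid user data, so a hand-crafted form that
 * posts arbitrary values cannot reach the database.
 */
function insertUser(PDO $db, string $pill, string $username, string $email): bool
{
    $table = tableForPill($pill);
    if ($table === null) {
        return false; // value not in the allowlist: reject the submission
    }
    if ($username === '' || strlen($username) > 64
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // The table name comes from our allowlist; the user data goes through
    // bound parameters and is never concatenated into the query.
    $stmt = $db->prepare("INSERT INTO `$table` (username, email) VALUES (:username, :email)");
    return $stmt->execute([':username' => $username, ':email' => $email]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $ok = insertUser(
        $db,
        (string)($_POST['pill'] ?? ''),
        (string)($_POST['username'] ?? ''),
        (string)($_POST['email'] ?? '')
    );
    http_response_code($ok ? 200 : 400);
    echo $ok ? 'Registered.' : 'Invalid submission.';
}
```

Anyone can still post to this script with their own form, but the only effect they can have is an insert into one of the two tables named in the allowlist, with values that passed validation, which is exactly what the legitimate form can do. Passing the credentials from the first page instead would not help: hidden form fields are visible to anyone who views the page source, so they would disclose the database password rather than protect it.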