I have an example.php and moved it to the public folder in Laravel.
example.php:
<html>
<body>
<form action="welcome.php" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
</body>
</html>
and welcome.php:
<?php
// Raw POST values, taken as-is and echoed straight into the page
$name = $_POST['name'];
$email = $_POST['email'];
echo "your name: ".$name;
echo "your email: ".$email;
?>
And the result:
your name: John
your email: John@gmail.com
So, is it safe or dangerous? Thanks.
The way you have set your code out isn't how Laravel should be used.
For best usage of Laravel you need to put your form HTML into the views folder under its own file, for example: form.blade.php.
You then need to make a new controller: php artisan make:controller FormController
I'd also suggest making a Requests folder: php artisan make:request FormRequest
Within the request you brand each of your required HTML name= fields, for example:
<?php
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest as BaseFormRequest;

class FormRequest extends BaseFormRequest
{
    // Each required form field gets a rule; failing rules redirect back with $errors set
    public function rules()
    {
        return [
            'name' => 'required',
            'email' => 'required',
        ];
    }
}
Within your routes file you'd then need to add:
Route::post('/link', 'FormController@submitForm');
Within your Controller you'd then do:
<?php
namespace App\Http\Controllers;

use App\Http\Requests\FormRequest;

class FormController extends Controller
{
    // Type-hinting FormRequest makes Laravel run its rules before this method is entered
    public function submitForm(FormRequest $formRequest)
    {
        // your logic would then go in here. Firstly fetch the request data
        // (get() needs a key name, so all() is used to fetch every field)
        $fetchData = $formRequest->all();
    }
}
This is just the basic breakdown of what you should be doing. You'd obviously need to fill the logic in.
PS: within the HTML, as we have added a request to check that the fields have been filled, you'd add something like:
@if ($errors->has('name'))
    <span class="help-block">
        <strong>{{ $errors->first('name') }}</strong>
    </span>
@endif
I hope this gets you on to the right tracks of Laravel.
I'd also suggest taking a look at Laracasts as they have some great tutorials.
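The steps in the answer above, written out as the files they would live in. This is an added example, not the answer's own code or Laravel's; it assumes Laravel 5.5 or later (for validated()), the framework's default file paths, a route named /form and a view named welcome.blade.php, and it tightens the rules slightly so the e-mail field must actually look like an e-mail address.

```php
<?php
// Added example (not from the answer): FormRequest, controller, route and
// views for the form in the question. Assumes Laravel 5.5+ and default paths.

// app/Http/Requests/FormRequest.php
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest as BaseFormRequest;

class FormRequest extends BaseFormRequest
{
    // The form is public, so no authorization check beyond the CSRF token.
    public function authorize()
    {
        return true;
    }

    // Tighter than a bare 'required': bound the length and require an e-mail
    // shape. A failing rule redirects back with $errors populated.
    public function rules()
    {
        return [
            'name'  => 'required|string|max:255',
            'email' => 'required|email|max:255',
        ];
    }
}

// app/Http/Controllers/FormController.php
namespace App\Http\Controllers;

use App\Http\Requests\FormRequest;

class FormController extends Controller
{
    // Laravel runs the FormRequest rules before this method is entered.
    public function submitForm(FormRequest $request)
    {
        // validated() returns only 'name' and 'email'; any extra POST fields
        // are dropped instead of flowing into the view.
        return view('welcome', $request->validated());
    }
}

// routes/web.php (the string syntax the answer uses; Laravel 8+ would write
// [FormController::class, 'submitForm'] instead):
//
//     Route::post('/form', 'FormController@submitForm');

/* resources/views/form.blade.php
<form action="/form" method="post">
    {{ csrf_field() }}
    Name: <input type="text" name="name" value="{{ old('name') }}"><br>
    @if ($errors->has('name'))
        <span class="help-block"><strong>{{ $errors->first('name') }}</strong></span>
    @endif
    E-mail: <input type="text" name="email" value="{{ old('email') }}"><br>
    @if ($errors->has('email'))
        <span class="help-block"><strong>{{ $errors->first('email') }}</strong></span>
    @endif
    <input type="submit">
</form>
*/

/* resources/views/welcome.blade.php
   {{ }} passes the value through htmlspecialchars, so a name such as
   <script>alert();</script> is shown as text rather than run. Do not use
   {!! !!} for user-supplied values: that syntax prints the raw string.
<p>your name: {{ $name }}</p>
<p>your email: {{ $email }}</p>
*/
```

The two things that make this safer than the question's welcome.php are the validation that runs before the controller and the automatic output escaping in the Blade view; the CSRF field is what Laravel's web middleware checks on every POST, so a form without it is rejected.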
Writing plain PHP files is surely more insecure than working with the MVC system of the Laravel framework. Web spiders can track URLs and could possibly find your form and the action URL even if it is inside the framework directory. There are tons of ways you could have problems with that form, but the simplest one would be testing what happens when you send <script>alert();</script> as an input.
Hope it helps.
PS.
That depends very much on encoding and sanitization. If you don't sanitize your input with anything, as I can see in that PHP file, you could use <script>
as input; if you sanitize badly, maybe <scri<script>pt>
could work... or <script>
etc., etc. As a security measure, you always need to assume that the input is probably malicious; sanitizing is one of the things that frameworks do for you.
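What the question's welcome.php looks like once the points raised in this answer and in the question are applied, as an added example that is not part of either post. It stays in plain PHP so the fix is visible without the framework: the two fields are validated, and every value is escaped with htmlspecialchars before it is echoed. The command-line self-check at the bottom uses constructed inputs and also shows why the one-pass blacklist this answer warns about fails on <scri<script>pt>. The function names and the error markup are the example's own.

```php
<?php
// Added example, not code from the question or the answers: a hardened
// welcome.php in plain PHP. Validates the two fields, escapes output.

declare(strict_types=1);

/**
 * Validate the raw POST fields. Returns [validated values, error messages].
 * Field names mirror the form in the question.
 */
function validate_form(array $post): array
{
    $errors = [];
    $name  = trim((string) ($post['name'] ?? ''));
    $email = trim((string) ($post['email'] ?? ''));

    if ($name === '' || strlen($name) > 255) {
        $errors['name'] = 'Name is required (max 255 bytes).';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }
    return [['name' => $name, 'email' => $email], $errors];
}

/** Escape a value for HTML text content or a double-quoted attribute. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Build the response body: the fixed counterpart of the original echo lines. */
function render_welcome(array $post): string
{
    [$data, $errors] = validate_form($post);
    if ($errors !== []) {
        $items = '';
        foreach ($errors as $field => $message) {
            $items .= '<li>' . esc($field) . ': ' . esc($message) . '</li>';
        }
        return '<ul class="errors">' . $items . '</ul>';
    }
    return '<p>your name: ' . esc($data['name']) . '</p>'
         . '<p>your email: ' . esc($data['email']) . '</p>';
}

// Web entry point: same job as the original welcome.php, with the fix applied.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
    echo render_welcome($_POST);
    exit;
}

// Command-line self-check (run: php welcome.php) with constructed inputs.
$nested = '<scri<script>pt>';
// The "sanitize badly" case from the answer: removing the inner <script>
// once reassembles the outer one, so a blacklist replace is not a fix.
echo 'one-pass str_replace leaves: ', str_replace('<script>', '', $nested), PHP_EOL;
// Escaping rewrites every '<' and '>', so there is nothing left to reassemble.
echo 'htmlspecialchars leaves:     ', esc($nested), PHP_EOL;

$cases = [
    ['name' => 'John', 'email' => 'John@gmail.com'],
    ['name' => '<script>alert();</script>', 'email' => 'john@example.com'],
    ['name' => $nested, 'email' => 'john@example.com'],
    ['name' => 'John', 'email' => 'not-an-email'],
];
foreach ($cases as $case) {
    echo render_welcome($case), PHP_EOL;
}
```

Escaping on output rather than stripping on input is the design choice here: the stored value stays exactly what the user typed, and the rendered page can never contain a raw `<` or `"` from it, which is the same thing Blade's `{{ }}` does for you in Laravel.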
One thing you must remember is that Laravel is an MVC (Model-View-Controller) framework. What I see in this code is "vanilla" PHP, and Laravel is not really intended to be used that way.
The whole point here is that all the back-end processing should be done outside the public folder, namely in the Model and Controller components. Everything you put in the public folder is risky because the public folder has chmod 777. This means that if you use risky functions in the source files in that folder, hackers may be able to exploit them.