So, a project I'm working on requires me to provide my clients with a form to put on their website.
When my clients' user fills in and submits the form, the data is supposed to be inserted into my database.
Now, I can create a PHP file the client can use in the form action with a database user with only INSERT privilege on one particular table, but that still leaves that table vulnerable to data stuffing with the database connection details.
So, how can I make sure that data is only inserted into the table via the form and not manually to prevent stuffing?
P.S. open to other suggestions on how to achieve this securely too, thanks.
You want to implement Cross-Site Request Forgery protection. See this: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
There is no such thing as "manual insertion", as there are only HTTP requests. A user using a browser and a user using an automated tool are not distinguishable.
So what do you really want to do?
Restrict the number of insertions
Let your customer post to a PHP page of yours, something like http://example.org/insert.php where you can limit the rate of insertion.
This allows anyone to insert into your db. Never ever give raw access to your database.
Restrict the users who can insert
You should look into OAuth, which is very simple and straightforward, or you can use asymmetric encryption for authentication (basically like SSH does it).
Upon registration you give your customers a private API key that uniquely identifies them and that is needed to access your API. You can optionally request from them a list of (finite) domains they are going to access your API from.
Upon insertion you can check the API key for validation and identify your customer, performing any policy you want (including reverse querying the sender IP to match against registered domains, rate limiting, revoking, auditing, and so on).
One way or another, you should not give anyone access to your DB and you should force your customers to request insertion server side, otherwise you have to let anyone insert into your db in order for your service to be used.
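The API-key scheme described in the answer above, as an added example that is not from the original post: customers post server side to an insert endpoint, the endpoint identifies the customer by a hashed API key, enforces a per-customer rate limit, writes an audit row for every attempt, and only then inserts the submission with a parameterised query. It is written in Python rather than PHP so it runs stand-alone; the in-memory SQLite schema, the SHA-256 key hashing and the rate-limit values are assumptions, and the registered domain is stored only so the reverse-IP policy the answer mentions could be applied on top.

```python
import hashlib, hmac, secrets, sqlite3, time

# Constructed in-memory schema: customers hold a key hash (never the raw key),
# submissions hold the form data, and audit records every insert attempt.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, domain TEXT, key_hash BLOB, revoked INTEGER DEFAULT 0);
CREATE TABLE submissions (id INTEGER PRIMARY KEY, customer_id INTEGER, payload TEXT, ts REAL);
CREATE TABLE audit (id INTEGER PRIMARY KEY, customer_id INTEGER, outcome TEXT, ts REAL);
"""
RATE_LIMIT = 5          # assumed policy: max inserts per customer per window
WINDOW_SECONDS = 60

def key_hash(api_key: str) -> bytes:
    return hashlib.sha256(api_key.encode()).digest()

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def register_customer(db, domain):
    """Issue a random API key; only its hash is kept server side."""
    api_key = secrets.token_urlsafe(32)
    db.execute("INSERT INTO customers (domain, key_hash) VALUES (?, ?)",
               (domain, key_hash(api_key)))
    return api_key

def handle_insert(db, api_key, payload, now=None):
    """The insert endpoint: validate the key, apply policy, then insert.
    Returns an HTTP-style status code so the caller can answer the customer."""
    now = time.time() if now is None else now
    digest = key_hash(api_key or "")
    customer = None
    # Compare against every stored hash in constant time so response timing
    # does not reveal which keys exist (one row per customer, so this is cheap).
    for cid, stored, revoked in db.execute("SELECT id, key_hash, revoked FROM customers"):
        if hmac.compare_digest(stored, digest) and not revoked:
            customer = cid
    if customer is None:
        db.execute("INSERT INTO audit VALUES (NULL, NULL, 'bad_key', ?)", (now,))
        return 401
    (recent,) = db.execute("SELECT COUNT(*) FROM submissions WHERE customer_id=? AND ts>?",
                           (customer, now - WINDOW_SECONDS)).fetchone()
    if recent >= RATE_LIMIT:
        db.execute("INSERT INTO audit VALUES (NULL, ?, 'rate_limited', ?)", (customer, now))
        return 429
    # Parameterised insert: the customer's data never becomes part of the SQL text.
    db.execute("INSERT INTO submissions (customer_id, payload, ts) VALUES (?, ?, ?)",
               (customer, payload, now))
    db.execute("INSERT INTO audit VALUES (NULL, ?, 'ok', ?)", (customer, now))
    return 201
```

Revoking a customer is a single UPDATE on the revoked column, after which its key fails validation without touching any submission rows.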