Posting data to a method in CodeIgniter: is it a security risk?

I have been using CodeIgniter to make a data-entry form with the following code. I am sending the data as POST to the welcome controller's get_data method.
Can providing the action in the form like this be vulnerable? Is there any other method?

<form id='form'  action="<?php echo base_url("welcome/get_data"); ?>" method="POST" style="display:inline;">            
    <div class="form-group">
        <div class="col-md-6">
        <label class="col-md-3">First Name :</label><input  class="col-md-3" type="text" name='fname' ></input>
        </div>
        <div class="col-md-6">
        <label class="col-md-3">Middle Name :</label><input class="col-md-3" type="text" name='mname' ></input>
        </div>
    </div>
    <div class="form-horizontal">
        <div class="col-md-6">
        <label class="col-md-3">Last Name :</label><input class="col-md-3" type="text" name='lname' ></input>
        </div>
        <div class="col-md-6">
        <label class="col-md-3">Mobile No. :</label><input  class="col-md-3" type="text" name='Mno' ></input>
        </div>
    </div>        
    <div class="form-horizontal">
        <div class="col-md-6">
            <label class="col-md-3">Pin Code : </label><input  class="col-md-3" type="text" name='Pcode' ></input>
        </div>
        <div class="col-md-6">
            <label class="col-md-3">Country : </label><input class="col-md-3" type="text" name='Coun'></input>
        </div>
    </div>
    <div class="form-group">
        <div class="col-md-6">
            <label class="col-md-3">State : </label><input class="col-md-3" type="text" name='St'></input>
        </div>
        <div class="col-md-6">
            <label class="col-md-3">Email : </label><input class="col-md-3" type="text" name='email'></input><br>
        </div>
    </div><br>
    <input class="class-md-3 col-md-offset-4" type="submit" value="Save"/>
</form>



Also, can I use $this->input->post() to directly insert data into the database? Is it MySQL injection proof?


You can use the form helper class, which contains lots of functions useful for working with forms.

CodeIgniter form helper

Do escape your DB queries and use the CI built-in function $this->db->escape_str

CodeIgniter Db Queries
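As an added example (not part of the original question or answer), here is one way the `get_data` method could validate the posted fields and insert them so that values are escaped by the framework instead of being concatenated into SQL. It assumes CodeIgniter 3; the `contacts` table, its column names, and the `welcome_form` view are hypothetical.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Assumptions: CodeIgniter 3; hypothetical table `contacts`, hypothetical
// column names, hypothetical view `welcome_form`.
// CSRF: set $config['csrf_protection'] = TRUE in application/config/config.php
// and build the form with form_open('welcome/get_data'), which adds the hidden token.
class Welcome extends CI_Controller
{
    public function get_data()
    {
        $this->load->database();
        $this->load->helper(array('form', 'url'));
        $this->load->library('form_validation');

        // Validate every field the form posts before it reaches the database.
        $v = $this->form_validation;
        $v->set_rules('fname', 'First Name', 'trim|required|max_length[50]');
        $v->set_rules('mname', 'Middle Name', 'trim|max_length[50]');
        $v->set_rules('lname', 'Last Name', 'trim|required|max_length[50]');
        $v->set_rules('Mno', 'Mobile No.', 'trim|required|numeric|max_length[15]');
        $v->set_rules('Pcode', 'Pin Code', 'trim|required|alpha_numeric|max_length[10]');
        $v->set_rules('Coun', 'Country', 'trim|required|max_length[60]');
        $v->set_rules('St', 'State', 'trim|required|max_length[60]');
        $v->set_rules('email', 'Email', 'trim|required|valid_email|max_length[254]');

        if ($v->run() === FALSE) {
            // Redisplay the form; validation_errors() in the view prints the messages.
            $this->load->view('welcome_form');
            return;
        }

        // Map POST keys to columns explicitly so unexpected POST fields are ignored.
        $row = array(
            'first_name'  => $this->input->post('fname'),
            'middle_name' => $this->input->post('mname'),
            'last_name'   => $this->input->post('lname'),
            'mobile'      => $this->input->post('Mno'),
            'pin_code'    => $this->input->post('Pcode'),
            'country'     => $this->input->post('Coun'),
            'state'       => $this->input->post('St'),
            'email'       => $this->input->post('email'),
        );

        // Query Builder escapes the values it is given; no manual escape_str() here.
        $this->db->insert('contacts', $row);
        // For a hand-written query, use bindings, which are escaped as well:
        // $this->db->query('SELECT id FROM contacts WHERE email = ?', array($row['email']));

        redirect('welcome');
    }
}
```

`$this->input->post()` only reads the request value; the protection against SQL injection in this example comes from Query Builder and query bindings, not from the input class.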