WordPress form validation

<form method="post" action="<?php echo get_template_directory_uri() ?>/abc.php">
First Name: <input type="text" name="firstname" pattern="^[A-Za-z]{2,20}"><br>
Last Name: <input type="text" name="lastname"   pattern="^[A-Za-z]{2,20}"><br>
E-mail: <input type="email" name="email"><br>
<input type="submit">

// Php handler “abc.php”

$servername = "omitted";
                    $username = “omitted";
                    $password = "omitted";
                    $dbname = "omitted";
                    $conn = new mysqli($servername, $username, $password, $dbname); 
                    if ($conn->connect_error) {
                        die("Connection failed: " . $conn->connect_error);
                    $sql = "INSERT INTO MyDB (firstname, lastname, email)
                        VALUES ('John', 'Doe', 'johnexample.com')";

                    if ($conn->query($sql) === TRUE) {
                        // echo "New record created successfully";

                    }   else {
                        echo "Error: " . $sql . "<br>" . $conn->error;


                    // Redirect browser 
                    header("Location: http://www.redirectedURL"); 


The preceding contact form is pasted inside a copy of my wordpress theme template with validations as included. The mysql username used for the SQL insert has “INSERT” privileges only. (I’m aware that if you say your name is K!ng T&t you’ll have to use the support@example.com email provided and I’m good with that).

What vulnerabilities have I missed ?

, , Dahere 2 years 2019-11-03T17:38:19-05:00 0 Answers 70 views 0

Leave an answer