[bgdam]

> that was secure and wouldn’t give me a headache, so number 3 was off as well.

Is having a backend controller that securely writes to a DB when a url is posted to that difficult in PHP, that this 'sane' way is preferred? Isn't it the most basic of CRUD setups?

I can understand doing this because n8n has a quick way to send emails (at least that's what I assume based on this article), but I really don't understand how this over engineered solution is supposed to be the sane way.

[dartos]

Security in php is a headache.

Many crud apps which separate the frontend and backend have form validation and sanitization on the frontend and backend (partly by virtue of converting raw input into escaped json strings), but IIRC isn’t as straightforward in php.

[echoangle]

Im not sure what’s so hard about doing it in PHP. Can I not just get all the data from the GET/POST-Data-Assocarray, get the form fields I want, and put them into a prepared statement to save them to the DB? What’s the vulnerability here? Maybe add an CSRF Token for extra security and I think you’re done, or am I missing something?

[omnimus]

You are not. Its same security any other stack would do.

This “PHP security is terrible” is mostly because people remember stories from 20 year ago (when none of the cool stacks didnt even exist) and things like Worpdress the most targeted cms/framework in the world.

I have suspicion that if Vercel/next powered 60% of web than its security reputation wouldnt be great either.

PHP is flawed but so are all the other stacks. PHP is old but that doesnt mean its not being updated or up to date. If anything its boring.

[kugelblitz]

Security in vanilla php using old tools is a headache.

I use Symfony and using the form component (https://symfony.com/doc/current/components/form.html) you can achieve much of what is needed.

If you use the framework as well (which is very modular nowadays) you also have security built-in (https://symfony.com/doc/current/forms.html).

But probably not as fast as a "quick and loose" approach if you don't know Symfony yet, but extendible and secure (if you do know Symfony, it might be faster than the vanilla php approach, because you can avoid much of the "generic" code, the validators, the error handling, avoid SQL and XSS injection).

[pbowyer]

> Security in php is a headache.

It really isn't.

[theamk]

what are the possible security problems in this case (grab all form data and stuff to database)?

The only one I can think of is SQL injection, but that's trivial to fix with placeholders.