You should never trust user input. Always validate data on the server side.

SQL injections

The first line of defense against injections is using prepared statements. If you use prepared statements for your queries, then it really doesn't matter what the user puts into your form, because you have already separated code from data. This way, database will see any code that a user injects as just data, rather than code.

CSRF / Cross-site Request Forgery

• https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

Some ideas on protecting POST requests

https://perishablepress.com/protect-post-requests/

THINK ABOUT:

• protect form from blank submission
• do a data validation - on client side, on server side