There is no contact form here on purpose. Classic web forms are one of the oldest ways to inject malicious input into back-end systems. Instead, contact happens over email, where you can control what client you use and how you handle encryption.
A typical insecure form takes whatever you type and drops it straight into a SQL query. If the code does not escape or parameterise inputs, an attacker can make the input change the query itself instead of just filling in the blanks.
If user input is combined with the query this way, a crafted value can break out of the quotes and bolt new conditions or commands onto the end of the statement. That is the core idea behind SQL injection. Prepared statements and strict validation fix this, but many old contact forms were not written with that discipline.
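As an added illustration (example code, not websec.gr's own), here is a contact-form handler written both ways against an in-memory SQLite table: the concatenating version lets an apostrophe in a perfectly ordinary message alter the statement, while the validated, parameterised version stores it intact. The table layout, column names and email regex are assumptions for this example.

```python
import re
import sqlite3


def new_db():
    """In-memory stand-in for a contact form's back-end store (constructed for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    return db


def save_message_concat(db, sender, body):
    """Insecure pattern: user input is spliced into the SQL text, so the data
    is parsed as part of the statement rather than as a value."""
    sql = f"INSERT INTO messages (sender, body) VALUES ('{sender}', '{body}')"
    db.execute(sql)
    db.commit()


# Deliberately strict shape check; adjust to taste, but reject early.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def valid_sender(sender):
    return bool(EMAIL_RE.match(sender))


def save_message_param(db, sender, body):
    """Hardened pattern: validate first, then bind values with a prepared statement.
    The driver hands the values to the engine separately, so quotes in the data
    can never change the structure of the query."""
    if not valid_sender(sender):
        raise ValueError("sender is not a plausible email address")
    if not body or len(body) > 4000:
        raise ValueError("body is empty or too long")
    db.execute("INSERT INTO messages (sender, body) VALUES (?, ?)", (sender, body))
    db.commit()


def stored_bodies(db):
    return [row[0] for row in db.execute("SELECT body FROM messages ORDER BY id")]


def demo():
    """Run the same innocent message through both handlers and report what happened."""
    body = "Hi, I'm interested in your work."  # the apostrophe is the whole point
    results = {}
    db = new_db()
    try:
        save_message_concat(db, "alice@example.com", body)
        results["concat"] = "stored"
    except sqlite3.Error as e:
        results["concat"] = f"SQL error: {e}"  # data leaked into the statement
    db2 = new_db()
    save_message_param(db2, "alice@example.com", body)
    results["param"] = stored_bodies(db2)
    return results
```

The concatenating handler fails on a benign apostrophe for exactly the reason it is exploitable: the database cannot tell where the data ends and the query resumes.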
Keeping only an email address here is a design choice: less code, less attack surface, fewer places for input to be mishandled. If you care about privacy, you can also choose your own email client, encryption keys and storage model.