Is it needed? I don't know too much (near to 'nothing', to be honest) about web security, but I heard that SQL injection is only possible in input fields that are used to make SQL connections, like login forms for instance.

Thing is: the only part where the user can input data is the contact form; my website has no databases, no login system. Are hackers still able to somehow attack with a simple contact form?

Right now, the only "filter" I'm using is server-side just before the mail is sent (in a PHP file that is called via ajax): the strip_tags() function.

PHP:

    $allowedTags = '<p><strong><em><u><h1><h2><h3><h4><h5><h6><img><li><ol><ul><span><div><br><ins><del>';
    $sanitized = strip_tags($formValues->message, $allowedTags);

Would this be enough? Better to use plugins like HTML Purifier to be sure?
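Added example, not the asker's code and not from HTML Purifier: it shows what the strip_tags() allow-list from the question actually does to a constructed message (tags outside the list are removed, but attributes on allowed tags and the text inside removed elements are kept), and a plain-text handling path for the same form that encodes at output time and rejects line breaks in anything that ends up in a mail header. The field names follow the $formValues object in the question; the addresses, the helper names and the 200-character limit are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's code). Assumed field names follow the
// question's $formValues object; addresses and limits are made up.

// 1. strip_tags() with the allow-list from the question. It only removes
//    tags NOT on the list; attributes on listed tags pass through untouched,
//    and the text content of a removed element is kept.
function stripWithAllowList(string $message): string
{
    $allowedTags = '<p><strong><em><u><h1><h2><h3><h4><h5><h6>'
                 . '<img><li><ol><ul><span><div><br><ins><del>';
    return strip_tags($message, $allowedTags);
}

// 2. Baseline for a contact form: treat the message as text, and encode it
//    only where it is rendered as HTML (HTML mail, an admin page). A
//    text/plain mail would carry the trimmed message without encoding.
function sanitizeForHtmlBody(string $message): string
{
    return htmlspecialchars(trim($message), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Anything placed in a mail header must not contain CR, LF or NUL,
//    otherwise the sender controls extra header lines. Reject, don't "clean".
function validateHeaderValue(string $value, int $maxLen = 200): string // limit assumed
{
    if (strlen($value) > $maxLen) {
        throw new InvalidArgumentException('header value too long');
    }
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('line break in header value');
    }
    return $value;
}

function validateEmail(string $email): string
{
    $email = validateHeaderValue($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return $email;
}

// Constructed sample submission shaped like the question's $formValues.
$formValues = (object) [
    'name'    => 'Alice Example',
    'email'   => 'alice@example.com',
    'message' => '<p title="kept">Hello</p><script>x</script>',
];

// The title attribute on the allow-listed <p> and the text "x" from inside
// the removed <script> element both survive strip_tags().
echo stripWithAllowList($formValues->message), PHP_EOL;

try {
    $name    = validateHeaderValue($formValues->name, 100);
    $email   = validateEmail($formValues->email);
    $subject = 'Contact form: ' . $name;          // built server-side from a validated field
    $body    = sanitizeForHtmlBody($formValues->message);

    // From: stays a fixed address on the site's own domain (assumed); the
    // visitor's address goes in Reply-To so replies still reach them.
    $headers = [
        'From: contact-form@example.com',
        'Reply-To: ' . $email,
        'Content-Type: text/html; charset=UTF-8',
        'X-Mailer: PHP/' . PHP_VERSION,
    ];
    $sent = mail('owner@example.com', $subject, nl2br($body), implode("\r\n", $headers)); // recipient assumed
    echo $sent ? 'sent' : 'mail() failed', PHP_EOL;
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Running this prints `<p title="kept">Hello</p>x` for the first echo: the allow-list kept the attribute and dropped only the script tags, not their contents, which is why an allow-list alone is a weak filter for anything later rendered as HTML. The rest of the script is the path most contact forms actually need: the message body is encoded at output, and the fields that end up in mail headers are rejected if they contain line breaks rather than trusting a tag filter to deal with them.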