If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; m...
Is there an SQL injection possibility even when using mysql_real_escape_string() function? Consider this sample situation. SQL is constructed in PHP like this: $login = mysql_real_escape_string(GetF...
Just looking at: (Source: https://xkcd.com/327/) What does this SQL do: Robert'); DROP TABLE STUDENTS; -- I know both ' and -- are for comments, but doesn't the word DROP get commented as well s...
It is currently said that MD5 is partially unsafe. Taking this into consideration, I'd like to know which mechanism to use for password protection. This question, Is “double hashing” a password l...
The eval function is a powerful and easy way to dynamically generate code, so what are the caveats?
Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of html tags?
Form-based authentication for websites We believe that Stack Overflow should not just be a resource for very specific technical questions, but also for general guidelines on how to solve variati...
Possible Duplicates: How does the SQL injection from the "Bobby Tables" XKCD comic work? https://stackoverflow.com/search?q=sql+injection Can someone explain SQL injection? How ...
Let's say I have code like this: $dbh = new PDO("blahblah"); $stmt = $dbh->prepare('SELECT * FROM users where username = :username'); $stmt->execute( array(':username' => $_REQUEST['usernam...
I am working on a project that has to have authentication (user name/pass) It also connects to a database so i figured i would store the user name and password there but it seems like not such a goo...