All Questions

2783 votes, 28 answers, 1306725 views

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; m...

443 votes, 5 answers, 174198 views

SQL injection that gets around mysql_real_escape_string()

Is there an SQL injection possibility even when using mysql_real_escape_string() function? Consider this sample situation. SQL is constructed in PHP like this: $login = mysql_real_escape_string(GetF...

939 votes, 12 answers, 144594 views

How does the SQL injection from the "Bobby Tables" XKCD comic work?

Just looking at: (Source: https://xkcd.com/327/) What does this SQL do: Robert'); DROP TABLE STUDENTS; -- I know both ' and -- are for comments, but doesn't the word DROP get commented as well s...

987 votes, 14 answers, 177757 views

Secure hash and salt for PHP passwords

It is currently said that MD5 is partially unsafe. Taking this into consideration, I'd like to know which mechanism to use for password protection. This question, Is “double hashing” a password l...

447 votes, 24 answers, 223186 views

Why is using the JavaScript eval function a bad idea?

The eval function is a powerful and easy way to dynamically generate code, so what are the caveats?

929 votes, 15 answers, 407683 views

What's the best method for sanitizing user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of html tags?

4787 votes, 12 answers, 516142 views

The definitive guide to form-based website authentication

Form-based authentication for websites We believe that Stack Overflow should not just be a resource for very specific technical questions, but also for general guidelines on how to solve variati...

69 votes, 13 answers, 29526 views

What is SQL injection?

Possible Duplicates: How does the SQL injection from the "Bobby Tables" XKCD comic work? https://stackoverflow.com/search?q=sql+injection Can someone explain SQL injection? How ...

510 votes, 6 answers, 154788 views

Are PDO prepared statements sufficient to prevent SQL injection?

Let's say I have code like this: $dbh = new PDO("blahblah"); $stmt = $dbh->prepare('SELECT * FROM users where username = :username'); $stmt->execute( array(':username' => $_REQUEST['usernam...

357 votes, 8 answers, 215856 views

Best way to store password in database

I am working on a project that has to have authentication (user name/pass). It also connects to a database, so I figured I would store the user name and password there, but it seems like not such a goo...