All Questions

2783 votes | 28 answers | 1306724 views

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; m...

443 votes | 5 answers | 174198 views

SQL injection that gets around mysql_real_escape_string()

Is there an SQL injection possibility even when using mysql_real_escape_string() function? Consider this sample situation. SQL is constructed in PHP like this: $login = mysql_real_escape_string(GetF...

939 votes | 12 answers | 144594 views

How does the SQL injection from the "Bobby Tables" XKCD comic work?

Just looking at: (Source: https://xkcd.com/327/) What does this SQL do: Robert'); DROP TABLE STUDENTS; -- I know both ' and -- are for comments, but doesn't the word DROP get commented as well s...

929 votes | 15 answers | 407683 views

What's the best method for sanitizing user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of html tags?

69 votes | 13 answers | 29526 views

What is SQL injection?

Possible Duplicates: How does the SQL injection from the "Bobby Tables" XKCD comic work? https://stackoverflow.com/search?q=sql+injection Can someone explain SQL injection? How ...

510 votes | 6 answers | 154788 views

Are PDO prepared statements sufficient to prevent SQL injection?

Let's say I have code like this: $dbh = new PDO("blahblah"); $stmt = $dbh->prepare('SELECT * FROM users where username = :username'); $stmt->execute( array(':username' => $_REQUEST['usernam...

68 votes | 7 answers | 86804 views

Why do we always prefer using parameters in SQL statements?

I am very new to working with databases. Now I can write SELECT, UPDATE, DELETE, and INSERT commands. But I have seen many forums where we prefer to write: SELECT empSalary from employee where salary...

112 votes | 9 answers | 65401 views

How can prepared statements protect from SQL injection attacks?

How do prepared statements help us prevent SQL injection attacks? Wikipedia says: Prepared statements are resilient against SQL injection, because parameter values, which are transmitted later ...

60 votes | 5 answers | 2360 views

Reference: What is a perfect code sample using the MySQL extension?

This is to create a community learning resource. The goal is to have examples of good code that do not repeat the awful mistakes that can so often be found in copy/pasted PHP code. I have requested...

16 votes | 6 answers | 7299 views

In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

I am working on a form with the possibility for the user to use illegal/special characters in the string that is to be submitted to the database. I want to escape/negate these characters in the string ...