PHP5/PDO sql injection help?

[Freid001]

Hi, i'm new to php 5/PDO I just has a quick question about preventing sql injections. Will the following code below prevent sql injection, and cross site scripting attacks, if no please explain how I can prevent against this, if yes can you explain how this prevents these attacks?

 

function clean($data){ 

$data = stripslashes($data);

$data = strip_tags($data); 

return $data; 

} 

 

$newuser = clean ($_POST['username']);

 

$query = $db->prepare("UPDATE `accounts` SET username=:newuser WHERE account=:account");

$query->execute(array(':newuser'=>"$newuser",':account'=>$account));

[kicken]

You don't need (or want) to do stripslashes unless your PHP setup is configured with magic_quotes_gpc = on. You can check for that at runtime using get_magic_quotes_gpc. As for preventing cross-site scripting, all you need to do is use htmlentities on the input. I would prefer that over strip_tags. For SQL Injection, since you are using prepared statements with parameters for the values, you are fine on that end.

[Irate]

I'd like to point you to Google for this matter.

 

Some information on Client-side XSS (also called non-persistent XSS): https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet (this explains how to perform XSS attacks so guard yourself against these)

 

More Google results regarding this matter: http://www.veracode.com/security/xss

 

As for SQL Injections, as kicken said, MySQLi's stmt method works just fine to prevent injections by default. Doesn't hurt to additionally escape data, though.