Protecting a form field from what?

htmlspecialchars() is for use when outputting user-supplied data to a web page.

mysql_real_escape_string() was used to protect input values to queries from SQL injection. This is now obsolete, replaced by mysqli_real_escape_string() or (better still) the use of prepared statements to completely separate the query code from the user-supplied data.

18 hours ago, Barand said:

Protecting a form field from what?

htmlspecialchars() is for use when outputting user-supplied data to a web page.

mysql_real_escape_string() was used to protect input values to queries from SQL injection. This is now obsolete, replaced by mysqli_real_escape_string() or (better still) the use of prepared statements to completely separate the query code from the user-supplied data.

Agree. Although I would say there is a case where "protecting a form field" is directly related to "outputting user-supplied data". When populating a form field value (e.g. when editing a record) it would be appropriate to escape the content in the value parameter. Not sure if that is what the OP is asking about since what is being asked doesn't exactly make sense.

The 2 things have nothing to do with each other, but I will say this about SQL Injections.  Forget about mysqli_real_escape_string or any attempt to escape anything, and use parameters.  Use parameters and bind the values. This eliminates the possibility of SQL Injections, because no interpolation is being done, and you also no longer have to care about escaping quotes or other characters special to SQL.  

https://www.php.net/htmlspecialchars is something you can use to combat XSS, or https://www.php.net/manual/en/filter.filters.sanitize.php.  

For XSS the best solution is to store the input in the DB as is, and then do your filtration/conversion when you are going to present the string on your site/within your application.

  • 3 weeks later...
$keyword = $_GET['search'];
// The placeholder name must match the one bound below (:keyword)
$search = $con->prepare("SELECT * FROM members WHERE name LIKE :keyword");
$search->bindValue(':keyword', '%' . $keyword . '%', PDO::PARAM_STR);
$search->execute();

or 


$keyword = mysqli_real_escape_string($con, $_GET['search']);
........
Which is better for securing search input?

And why is the URI

http://localhost/member_app/results?search=<script>alert('hi')<%2Fscript> after submission?

5 minutes ago, mahenda said:

which is better for securing search input

That has already been answered in the previous post...

On 8/2/2019 at 10:31 AM, gizmola said:

Forget about mysqli_real_escape_string or any attempt to escape anything, and use parameters.

 

The query string has been automatically url_encoded prior to submission.
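
An added example, not from any poster in this thread, tying the answers together: the search keyword is bound as a parameter, and htmlspecialchars() is applied only when a value is written back into the page, including the form field's value attribute. The in-memory SQLite database (pdo_sqlite), the sample rows, and the helper names searchMembers() and e() are assumptions made for illustration.

```php
<?php
// Added illustration: in-memory SQLite stands in for the thread's MySQL database.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT)');
$ins = $con->prepare('INSERT INTO members (name) VALUES (:name)');
foreach (['mahenda', "O'Brien", '100% <b>bold</b>'] as $name) {   // constructed rows
    $ins->execute([':name' => $name]);
}

/** Search members by name; the keyword reaches the database only as a bound value. */
function searchMembers(PDO $con, string $keyword): array
{
    // % and _ are LIKE wildcards (a matching issue, not injection).
    // Escape them with '!' so they match literally.
    $literal = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword);
    $stmt = $con->prepare("SELECT name FROM members WHERE name LIKE :keyword ESCAPE '!'");
    $stmt->bindValue(':keyword', '%' . $literal . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Escape at output time; safe for HTML text and for a quoted attribute value. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs standing in for $_GET['search'] after PHP has URL-decoded it.
$samples = ["<script>alert('hi')</script>", "' OR '1'='1", "O'Brien", '100%'];
foreach ($samples as $keyword) {
    $rows = searchMembers($con, $keyword);
    // Re-populating the search field: the raw keyword passes through e() inside value="".
    echo '<input name="search" value="' . e($keyword) . '">' . PHP_EOL;
    echo '<p>' . count($rows) . ' result(s) for ' . e($keyword) . '</p>' . PHP_EOL;
    foreach ($rows as $name) {
        echo '<li>' . e($name) . '</li>' . PHP_EOL;   // stored as is, escaped on display
    }
}
```

URL encoding in the address bar only affects transport; the script runs or not depending on whether the decoded value is escaped when it is echoed.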

19 minutes ago, Barand said:

That has already been answered in the previous post...

 

The query string has been automatically url_encoded prior to submission.

So it means this is secure

Check what happens when I try searching:

http://localhost/member_app/results?page=1&search=mahenda

I have doubts about the page number: why is it visible, and how do I hide it?
