Wednesday, 19 July 2017

mysqli - When does user input from a PHP form become harmful?

Notice: I am using prepared statements in my real code; this is a general question.

If a user entered... Robert');DROP TABLE users;-- ... or something similar, when would the code drop my user table?

  1. At variable initiation?

$username = $_POST['username'];

  2. When the input is inserted into the table?

$sql = "INSERT INTO users (username) VALUES ('$username')";

  3. When the input is called from the database back into the website?

echo $_GET['username'];

I want to know when/if I should be using functions like mysqli_real_escape_string or htmlspecialchars.

Any feedback/criticism is welcome. Thank you.
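An added PHP walkthrough of the three points in the question (example code, not from the original post). It assumes an open mysqli connection $db and a users table with a VARCHAR username column; the function names insertUser and renderUsername are made up for the example.

```php
<?php
// Added example, not code from the original question. Assumes an open
// mysqli connection $db and a table `users` with a VARCHAR column `username`.

// Constructed input: the payload quoted in the question.
$username = "Robert');DROP TABLE users;--";

// Point 1: copying $_POST['username'] into a variable is harmless.
// It is only a string; nothing interprets it yet.

// Point 2 (unsafe): interpolating it into the query text lets the input
// change the SQL itself. Built here for illustration, never executed.
$unsafeSql = "INSERT INTO users (username) VALUES ('$username')";
// $unsafeSql now reads:
//   INSERT INTO users (username) VALUES ('Robert');DROP TABLE users;--')
// The quote in the payload closes the SQL string literal, so the rest sits
// outside it. This is the moment the input becomes SQL: mysqli_real_escape_string()
// would have to be applied right here. A prepared statement avoids the problem
// because the value is sent separately and never becomes query text.
function insertUser(mysqli $db, string $username): bool
{
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (?)');
    $stmt->bind_param('s', $username);   // 's' = bind as a string value
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;                          // the payload is stored literally, as data
}

// Point 3: reading the value back is also harmless in itself. The second
// hazard is writing it into HTML without encoding (cross-site scripting,
// a different bug from SQL injection). htmlspecialchars() belongs here,
// at output time, not at database-insert time.
function renderUsername(string $username): string
{
    return '<span class="user">'
        . htmlspecialchars($username, ENT_QUOTES, 'UTF-8')
        . '</span>';
}

// insertUser($db, $username);
// echo renderUsername($username);
```

Each defence sits at the boundary where the data changes meaning: prepared statements (or escaping) where the string meets SQL, htmlspecialchars where it meets HTML.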
