Php-MySql Security approach while INSERT’ing INTO MySql & fetching from MySql to screen -

-

my approach while insert’ing mysql

i think read in stackoverflow.com “if need escaping or similar action, in time need” in verification pages verify user inputs (null or not check, length check , structural checks (eg: mail structure, custom tags structures); use $_post[''] variables inputs. during verifications, in custom error printing parts, error messages not include of $_post[''] values in message texts.

interim note: utilize prepared statements , parameterized queries during php-mysql interactions. if inputs verified; before insert’ing mysql, strip tags input since don’t allow html tags other custom structured tags. (for example **bold text** === <strong>bold text</strong>) insert user input mysql db.

my approach while fetching mysql & printing output screen

i apply htmlspecialchars() command print out screen mysql db

my question

i not sure of myself. there obvious or hidden weakness in approach? in advance php gurus’ valuable comments. br

update

i won't strip tags during insert mysql db. reasons, please refer comments of Álvarog.vicario below. br.

the discussion far has been protecting sql injection , persistent cross site scripting. sounds you're on right track.

  • your use of prepared statements "best practice" combat sql injection.
  • htmlspecialchars() start prevent xss, have escape data in encoding scheme appropriate outputting data. owasp has comprehensive page discusses this: xss (cross site scripting) prevention cheat sheet. short answer: ensure using "the escape syntax part of html document you're putting untrusted data into."

Comments

Post a Comment

Popular posts from this blog

Delphi XE2 Indy10 udp client-server interchange using SendBuffer-ReceiveBuffer -

-
i use delphi xe2 , indy10 udp protocol. can't receive server echo on client side if use receivebuffer method. got "socket error # 10040" although send small echo message server client. console application illustrate problem below. in advance. program project1; {$apptype console} {$r *.res} uses system.sysutils, idglobal, idbasecomponent, idcomponent, idsockethandle, idudpclient, idudpserver, idudpbase, idstack; type tudp_serv = class(tidudpserver) procedure udpsvudpread(athread: tidudplistenerthread; adata: tidbytes; abinding: tidsockethandle); end; var udpserver: tudp_serv; udpcl: tidudpclient; bsnd, brcv: tbytes; s: string; k: integer; //============================================================================== procedure tudp_serv.udpsvudpread(athread: tidudplistenerthread; adata: tidbytes; abinding: tidsockethandle); begin writeln(' server read: ' + tohex(adata, length(adata))); abinding sendto(peerip, peerport, adat...
Read more

Qt ActiveX WMI QAxBase::dynamicCallHelper: ItemIndex(int): No such property in -

-
i new windows programming. here goes code objiwbemlocator = new qaxobject("wbemscripting.swbemlocator"); objwmiservice = objiwbemlocator->querysubobject("connectserver(qstring&,qstring&)",qstring("."),qstring("root\\cimv2")); qaxobject* returnlist = objwmiservice->querysubobject("execquery(qstring&)", qstring("select * %1").arg(domain)); qaxobject* result = returnlist->querysubobject("itemindex(int)", 0); i getting error on runtime qt activex wmi qaxbase::dynamiccallhelper: itemindex(int): no such property in but itemindex method exists msdn says the itemindex method not work collections not contain swbemobjects, such swbemmethodset, swbemnamedvalueset, swbemprivilegeset, swbempropertyset, , swbemqualifierset. what selecting ? have tried iterating on collection ? plus need minimum windows vista itemindex method. hope helps
Read more

Enable autocomplete or intellisense in Atom editor for PHP -

-
i'm first time user of atom editor php code. atom can autocomplete built-in functions of php. possible make editor autocomplete custom function written in separate file? function.php <?php function printsomething() { echo "hello world"; } index.php <?php require_once "function.php"; printsomething(); // autocompleted atom editor while typing thanks in advance. there text file in %userprofile%.atom called snippets.cson. in there can add snippet. more this: http://flight-manual.atom.io/using-atom/sections/snippets/ but need think can use later on other files well. otherwise need copy , paste.
Read more