Do I need to use htmlspecialchars() before I send PHP Session into MySQL query?
Can some evil hacker create sessions on his machine with a dangerous SQL injection in it?
No.
You use htmlspecialchars() before you put text into HTML. (Trusted HTML you put straight into HTML. Untrusted HTML you run through a whitelist.) That is a defence against XSS.

It is SQL injection that you have to worry about when putting data into an SQL query. Since session data contains only what you put into it in the first place, if you take any measures to defend against SQL injection, then they will depend on what data you put into the session.
As a rule of thumb, any variable being put into a query should be inserted using bound variables and not string concatenation.
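The two boundaries the answer separates, shown side by side as an added example (this is not the answerer's code). It assumes PDO with an in-memory SQLite database so it runs offline without MySQL; the users table, its rows and the hostile session value are all constructed for illustration.

```php
<?php
// Added example, not from the original answer. Uses SQLite in memory via PDO
// (assumption) so it runs offline; the table and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)");
$db->exec("INSERT INTO users (username, bio) VALUES ('alice', '<b>hello</b>'), ('bob', 'hi')");

// Stands in for $_SESSION['username']. Session data lives server-side, but the
// value in it originally came from somewhere (a login form, a profile field),
// so treat it as data, never as SQL text. Constructed hostile value:
$sessionUsername = "alice' OR '1'='1";

// WRONG: string concatenation lets the session value become part of the SQL grammar.
function lookupByConcat(PDO $db, string $username): array
{
    $sql = "SELECT username, bio FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// RIGHT: a bound parameter keeps the value out of the SQL grammar entirely,
// whatever quotes or keywords it contains.
function lookupByBoundParam(PDO $db, string $username): array
{
    $stmt = $db->prepare("SELECT username, bio FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// htmlspecialchars() belongs at the HTML boundary, not the SQL boundary:
// it does nothing for the query, only for rendering the result safely.
function renderRow(array $row): string
{
    return '<li>' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8')
         . ': ' . htmlspecialchars($row['bio'], ENT_QUOTES, 'UTF-8') . '</li>';
}

$concat = lookupByConcat($db, $sessionUsername);
$bound  = lookupByBoundParam($db, $sessionUsername);

echo "concatenation returned " . count($concat) . " rows (every user leaked)\n";
echo "bound parameter returned " . count($bound) . " rows (no such username)\n";
foreach ($concat as $row) {
    echo renderRow($row), "\n";   // bio is escaped, so <b> is shown literally, not rendered
}
```

The point to take from running it: the same session value yields two rows through concatenation and none through the bound parameter, and htmlspecialchars() is applied only when a row is turned into HTML, never to the value that goes into the query.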