I got a $_GET and users are able to send the $_GET string to the MySQL, so quick question:
Is this query:
mysql_query("SELECT XX FROM ZZ WHERE YY LIKE '%" . htmlspecialchars($_GET['string']) . "%';");
enough to be safe? Or should I add something more than htmlspecialchars() to be safe?
Thank you in advance for all replies.
Unsafe.
Trivial example data that even shows htmlspecialchars doing “its thing” — it’s just the wrong “thing”.
Happy coding.
Solution: Use placeholders as per PDO or mysqli (or use mysql_real_escape_string if you wish to keep promoting outdated practices…). See Best way to stop SQL injection in PHP, Prevent injection SQL with PHP and Can SQL injection be prevented with just addslashes?