I'm working on a site where content pages are handled with mod_rewrite, and I'm trying to protect the URL managed by mod_rewrite from SQL injection with some character restrictions, because users can create page contents like this:
My doubts come when they insert something like:
I need to insert the ' char because I can have names like this, for example names of famous architects, but I don't know if I can keep the data safe and how to prevent SQL injections with this character.
Should I do something particular to prevent attacks?
PDO class in PHP like this:

    $architect = strip_tags(trim($_REQUEST["architect"]));
    // pdo class etc..
    $pdo_stmt->bindParam(":arch", $architect, PDO::PARAM_STR);
    // and the other code here...
Users can't create pages with these chars: < > / \ * ? =
Should I ban
Or should I permit only one of " chars, or can I use them together and keep the server safe?
$stmt->bindParam (and bindValue, and in general, prepared statements) are safe against SQL injection. All serious DB frameworks support a way of adding parameters to a query, and values added that way are sanitized. You should always do that and never insert variable data coming from users (see comments) manually into an SQL query string.
That still leaves the question of XSS injections, which are easier to miss (though also less dangerous); to avoid them, make sure you always use htmlspecialchars($var, ENT_QUOTES) (or urlencode, depending on the context).
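The two points in the answer, as an added example that is not part of the question or answer above: a name containing an apostrophe is stored and looked up through PDO bound parameters, and then escaped with htmlspecialchars() for the HTML context. It uses an in-memory SQLite database, and the table and the sample names are constructed for this example.

```php
<?php
// Added example: PDO prepared statements for the database side and
// htmlspecialchars() for the output side. The in-memory SQLite database,
// the "pages" table and the sample names below are constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Prefer real server-side prepares over client-side string interpolation
// where the driver supports them.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, architect TEXT NOT NULL)');

// Constructed sample input, as it might arrive from the rewritten URL or a form.
// The apostrophe and the "' OR '1'='1" fragment are plain data here, never SQL.
$samples = ["Frank O'Gehry", "Zaha' OR '1'='1", "<b>Mies</b> & Rohe"];

$insert = $pdo->prepare('INSERT INTO pages (architect) VALUES (:arch)');
foreach ($samples as $name) {
    // The value travels separately from the statement text, so a quote
    // character in it cannot terminate the SQL string literal.
    $insert->bindValue(':arch', trim($name), PDO::PARAM_STR);
    $insert->execute();
}

// Look up a page by a user-supplied name, again with a bound parameter.
$lookup = $pdo->prepare('SELECT id, architect FROM pages WHERE architect = :arch');
$lookup->bindValue(':arch', "Frank O'Gehry", PDO::PARAM_STR);
$lookup->execute();
$row = $lookup->fetch(PDO::FETCH_ASSOC);
assert($row['architect'] === "Frank O'Gehry");
$lookup->closeCursor();

// The injection-shaped string was stored as a literal name and matches only itself.
$lookup->bindValue(':arch', "Zaha' OR '1'='1", PDO::PARAM_STR);
$lookup->execute();
assert(count($lookup->fetchAll(PDO::FETCH_ASSOC)) === 1);

// Output side: escape for HTML. ENT_QUOTES converts both ' and ", so stored
// text can neither become markup nor break out of an attribute value.
$all = $pdo->query('SELECT architect FROM pages ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
foreach ($all as $name) {
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    echo '<li data-name="' . $safe . '">' . $safe . "</li>\n";
}
// First line printed: <li data-name="Frank O&#039;Gehry">Frank O&#039;Gehry</li>
```

strip_tags() on input, as in the question, is not needed for either protection; escaping at output time covers every character, including the apostrophe the question wants to keep.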
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki