On Thu, 2016-07-21 at 23:04 -0400, Omega -1911 wrote:
> On Thu, Jul 21, 2016 at 9:50 PM, Aziz Saleh <azizsaleh@xxxxxxxxx> wrote:
>
> > Prepared statements have nothing to do with htmlentities (probably since
> > it's an old code it was doing it wrong, should have been using
> > mysql_real_escape_string).
> >
>
> That is NOT true. To rely on mysql_real_escape_string still leaves an open
> window to attack:
> http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
>
> A simple regex (or so) to only allow approved characters would be better
> practice.

That would NOT be a better practice, as your regex would need to be unnecessarily complicated for all the characters you want to allow (and what about poor old Patrick O'Leary, who you just prevented entry to your form because they have an apostrophe in their name that you forgot to include? https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/)

Use prepared statements with PDO; they will protect you to the level you want. At this point anything is better than the mysql_* functions you appear to be using.

htmlentities() is only for presentation to a browser when the content is HTML. It's very bad practice to use this on content before entering it into a DB, as that's modifying the content in a way that can't be easily undone (e.g. if the content already legitimately had encoded HTML in there).

Thanks,
Ash
http://www.ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
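The pattern Ash recommends above, as an added example that is not part of the thread: PDO prepared statements keep user input out of the SQL text entirely (so an apostrophe in "Patrick O'Leary" is just data), the raw text goes into the database unmodified, and htmlentities() is applied only at the moment the value is rendered into an HTML page. The table, the helper functions and the sample rows are constructed for this example; it uses an in-memory SQLite database (pdo_sqlite is assumed to be available) so it runs offline, and the same PDO calls work unchanged against a MySQL DSN.

```php
<?php
// Added example, not from the mailing-list thread. Demonstrates:
//  1. PDO prepared statements with bound parameters (no string-built SQL),
//  2. storing user input as-is (no htmlentities before the INSERT),
//  3. HTML-encoding only at output time.
// Assumption: an in-memory SQLite database stands in for MySQL so the
// script runs offline; swap the DSN to use a MySQL server.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // For MySQL, also turn off emulated prepares so the server binds the
    // parameters itself rather than the driver interpolating them:
    // $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, bio TEXT NOT NULL)');
    return $pdo;
}

// The values are sent separately from the SQL, so quotes, apostrophes and
// backslashes in $name or $bio are stored exactly as the user typed them.
function addUser(PDO $pdo, string $name, string $bio): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name, bio) VALUES (:name, :bio)');
    $stmt->execute([':name' => $name, ':bio' => $bio]);
    return (int) $pdo->lastInsertId();
}

function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Encoding for HTML happens here, at presentation time, and nowhere else.
function renderUser(array $row): string
{
    $h = fn(string $s): string => htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf("<li>%s: %s</li>\n", $h($row['name']), $h($row['bio']));
}

// Constructed sample input: a legitimate apostrophe, and a bio that already
// contains an HTML entity, which must round-trip through the DB untouched.
$pdo = openDb();
addUser($pdo, "Patrick O'Leary", 'Writes about &lt;b&gt; tags and "quotes".');

$row = findUserByName($pdo, "Patrick O'Leary");
if ($row === null || $row['bio'] !== 'Writes about &lt;b&gt; tags and "quotes".') {
    throw new RuntimeException('stored text was altered on the way through the DB');
}
echo renderUser($row);
```

Because the database holds the original text, the same row can later be emitted as JSON, plain text or an e-mail body with the encoding appropriate to each, which is exactly what encoding before the INSERT makes impossible.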