Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>It's a common misconception that user input can be filtered. PHP even has a (now deprecated) "feature", called magic-quotes, that builds on this idea. It's nonsense. Forget about filtering (Or cleaning, or whatever people call it).</p> <p>What you should do, to avoid problems, is quite simple: whenever you embed a string within foreign code, you must escape it, according to the rules of that language. For example, if you embed a string in some SQL targeting MySql, you must escape the string with MySql's function for this purpose (<code>mysqli_real_escape_string</code>). (Or, in case of databases, using prepared statements are a better approach, when possible)</p> <p>Another example is HTML: If you embed strings within HTML markup, you must escape it with <a href="http://php.net/manual/function.htmlspecialchars.php" rel="noreferrer"><code>htmlspecialchars</code></a>. This means that every single <code>echo</code> or <code>print</code> statement should use <code>htmlspecialchars</code>.</p> <p>A third example could be shell commands: If you are going to embed strings (Such as arguments) to external commands, and call them with <a href="http://php.net/manual/function.exec.php" rel="noreferrer"><code>exec</code></a>, then you must use <a href="http://php.net/manual/function.escapeshellcmd.php" rel="noreferrer"><code>escapeshellcmd</code></a> and <a href="http://php.net/manual/function.escapeshellarg.php" rel="noreferrer"><code>escapeshellarg</code></a>.</p> <p>And so on and so forth ...</p> <p>The <em>only</em> case where you need to actively filter data, is if you're accepting preformatted input. Eg. if you let your users post HTML markup, that you plan to display on the site. However, you should be wise to avoid this at all cost, since no matter how well you filter it, it will always be a potential security hole.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload