<p>It's even simpler. Just <code>htmlspecialchars()</code> (with quote style and character set) on user-controlled input is enough. The <code>strip_tags()</code> is only useful if you already want to sanitize data prior to processing/saving in the database, which is often not used in the real world. HTML code doesn't harm in PHP source, but PHP code may do so if you use <code>eval()</code> on non-sanitized user-controlled input or that kind of evil stuff.</p>
<p>This however doesn't save you from <a href="http://en.wikipedia.org/wiki/SQL_injection" rel="nofollow noreferrer">SQL injections</a>, but that's another story.</p>
<p><strong>Update</strong>: to get <em>clean</em> user input from the request to avoid <a href="http://en.wikipedia.org/wiki/Magic_quotes" rel="nofollow noreferrer">magic quotes</a> in user-controlled input, you can use the following function:</p>
<pre><code>// Returns the trimmed string at $array[$index], with magic-quotes slashes
// removed when that setting is on, or $default when the value is absent/empty.
function get_string($array, $index, $default = null) {
    if (isset($array[$index]) &amp;&amp; strlen($value = trim($array[$index])) &gt; 0) {
        return get_magic_quotes_gpc() ? stripslashes($value) : $value;
    } else {
        return $default;
    }
}
</code></pre>
<p>which can be used as:</p>
<pre><code>$username = get_string($_POST, "username");
$password = get_string($_POST, "password");
</code></pre>
<p>(you can do similar for <code>get_number</code>, <code>get_boolean</code>, <code>get_array</code>, etc)</p>
<p>To prepare the SQL query to avoid <a href="http://unixwiz.net/techtips/sql-injection.html" rel="nofollow noreferrer">SQL injections</a>, do:</p>
<pre><code>// Escape each value for the MySQL connection before splicing it into the query
$sql = sprintf(
    "SELECT id FROM user WHERE username = '%s' AND password = MD5('%s')",
    mysql_real_escape_string($username),
    mysql_real_escape_string($password)
);
</code></pre>
<p>To display user-controlled input to avoid XSS, do:</p>
<pre><code>echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
</code></pre>
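<p>The same login lookup and output escaping, written as an added example (not code from the answer above) with a PDO prepared statement in place of <code>mysql_real_escape_string()</code>/<code>sprintf()</code>, so user input is bound as a parameter and never spliced into SQL text. It assumes a PDO connection <code>$pdo</code> and a <code>user</code> table with <code>id</code>, <code>username</code> and a <code>password_hash</code> column holding <code>password_hash()</code> output (the answer's <code>MD5(password)</code> column is replaced by that assumption).</p>

```php
<?php
// Added example, not from the original answer. Assumes a PDO connection
// and a `user` table with `id`, `username` and `password_hash` columns.
declare(strict_types=1);

// Trimmed string from a request array, or $default when absent/empty.
// Magic quotes no longer exist in supported PHP versions, so no
// stripslashes() round-trip is needed here.
function get_string(array $array, string $index, ?string $default = null): ?string
{
    if (!isset($array[$index]) || !is_string($array[$index])) {
        return $default;
    }
    $value = trim($array[$index]);
    return $value !== '' ? $value : $default;
}

// Returns the user id on a successful login, null otherwise. The username
// is bound as a parameter, so quotes or SQL syntax inside it are just data.
function find_user_id(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Escape once, at output time, for HTML body or attribute context.
function h(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Request handling (connection parameters are placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
]);
$username = get_string($_POST, 'username');
$password = get_string($_POST, 'password');
if ($username !== null && $password !== null) {
    $id = find_user_id($pdo, $username, $password);
    echo $id === null ? 'Login failed' : 'Welcome, ' . h($username);
}
```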