hello everyone, back with another problem
so I was using ezSQL for parsing my database queries but found it is hackable pretty easily because it doesn't use prepared statements
here is the demo code which gives problems
PHP Code:
// Original post: the value is run through ezSQL's escape() and then concatenated into the SQL string.
// The INSERT was written as pseudocode in the post; table and column names here are assumed.
$message = isset($_POST['message']) ? $db->escape($_POST['message']) : "";
$db->query("INSERT INTO messages (message) VALUES ('$message')");
HTML Code:
<!-- method="post" added so that $_POST['message'] is actually populated -->
<form method="post"> <textarea name="message"></textarea> <button>submit</button> </form>
so if I type
HTML Code:
<script>alert('hacked');</script>
in the text area, it shows an alert in the browser and the query is also inserted in the database
now it is fixable with PDO or MySQLi prepared statements but I have some other questions
prepared statements are good for query, update or delete stuff but when using count(*) it's quite useless because I have to count all rows after querying every row from the database
can anybody guide me what I'm doing wrong here?
first, I used that database class and I know real_escape_string is useless
second, I want to use prepared statements but they are overloading for some stuff
what is a good way to sanitize _POST data before inserting it into the database?
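As an added example (not the poster's code), the same message form handled with PDO prepared statements, including a prepared COUNT(*) that lets the database return the count directly, plus escaping at output time so the stored script is shown as text rather than executed. It assumes a `messages` table with a `message` column and uses an in-memory SQLite database so it runs stand-alone:

```php
<?php
// Added example, not the original post's code. Table `messages` and
// column `message` are assumed; SQLite in memory keeps the demo offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT NOT NULL)');

function insertMessage(PDO $pdo, string $message): void {
    // The value travels separately from the SQL text, so quotes, comment
    // markers or anything else in $message cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO messages (message) VALUES (:message)');
    $stmt->execute([':message' => $message]);
}

function countMessages(PDO $pdo, string $needle): int {
    // COUNT(*) works with a prepared statement like any other query: the
    // database does the counting and returns one number, so nothing has
    // to be fetched row by row and counted in PHP.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM messages WHERE message LIKE :needle');
    $stmt->execute([':needle' => '%' . $needle . '%']);
    return (int) $stmt->fetchColumn();
}

function renderMessage(string $message): string {
    // The alert in the post is an output problem, not a storage problem:
    // store the raw text, escape it when it is written into HTML.
    return htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: the same payload as in the post, plus a value
// with a single quote that would break naive string concatenation.
$_POST['message'] = "<script>alert('hacked');</script>";
$message = isset($_POST['message']) ? (string) $_POST['message'] : '';

insertMessage($pdo, $message);
insertMessage($pdo, "it's a normal message");

echo renderMessage($message), "\n";       // rendered as literal text in the browser
echo countMessages($pdo, 'script'), "\n"; // count computed by the database
```

Sanitizing before insert is the wrong layer: the prepared statement protects the query, and `htmlspecialchars` at output protects the page, so the stored data stays exactly what the user typed.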