PHP
GoodPirojok, 2020-09-11 07:31:45

Are prepared statements and checks for special characters enough for protection?

Hello!

If the server uses prepared queries and htmlspecialchars, is this enough to be sure that nothing will happen to the database and that users will not be able to get a malicious script out of the database?

And what is the difference between a whitelist and prepared queries? In general, is a whitelist even needed if, in fact, a prepared query rules out any manipulation of the database from outside that is not provided for in the developer's code?


2 answer(s)
FanatPHP, 2020-09-11

Well, that's a jumble.
- Prepared queries protect the data (i.e. numbers and strings) passed to the query. If your data is passed to all queries without exception through parameters, then you are protected.
- A whitelist is needed in order to protect field names or keywords, if there is a need to add them to the query dynamically.
That is, these two approaches protect different parts of the query, and together they guarantee protection.
And htmlspecialchars has nothing to do with the database at all.

cicatrix, 2020-09-11

To protect against SQL injection, you need to make sure that the data from the client (namely data, not just user input, because nothing prevents the web request from being made by unusual means) is never passed to the server directly, but is always escaped. Values are never passed directly into the query, only through parameters.
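An added example, not code from either answer, that puts the pieces named in both answers into one PHP/PDO script: bound parameters for values from any client source (FanatPHP's first point and cicatrix's "data, not just user input"), a whitelist for the identifiers and keywords that cannot be bound (the second point), and htmlspecialchars applied only where data is rendered as HTML (the third). It assumes the pdo_sqlite extension and uses an in-memory SQLite table seeded with constructed rows so it runs offline; the function and constant names are my own, not from any library.

```php
<?php
declare(strict_types=1);

// Constructed demo database: in-memory SQLite (pdo_sqlite extension assumed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares where the driver supports them

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$seed = $pdo->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
foreach ([
    ['alice', 'alice@example.com'],
    ['bob',   'bob@example.com'],
    ['<script>alert(1)</script>', 'evil@example.com'], // constructed row: a script tag stored as plain data
] as $row) {
    $seed->execute($row);
}

// 1. Values go through bound parameters, never into the SQL text.
//    It does not matter whether $name came from a form, a cookie or a header.
function findUsersByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Identifiers and keywords cannot be bound, so they must come from a whitelist.
const SORTABLE_COLUMNS = ['id', 'name', 'email'];
const SORT_DIRECTIONS  = ['ASC', 'DESC'];

function listUsersSorted(PDO $pdo, string $column, string $direction): array
{
    if (!in_array($column, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("Unsortable column: $column");
    }
    $direction = strtoupper($direction);
    if (!in_array($direction, SORT_DIRECTIONS, true)) {
        throw new InvalidArgumentException("Bad sort direction: $direction");
    }
    // Only the whitelisted literal reaches the SQL text; the caller's raw string never does.
    $sql = sprintf('SELECT id, name, email FROM users ORDER BY "%s" %s', $column, $direction);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. htmlspecialchars belongs at the HTML output boundary, not anywhere near the database.
function renderUserRow(array $user): string
{
    return sprintf(
        "<tr><td>%s</td><td>%s</td></tr>\n",
        htmlspecialchars($user['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        htmlspecialchars($user['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
    );
}

// A value that looks like SQL is just a string once it is bound: no row has that literal name.
var_dump(findUsersByName($pdo, "' OR 1=1 --"));

// A column name the developer did not provide for is rejected before any SQL is built.
try {
    listUsersSorted($pdo, 'name; DROP TABLE users', 'ASC');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

// The stored script tag comes back from the database unchanged and is neutralised only on output.
foreach (listUsersSorted($pdo, 'name', 'desc') as $user) {
    echo renderUserRow($user);
}
```

The three functions fail in different ways on purpose: a bound value that looks like SQL simply matches nothing, a non-whitelisted identifier throws before a query exists, and the script tag in the third row is stored verbatim and only becomes `&lt;script&gt;` in the rendered table. That separation is the point of the answers: parameters and the whitelist protect the query, htmlspecialchars protects the HTML page, and none of them substitutes for another.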
