Does PDO help with protection?
I read the lessons on PDO and did this:
<?php
session_start(); // $_SESSION['email'] is used below
$username = "login";
$password = "password";
$conn = new PDO('mysql:host=localhost;dbname=test_db;charset=utf8', $username, $password);
$pdo_updateText = $conn->prepare('UPDATE users SET text = :text WHERE email = :email');
$pdo_updateText->execute(array(':text' => htmlspecialchars($_GET['text']), ':email' => $_SESSION['email']));
<script>prompt("92923")</script>
PDO only protects against mysql injections, doesn't it?
In this case it is not an SQL injection but XSS (injecting foreign HTML code into the page). You need to protect against XSS in other ways: replace the characters that are dangerous in HTML (angle brackets) with HTML entities.
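The point above, as an added example that is not code from the thread: the prepared statement handles the SQL side, while HTML escaping happens once, at output time. It assumes the pdo_sqlite extension so it runs offline, and uses the question's table and column names (users, email, text).

```php
<?php
declare(strict_types=1);

function store_text(PDO $conn, string $email, string $text): void
{
    // Bound parameters are sent as data, never parsed as SQL, so quotes in
    // $text cannot change the query. The raw text is stored unmodified;
    // escaping for HTML belongs at output, not here.
    $stmt = $conn->prepare('UPDATE users SET text = :text WHERE email = :email');
    $stmt->execute([':text' => $text, ':email' => $email]);
}

function render_text(string $text): string
{
    // Escape right before output for an HTML body or attribute context.
    // ENT_QUOTES also covers single quotes; ENT_SUBSTITUTE avoids returning
    // an empty string on invalid UTF-8, which would silently hide content.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE users (email TEXT PRIMARY KEY, text TEXT)');
$conn->exec("INSERT INTO users (email, text) VALUES ('user@example.com', '')");

// The payload from the question plus a stray quote to show SQL is unaffected.
$payload = '<script>prompt("92923")</script> \' OR 1=1';
store_text($conn, 'user@example.com', $payload);

$stored = $conn->query("SELECT text FROM users WHERE email = 'user@example.com'")
               ->fetchColumn();
if ($stored !== $payload) {
    throw new RuntimeException('text was altered on the way into the database');
}

$html = render_text($stored);
if (strpos($html, '<script>') !== false || strpos($html, '&lt;script&gt;') === false) {
    throw new RuntimeException('output escaping failed');
}
echo "stored:   $stored\n";
echo "rendered: $html\n";
```

Storing raw text and escaping on output also avoids the double-encoding (`&amp;lt;`) you get when htmlspecialchars is applied both on the way in and on the way out.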
It seems to me that the problem here is not when writing the data to the database but when outputting it.
Somewhere htmlspecialchars_decode or something like that gets triggered.
If you look at the database itself, is the data stored with htmlspecialchars already applied, or how?
Is the record in the DB like this?
Or like this?
Run input through a function like this to guard against XSS attacks:
function namefunction($data) {
    foreach ($data as $key => $value) {
        // Recurse into nested arrays and keep the escaped result;
        // without the assignment the recursive call's result would be discarded.
        if (is_array($value)) $data[$key] = namefunction($value);
        else $data[$key] = htmlspecialchars($value);
    }
    return $data;
}
AlikDex gave an exhaustive answer in the reply to the question.
You are confusing database protection and XSS.
Read until you're blue in the face: phpfaq.ru/tech/safety