PHP
Edward, 2016-09-01 01:44:32

Does PDO help for protection?

I read the lessons on PDO and did this

session_start();                      // $_SESSION['email'] is read below
$username = "login";
$password = "password";
$conn = new PDO('mysql:host=localhost;dbname=test_db;charset=utf8', $username, $password);
$pdo_updateText = $conn->prepare('UPDATE users SET text = :text WHERE email = :email');
// The text is escaped with htmlspecialchars on the way into the database.
$pdo_updateText->execute(array(':text' => htmlspecialchars($_GET['text']), ':email' => $_SESSION['email']));

So some hacker showed up in the database as [email protected] and started writing a JS-type script into the text field, i.e. $_GET['text']. Well, I have a page where I see all the texts from users, and this JS code gets executed there. How so? PDO only protects against MySQL injections, doesn't it? What is wrong in the code, can you help?
<script> code prompt("92923") code</script>


5 answer(s)
Nazar Mokrinsky, 2016-09-01
@nazarpc

PDO only protects against mysql injections, doesn't it?

Quite right. Prepared statements (not PDO) are used to safely insert data into the database. And if the data itself is not safe, that is a completely different issue and is solved with completely different tools.

SagePtr, 2016-09-01
@SagePtr

In this case it is not an SQL injection but XSS (injecting foreign HTML into the page). You need to protect yourself from XSS by other means: replace the characters that are dangerous in HTML (angle brackets) with HTML entities.

Alyosha, 2016-09-01
@peredozo

It seems to me that the problem here is not when writing the data to the database but when outputting it.
Somewhere an htmlspecialchars_decode is triggered, or something like that.
If you look at the database itself, is the data stored there with htmlspecialchars already applied, or how?
Is the record in the DB like this?
Or like this?
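
To make the split the answers above describe concrete (the prepared statement protects the storage step, escaping protects the output step), here is an added example that is not code from the thread. It uses PDO against an in-memory SQLite database instead of the poster's MySQL one, and the table, the victim row and the attacker input are all constructed inline so it runs offline.

```php
<?php
// Added example, not code from the thread. Uses PDO with an in-memory SQLite
// database (the poster used MySQL; the SQL here is portable) and constructs
// its own table, row and attacker input so it runs offline.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, text TEXT)');
    $pdo->exec("INSERT INTO users (email, text) VALUES ('victim@example.com', 'hello')");
    return $pdo;
}

// Escape for an HTML text or attribute context. Call this at output time only.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo = openDb();

// Constructed attacker input: tries to break out of an SQL string literal
// and carries the script tag from the question.
$payload = "x'); DROP TABLE users; --<script>prompt(\"92923\")</script>";

// 1. Storage. The prepared statement sends $payload as a parameter, so the
//    quote never becomes SQL syntax: the table survives and the text is stored
//    verbatim. This is all a prepared statement promises.
$stmt = $pdo->prepare('UPDATE users SET text = :text WHERE email = :email');
$stmt->execute([':text' => $payload, ':email' => 'victim@example.com']);

$stored = $pdo->query("SELECT text FROM users WHERE email = 'victim@example.com'")
              ->fetchColumn();
echo 'stored verbatim: ', var_export($stored === $payload, true), PHP_EOL;

// 2. Output. Whether the browser runs the script is decided here, not in step 1.
$unsafe = '<td>' . $stored . '</td>';      // the <script> tag reaches the browser: XSS
$safe   = '<td>' . e($stored) . '</td>';   // angle brackets become entities, shown as text
echo 'unsafe markup: ', $unsafe, PHP_EOL;
echo 'safe markup:   ', $safe, PHP_EOL;

// 3. The trap suggested in the thread: escaping on input and then decoding on
//    output (a template calling htmlspecialchars_decode, for instance) puts the
//    tag back. Storing raw text and escaping exactly once, on output, avoids it.
$escapedOnInput  = e($payload);
$decodedOnOutput = htmlspecialchars_decode($escapedOnInput, ENT_QUOTES | ENT_HTML5);
echo 'decode on output restores the tag: ', var_export($decodedOnOutput === $payload, true), PHP_EOL;
```

Two practical notes. Keep the charset in the MySQL DSN as the poster did (`charset=utf8`), because PDO's emulated prepares escape parameters client-side using that charset. And `htmlspecialchars` covers HTML text and quoted-attribute contexts only; a value placed inside a JavaScript string, a URL or a CSS rule needs encoding for that context instead.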

gomer1726, 2016-09-01
@gomer1726

Passing input through this function is an XSS attack

function namefunction($data) {
    foreach ($data as $key => $value) {
        // Recurse into nested arrays; the result must be assigned back,
        // otherwise nested values are returned unescaped.
        if (is_array($value)) $data[$key] = namefunction($value);
        else $data[$key] = htmlspecialchars($value);
    }
    return $data;
}

trevoga_su, 2016-09-02
@trevoga_su

AlikDex gave an exhaustive answer in the comments to the question:
you are confusing database protection with XSS.
Read it until you're blue in the face: phpfaq.ru/tech/safety
