RudyM

Hi all,

I'll be working on a project that basically takes a UID and displays basic user info like courses taken. Seems simple, but I'd like to read suggestions as to how to best tackle this. I would like to protect against possible XSS attacks and SQL injections. Any suggestions? I have the option of developing in a LAMP setup and a Windows Server 2012/MSSQL.

What I've thought so far, in the LAMP:

  • PHP page (e.g., main_page.php) that will read the GET value, escape any weird characters, and run query from an imported script file (e.g., require('my_db.inc');) .
  • PHP script, my_db.inc, that will contain database connection info and functions to execute queries.
  • The data returned to main_page.php will be displayed in a table.

Thanks in advance!

-Rudy.

To defend against SQL injections make sure you're using prepare() for all of your database queries.

RudyM

@hericles, how's something like:

<?php
  $servername = "localhost";
  $username = "db_user";
  $password = "password123";
  $dbname = "mydb";

  // Throw on errors and use real server-side prepared statements (no client-side emulation).
  $conn = new PDO("mysql:host=$servername;dbname=$dbname;charset=utf8mb4", $username, $password, array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
  ));

  $lname = "%LEE%";

  // The LIKE pattern is bound as a parameter; it is never concatenated into the SQL text.
  $sql = $conn->prepare("select * from students where lname like ?");

  $sql->execute(array($lname));

  $res = $sql->fetchAll();

  foreach($res as $r)
  {
    // Escape before output so row data cannot inject markup into the page.
    echo htmlspecialchars(print_r($r, true), ENT_QUOTES, 'UTF-8');
    echo "<BR><BR>";
  }

?>
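Putting the two pieces of advice in the thread together (bind the query parameter, escape at output), here is an added example of the main_page.php described in the first post; it is not RudyM's or hericles' code. It assumes a `students` table with columns `uid`, `fname`, `lname` and `course`, which is a made-up schema for the example.

```php
<?php
// main_page.php: read ?uid=..., query with a prepared statement, render an escaped table.
// Assumed schema (not from the thread): students(uid, fname, lname, course).
declare(strict_types=1);

$servername = "localhost";
$username   = "db_user";
$password   = "password123";
$dbname     = "mydb";

// Throw on errors, use server-side prepared statements, fetch associative arrays.
$conn = new PDO(
    "mysql:host=$servername;dbname=$dbname;charset=utf8mb4",
    $username,
    $password,
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Validate the untrusted GET value before it goes anywhere near the query.
$uid = filter_input(INPUT_GET, 'uid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($uid === false || $uid === null) {
    http_response_code(400);
    exit('Missing or invalid uid');
}

// The uid is bound as a parameter; it is never concatenated into the SQL text.
$stmt = $conn->prepare("SELECT fname, lname, course FROM students WHERE uid = ?");
$stmt->execute([$uid]);
$rows = $stmt->fetchAll();

// Escape once, at output time, so a stored value such as "<script>" renders as text.
function h(?string $s): string {
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo "<table>\n<tr><th>First</th><th>Last</th><th>Course</th></tr>\n";
foreach ($rows as $r) {
    echo '<tr><td>' . h($r['fname']) . '</td><td>' . h($r['lname'])
       . '</td><td>' . h($r['course']) . '</td></tr>' . "\n";
}
echo "</table>\n";
```

Validating the uid as an integer is defence in depth: the prepared statement already keeps it out of the SQL text, and the escaping at output is what covers the XSS side of the question.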
