
Hi all,

I'll be working on a project that basically takes a UID and displays basic user info like courses taken. Seems simple, but I'd like to read suggestions as to how to best tackle this. I would like to protect against possible XSS attacks and SQL injections. Any suggestions? I have the option of developing in a LAMP setup and a Windows Server 2012/MSSQL.

What I've thought so far, in the LAMP:

  • PHP page (e.g., main_page.php) that will read the GET value, escape any weird characters, and run a query from an imported script file (e.g., require('my_db.inc');).
  • PHP script, my_db.inc, that will contain database connection info and functions to execute queries.
  • The data returned to main_page.php will be displayed in a table.

Thanks in advance!

-Rudy.

Edited by RudyM: Clarity.

3 contributors, 3 replies, 30 views, discussion span 1 year, last post by jacks009.

To defend against SQL injections make sure you're using prepare() for all of your database queries.


@hericles, how's something like:

<?php
  $servername = "localhost";
  $username = "db_user";
  $password = "password123";
  $dbname = "mydb";

  // Throw on errors so a failed prepare/execute is not silently ignored.
  $conn = new PDO("mysql:host=$servername;dbname=$dbname;charset=utf8mb4", $username, $password,
                  array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

  $lname = "%LEE%";

  // Bound parameter: the value is sent separately and never becomes part of the SQL text.
  $sql = $conn->prepare("select * from students where lname like ?");

  $sql->execute(array($lname));

  $res = $sql->fetchAll(PDO::FETCH_ASSOC);

  foreach($res as $r)
  {
    // Escape every value on output; print_r() of the raw row would reflect stored HTML unescaped.
    foreach ($r as $col => $val) {
      echo htmlspecialchars($col, ENT_QUOTES, 'UTF-8') . ": "
         . htmlspecialchars((string) $val, ENT_QUOTES, 'UTF-8') . "<br>";
    }
    echo "<br><br>";
  }

?>

Edited by RudyM: Directed at user
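The two-file design from the first post (main_page.php reading a GET value, helpers from my_db.inc, results in a table), with the prepare() advice applied and the output escaped against XSS, as an added example that is not code from this thread. The `students`/`courses` tables, their columns, the UID format and the credentials are all assumed; the `db_connect()`, `courses_for_uid()`, `h()`, `read_uid()` and `render_table()` functions are names chosen for this example. The helper section is what would live in my_db.inc.

```php
<?php
// Added example, not from the thread. Assumed schema (constructed):
//   students(uid, fname, lname)   courses(uid, course_code, title)

declare(strict_types=1);

// --- my_db.inc part: connection and query helpers ---------------------------

function db_connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=mydb;charset=utf8mb4';
    return new PDO($dsn, 'db_user', 'password123', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never run on silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// User input reaches the query only as a bound parameter, never by string
// concatenation, so it cannot change the structure of the SQL statement.
function courses_for_uid(PDO $pdo, string $uid): array
{
    $stmt = $pdo->prepare(
        'SELECT s.uid, s.fname, s.lname, c.course_code, c.title
           FROM students s
           JOIN courses  c ON c.uid = s.uid
          WHERE s.uid = :uid
       ORDER BY c.course_code'
    );
    $stmt->execute([':uid' => $uid]);
    return $stmt->fetchAll();
}

// --- main_page.php part: validate input, query, render ----------------------

// HTML-escape for body/attribute context. This is the XSS defence, applied at
// output time to every value that came from the request or the database.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allow-list validation of the GET value (assumed UID format: 1-12 alphanumerics).
// Bad input is rejected up front; escaping is for output, validation for input.
function read_uid(array $get): ?string
{
    $uid = $get['uid'] ?? '';
    return preg_match('/\A[A-Za-z0-9]{1,12}\z/', $uid) === 1 ? $uid : null;
}

function render_table(array $rows): string
{
    if ($rows === []) {
        return "<p>No courses found.</p>\n";
    }
    $html = "<table>\n<tr><th>UID</th><th>Name</th><th>Course</th><th>Title</th></tr>\n";
    foreach ($rows as $r) {
        $html .= '<tr>'
            . '<td>' . h($r['uid']) . '</td>'
            . '<td>' . h($r['fname'] . ' ' . $r['lname']) . '</td>'
            . '<td>' . h($r['course_code']) . '</td>'
            . '<td>' . h($r['title']) . '</td>'
            . "</tr>\n";
    }
    return $html . "</table>\n";
}

header('Content-Type: text/html; charset=UTF-8');

$uid = read_uid($_GET);
if ($uid === null) {
    http_response_code(400);
    echo "<p>Invalid UID.</p>\n";
    exit;
}

try {
    echo render_table(courses_for_uid(db_connect(), $uid));
} catch (PDOException $e) {
    // Log the driver message server-side; never echo it to the browser.
    error_log($e->getMessage());
    http_response_code(500);
    echo "<p>Database error.</p>\n";
}
```

The same code runs against the Windows Server 2012/MSSQL option by switching the DSN to the pdo_sqlsrv form (`sqlsrv:Server=localhost;Database=mydb`); the prepared statement and the output escaping do not depend on the database engine. Note that the two defences are separate: the bound parameter stops injection no matter what the UID contains, and `h()` stops XSS no matter what is stored in the table, so neither one relies on the input "looking clean".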
