Hi all,

I'll be working on a project that basically takes a UID and displays basic user info like courses taken. Seems simple, but I'd like to read suggestions as to how to best tackle this. I would like to protect against possible XSS attacks and SQL injections. Any suggestions? I have the option of developing in a LAMP setup and a Windows Server 2012/MSSQL.

What I've thought so far, in the LAMP:

  • PHP page (e.g., main_page.php) that will read the GET value, escape any weird characters, and run a query from an imported script file (e.g., require('my_db.inc');).
  • PHP script, my_db.inc, that will contain database connection info and functions to execute queries.
  • The data returned to main_page.php will be displayed in a table.

Thanks in advance!


Edited by RudyM: Clarity.

2 Years
Discussion Span
Last Post by jacks009

To defend against SQL injections make sure you're using prepare() for all of your database queries.
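Putting the three-step plan from the first post together with the prepare() advice above, here is an added example (not code from either poster) of what main_page.php could look like when everything is in one file. The table names and columns (students, courses with uid, course_code, title), the credentials, and the helper names get_connection(), courses_for_uid() and h() are all assumptions; in the poster's layout the first two functions would live in my_db.inc and be pulled in with require('my_db.inc'). The point it shows is that the UID is validated as an integer and bound as a parameter (so it never enters the SQL text), and that every value is escaped with htmlspecialchars at output time rather than "escaping weird characters" on the way in.

```php
<?php
// Added example, not the original poster's code.
// Assumed schema: students(uid, fname, lname), courses(uid, course_code, title).
// get_connection() and courses_for_uid() would normally sit in my_db.inc.

declare(strict_types=1);

function get_connection(): PDO
{
    // Constructed credentials; replace with your own.
    $dsn  = 'mysql:host=localhost;dbname=mydb;charset=utf8mb4';
    $opts = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    return new PDO($dsn, 'db_user', 'password123', $opts);
}

// The UID only ever travels as a bound parameter, never inside the SQL string.
function courses_for_uid(PDO $conn, int $uid): array
{
    $stmt = $conn->prepare(
        'SELECT c.course_code, c.title
           FROM courses c
          WHERE c.uid = :uid
          ORDER BY c.course_code'
    );
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Escape once, at output time, for every value that lands in HTML.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

header('Content-Type: text/html; charset=UTF-8');

// Validate the GET value as a positive integer; anything else is rejected
// before any query runs. filter_input() gives null when uid is absent and
// false when it is present but not a valid integer.
$uid = filter_input(INPUT_GET, 'uid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($uid === false || $uid === null) {
    http_response_code(400);
    echo '<p>Invalid or missing uid.</p>';
    exit;
}

try {
    $rows = courses_for_uid(get_connection(), $uid);
} catch (PDOException $e) {
    // Log the detail server-side; never echo driver messages to the browser.
    error_log('DB error: ' . $e->getMessage());
    http_response_code(500);
    echo '<p>Database error.</p>';
    exit;
}

echo '<table><tr><th>Code</th><th>Title</th></tr>';
foreach ($rows as $r) {
    echo '<tr><td>' . h($r['course_code']) . '</td><td>' . h($r['title']) . '</td></tr>';
}
echo '</table>';
```

Requesting main_page.php?uid=42 runs the prepared query with 42 bound as an integer; a request like main_page.php?uid=abc never reaches the database and gets a 400. Because the escaping happens in h() at output time, data that was already stored in the table (a surname containing < or ", say) is rendered as text rather than interpreted as markup.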


@hericles, how's something like:

  <?php
  $servername = "localhost";
  $username = "db_user";
  $password = "password123";
  $dbname = "mydb";

  $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
  // Throw exceptions on errors instead of failing silently
  $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

  $lname = "%LEE%";

  // The ? placeholder keeps the value out of the SQL text; it is bound at execute()
  $sql = $conn->prepare("select * from students where lname like ?");
  $sql->execute([$lname]);

  $res = $sql->fetchAll(PDO::FETCH_ASSOC);

  foreach ($res as $r) {
      // Escape on output so stored data cannot inject HTML or script
      echo htmlspecialchars($r['lname'], ENT_QUOTES, 'UTF-8') . "<BR><BR>";
  }


Edited by RudyM: Directed at user
