Member Avatar

Hi all,

I'll be working on a project that basically takes a UID and displays basic user info like courses taken. Seems simple, but I'd like to read suggestions as to how to best tackle this. I would like to protect against possible XSS attacks and SQL injections. Any suggestions? I have the option of developing in a LAMP setup and a Windows Server 2012/MSSQL.

What I've thought so far, in the LAMP:

  • PHP page (e.g., main_page.php) that will read the GET value, escape any weird characters, and run query from an imported script file (e.g., require('');) .
  • PHP script,, that will contain database connection info and functions to execute queries.
  • The data returned to main_page.php will be displayed in a table.

Thanks in advance!


Recommended Answers

All 3 Replies

To defend against SQL injections make sure you're using prepare() for all of your database queries.

Member Avatar

@hericles, how's something like:

  $servername = "localhost";
  $username = "db_user";
  $password = "password123";
  $dbname = "mydb";

  $conn = new PDO("mysql:host=$servername;dbname=$dbname",$username,$password);

  $lname = "%LEE%";

  $sql = $conn->prepare("select * from students where lname like ?");


  $res = $sql->fetchAll();

  foreach($res as $r)
    echo "<BR><BR>";


technology depend on understand and use brief.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, learning, and sharing knowledge.