scotty86 (Members): 8 posts, 0 reputation, rank Newbie (1/7)

  1. I'm totally with you. I'm not saying these signs should be escaped by these functions, but it should be mentioned in the documentation of these functions, since it can lead to unwanted behavior/vulnerabilities. If I read "function escapes special characters in a string", I assume they are bulletproof against any special character.
  2. Hello, concerning pages:
     https://www.w3schools.com/php/func_mysqli_real_escape_string.asp
     https://www.w3schools.com/php/php_mysql_prepared_statements.asp
     Just dived a bit deeper into real_escape_string/prepared statements and was a bit shocked. real_escape_string does not escape the percentage sign (%) and underscores (_). This is neither mentioned in the PHP documentation nor within the w3schools pages. This could cause vulnerabilities or unwanted behavior. A very simplified example (never do this!):

         $username = $mysqli_connection->real_escape_string($_POST["username"]); // $_POST["username"] = "%"
         $mysqli_connection->query("SELECT * FROM creditcards WHERE username LIKE '{$username}'");

     Greetz scotty86
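Added example illustrating the post above (my code, not scotty86's and not from w3schools): escaping for a quoted SQL string literal and escaping for a LIKE pattern are two different jobs, and only the second one neutralises % and _. The helper names are mine, demoRealEscapeString is an offline stand-in for the real mysqli method, and the users table, column and $mysqli connection in the last function are placeholders.

```php
<?php
declare(strict_types=1);

// Escape the LIKE metacharacters (% and _) and the escape character itself so
// that untrusted input matches literally inside a LIKE pattern. MySQL's default
// LIKE escape character is the backslash; the ESCAPE clause below makes it explicit.
function escapeLikeWildcards(string $value, string $escape = '\\'): string
{
    return addcslashes($value, '%_' . $escape);
}

// Build a "starts with" pattern: the only wildcard left is the one we append.
function startsWithPattern(string $untrusted): string
{
    return escapeLikeWildcards($untrusted) . '%';
}

// Offline stand-in for mysqli::real_escape_string (constructed for this demo;
// the real method also depends on the connection charset). It touches only the
// characters that matter inside a quoted SQL string literal.
function demoRealEscapeString(string $s): string
{
    return strtr($s, [
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"',
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
    ]);
}

// Bind the wildcard-escaped value as a parameter of a prepared statement.
// $mysqli is a placeholder connection; table and column names are assumed.
function findUsersStartingWith(mysqli $mysqli, string $untrusted): array
{
    $sql = <<<'SQL'
    SELECT id, username FROM users WHERE username LIKE ? ESCAPE '\\'
    SQL;
    $pattern = startsWithPattern($untrusted);
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$input = 'ad%_in';                       // constructed input containing both wildcards
echo demoRealEscapeString($input), "\n"; // ad%_in    (wildcards untouched, as the post says)
echo startsWithPattern($input), "\n";    // ad\%\_in% (wildcards now literal; trailing % is ours)
```

The point to take away: a prepared statement stops the input from breaking out of the string literal, but it does not change what % and _ mean to LIKE, so the wildcard escaping is needed even when parameters are bound.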
  3. Wow, I've been using w3schools for ages, I never saw this button and I needed Ctrl+F to find it right now. This ol' man needs glasses. 👓
  4. *Off-Topic* Ok, I'll try to share my retardness. I went to the forum to share my suggestion. I saw a "Start new topic" button and pressed it. I saw two textboxes (marked as required), a recaptcha and a textarea. I read email and title... And here comes the wrong assumption: I thought title was meant to be my nickname, since I assumed that I first have to create a user account (typically a nickname and an email address) and that the textarea should help me to write my topic already, before forgetting my thought. Maybe for knuckleheads like me, it would be better to have the inputs sorted: nickname, email address, captcha, title, tags, textarea. Or you automatically ban email addresses of people having the title and their nickname the same. 😉
  5. Hello, https://www.w3schools.com/php/php_mysql_prepared_statements.asp says That's true, but it might be worth mentioning that setting a charset (e.g. $conn->set_charset("utf8")) is important, since it can make prepared statements vulnerable to injections. For an example injection and explanation take a look here: https://stackoverflow.com/a/12202218/1988569 Stay safe, scotty86
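Added example of the connection set-up the post above recommends (my code, not scotty86's and not from w3schools): the charset is set through set_charset() before any escaping or prepared statement runs, and a small report function lets you confirm that client library and server agree. Host, user, password and database values are placeholders; I use utf8mb4 where the post writes utf8, the mechanism is the same.

```php
<?php
declare(strict_types=1);

// Open a mysqli connection and fix the charset on both the client library and
// the server. Connection parameters are placeholders supplied by the caller.
function connectWithCharset(string $host, string $user, string $pass, string $db): mysqli
{
    $conn = new mysqli($host, $user, $pass, $db);
    if ($conn->connect_error) {
        throw new RuntimeException('Connection failed: ' . $conn->connect_error);
    }

    // set_charset() informs the client library as well as the server, so
    // real_escape_string() and bound parameters use the same encoding rules.
    // Sending "SET NAMES utf8mb4" through query() changes only the server side,
    // which is the weak pattern the linked answer warns about.
    if (!$conn->set_charset('utf8mb4')) {
        throw new RuntimeException('Could not set charset: ' . $conn->error);
    }
    return $conn;
}

// Self-check to run against a real connection: both sides should report utf8mb4.
function charsetReport(mysqli $conn): array
{
    $client = $conn->character_set_name();
    $row    = $conn->query('SELECT @@session.character_set_connection AS cs')->fetch_assoc();
    $server = $row['cs'] ?? '';
    return [
        'client'     => $client,
        'server'     => $server,
        'consistent' => $client === $server,
    ];
}

// Usage (placeholders; expect ['client' => 'utf8mb4', 'server' => 'utf8mb4', 'consistent' => true]):
// $conn = connectWithCharset('localhost', 'dbuser', 'dbpass', 'app');
// print_r(charsetReport($conn));
```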
  6. Hello, I might have found a little mistake here: https://www.w3schools.com/php/func_string_htmlentities.asp You state: ENT_QUOTES - Encodes double and single quotes. Which is correct. But in the examples it says:

         <?php
         $str = "My name is Øyvind Åsane. I'm Norwegian.";
         echo htmlentities($str, ENT_QUOTES, "UTF-8");
         // Will only convert double quotes (not single quotes), and uses the character-set Western European
         ?>

     ENT_QUOTES must be replaced by ENT_COMPAT? Greetz, scotty86
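Added example showing the difference the flags make (my code, not scotty86's and not the w3schools example): the same string encoded with ENT_NOQUOTES, ENT_COMPAT and ENT_QUOTES, plus an attribute encoder that always uses ENT_QUOTES. The sample string is constructed to contain both kinds of quotes and a non-ASCII letter; the function names are mine.

```php
<?php
declare(strict_types=1);

// Encode with an explicit quote flag; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string, ENT_HTML401 picks the
// numeric form &#039; for the single quote.
function encodeWithFlag(string $s, int $quoteFlag): string
{
    return htmlentities($s, $quoteFlag | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Encoder for a value placed inside an HTML attribute: both quote kinds are
// encoded, so the result is safe whether the attribute is single- or double-quoted.
function encodeForAttribute(string $s): string
{
    return encodeWithFlag($s, ENT_QUOTES);
}

$str = "Øyvind's \"test\"";                     // constructed sample
echo encodeWithFlag($str, ENT_NOQUOTES), "\n"; // &Oslash;yvind's "test"
echo encodeWithFlag($str, ENT_COMPAT), "\n";   // &Oslash;yvind's &quot;test&quot;
echo encodeWithFlag($str, ENT_QUOTES), "\n";   // &Oslash;yvind&#039;s &quot;test&quot;

// Why ENT_COMPAT is not enough here: a single-quoted attribute ends at the first raw '.
echo "<input value='" . encodeForAttribute($str) . "'>\n";
```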
  7. Sorry, I have not paid enough attention and messed up the topic 😇 I couldn't find an option to edit it. Please update it to something like "PHP Forms - Validate URL"
  8. Hello, first things first: Thank you for your awesome work! I came across the following site: https://www.w3schools.com/php/php_form_url_email.asp You are validating the URL by regex, that's a good way to learn a bit about these expressions. But PHP also offers a filter for validating URLs.

         if (!filter_var($url, FILTER_VALIDATE_URL)) {
           $urlErr = "Invalid url format";
         }

     Might be worth mentioning. Have a nice day and stay healthy, scotty86
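Added example building on the post above (my code, not scotty86's and not from w3schools): filter_var() with FILTER_VALIDATE_URL does the syntax check, but it accepts any scheme that has a host (ftp:, for instance) and schemes such as mailto: that need none, so a form handler still has to restrict the scheme. The function name, error message for the scheme case and the sample inputs are mine; the "Invalid url format" message is the one from the post.

```php
<?php
declare(strict_types=1);

// Validate a user-supplied link for a form. Returns null when the URL is
// acceptable, otherwise the error message to show next to the field.
function validateHttpUrl(string $url): ?string
{
    // Syntax check only: a scheme is required, and a host is required for all
    // schemes except mailto, news and file.
    $clean = filter_var($url, FILTER_VALIDATE_URL);
    if ($clean === false) {
        return 'Invalid url format';
    }

    // Restrict to web links; without this, ftp:, mailto: and similar pass.
    $scheme = strtolower((string) parse_url($clean, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return 'Only http and https links are allowed';
    }
    return null;
}

// Constructed samples covering the valid case and the two rejection paths.
$samples = [
    'https://www.w3schools.com/php/',   // ok
    'www.w3schools.com',                // no scheme: rejected by filter_var
    'ftp://example.com/file',           // well-formed, but not a web scheme
    'mailto:someone@example.com',       // accepted by filter_var, wrong scheme
];
foreach ($samples as $s) {
    echo $s, ' => ', validateHttpUrl($s) ?? 'ok', "\n";
}
```

In the w3schools form handler this replaces the regex test: assign the return value to $urlErr when it is not null and keep the rest of the validation flow unchanged.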