scotty86
Posts posted by scotty86

  1. On 5/9/2020 at 7:58 PM, Ingolme said:

    That's not really a security threat since those characters cannot be used to change the functionality of a query. It will merely change the term you are searching for. It is up to you to escape those characters manually if you are going to use it in a LIKE query.

    If mysqli_real_escape_string actually escaped percentage signs and underscores, a majority of queries would stop working or work incorrectly, as in these examples:

    
    $value = mysqli_real_escape_string($conn, '50%'); // $conn is the open mysqli connection
    SELECT * FROM table WHERE value = '{$value}'
    
    $filename = mysqli_real_escape_string($conn, 'image_file.png');
    SELECT * FROM files WHERE filename = '{$filename}'


    I'm totally with you. I'm not saying these signs should be escaped by these functions, but it should be mentioned in the documentation of these functions, since it can lead to unwanted behavior/vulnerabilities. If I read "function escapes special characters in a string", I assume they are bulletproof against any special character.

  2. Hello,

    concerning pages:

    Just dived a bit deeper into real_escape_string/prepared statements and was a bit shocked: real_escape_string does not escape the percent sign (%) or underscores (_). This is neither mentioned in the PHP documentation nor on the w3schools pages. This could cause vulnerabilities or unwanted behavior.

    A very simplified example (never do this!):

    $username = $mysqli_connection->real_escape_string($_POST["username"]); // $_POST["username"] = "%"
    $mysqli_connection->query("SELECT * FROM creditcards WHERE username LIKE '{$username}'");

    Greetz
    scotty86

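A safer version of the LIKE query from the post above, as an added example that is not code from scotty86's posts or from w3schools: a small helper escapes the wildcards that real_escape_string leaves alone, the pattern is bound through a prepared statement with an explicit ESCAPE clause, and the connection charset is set first (the point raised in post 5 below). The database name, the users table, its columns and the connection details are assumptions.

```php
<?php
// Added example (not from the original posts or w3schools).
// Assumptions: a MySQL database "appdb" with a "users" table (id, username),
// hypothetical connection details, and untrusted input in $_POST['username'].

// Escape the LIKE metacharacters that real_escape_string() leaves untouched.
// The escape character itself is replaced first so it cannot be smuggled in.
function escape_like_pattern(string $value, string $escapeChar = '!'): string
{
    return str_replace(
        [$escapeChar, '%', '_'],
        [$escapeChar . $escapeChar, $escapeChar . '%', $escapeChar . '_'],
        $value
    );
}

$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'appdb');
// Set the connection charset before any escaping or binding happens.
$mysqli->set_charset('utf8mb4');

$username = $_POST['username'] ?? '';   // e.g. "%" or "a_b" sent by the client

// The application adds the only intended wildcard; user-supplied "%" and "_"
// are now literal characters: "%" becomes "!%", "a_b" becomes "a!_b".
$pattern = escape_like_pattern($username) . '%';

// ESCAPE names the character used by the helper above; the pattern is bound
// as a parameter, so quoting and charset handling are left to the driver.
$stmt = $mysqli->prepare(
    "SELECT id, username FROM users WHERE username LIKE ? ESCAPE '!'"
);
$stmt->bind_param('s', $pattern);
$stmt->execute();
$stmt->bind_result($id, $name);

while ($stmt->fetch()) {
    echo "$id: $name\n";
}
$stmt->close();
```

With this, a submitted "%" matches only usernames that start with a literal percent sign instead of every row in the table.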

  3. On 1/29/2020 at 1:15 AM, Ingolme said:

    They don't. There's a "report error" link at the bottom of each page if it has something incorrect or incomplete.

    Wow, I've been using w3schools for ages, I never saw this button and I needed Ctrl+F to find it right now.

    This ol' man needs glasses. 👓

  4. On 5/4/2020 at 7:05 PM, Ingolme said:

    Surprisingly, we get people putting their usernames as a topic title quite frequently. I don't know why.

    *Off-Topic*

    Ok, I'll try to share my retardness.

    1. I went to the forum, to share my suggestion.
    2. I saw a "Start new topic" button and pressed it.
    3. I saw two textboxes (marked as required), a recaptcha and a textarea.
    4. I read email and title...
    5. And here comes the wrong assumption:
      I thought the title was meant to be my nickname, since I assumed that I first had to create a user account (typically a nickname and an email address) and that the textarea was there to let me write my topic already, before forgetting my thought.

    Maybe for knuckleheads like me, it would be better to have the inputs sorted: nickname, email address, captcha, title, tags, textarea.

    Or you automatically ban email addresses of people having the title and their nickname the same. 😉

  5. Hello,

    https://www.w3schools.com/php/php_mysql_prepared_statements.asp says

    Quote

    Prepared statements are very useful against SQL injections.

    That's true, but it might be worth mentioning that setting a charset (e.g. $conn->set_charset("utf8")) is important, since it can make prepared statements vulnerable to injections.

    For an example injection and explanation take a look here: https://stackoverflow.com/a/12202218/1988569

    Stay safe,
    scotty86

  6. Hello,

    I might have found a little mistake here: https://www.w3schools.com/php/func_string_htmlentities.asp

    You state:
    ENT_QUOTES - Encodes double and single quotes

    Which is correct. But in the examples it says:

    <?php
    $str = "My name is Øyvind Åsane. I'm Norwegian.";
    echo htmlentities($str, ENT_QUOTES, "UTF-8"); // Will only convert double quotes (not single quotes), and uses the character-set Western European
    ?>


    ENT_QUOTES must be replaced by ENT_COMPAT?

    Greetz,
    scotty86

  7. Hello,

    first things first: Thank you for your awesome work!

    I came across the following site: https://www.w3schools.com/php/php_form_url_email.asp

    You are validating the URL by regex, that's a good way to learn a bit about these expressions. But PHP also offers a filter for validating URLs.

    if (!filter_var($url, FILTER_VALIDATE_URL)) {
      $urlErr = "Invalid url format";
    }

    Might be worth mentioning.

    Have a nice day and stay healthy,
    scotty86
