
The question refers to a simple Form using the POST method to send data to the server. I am interested in some cases:

1] Data come from a Form Textbox

2] Data come from a Form Listbox

3] Data are used to enter new data in the database

4] Data are used in a query after WHERE to filter out results

Question 1: Is a query safe vs SQL Injections in all combinations of the above cases? If not, what can I do to make sure I did my best in keeping my code as secure as possible?

What makes me sceptical is that I included the $ComparisonB variable in the mysqli query, using prepared statements though.

Question 2: Assuming we sanitize $ComparisonB vs XSS using the following method:

// Escapes a value for insertion into HTML output (text nodes or quoted attributes).
function xssanitize($data, $encoding = 'UTF-8')
{
   return htmlspecialchars($data, ENT_QUOTES | ENT_HTML401, $encoding);
}

Is it sufficient or should I do something more?

I KNOW that "Security is a state of mind", but I would like to learn to do things as properly as possible.

George Eco
    no. your sanitize function is utterly useless for sql injection protection. html escaping has absolutely **NOTHING** to do with sql. it's like putting a bandaid on a bonfire. – Marc B Jun 30 '16 at 14:05
  • XSS is different question than the first. I want to check for both SQL injection AND XSS protection. They say that prepared statements are sufficient vs SQLinjection, is it true? – George Eco Jun 30 '16 at 14:06
  • Thanks for the link on the previous answered question. – George Eco Jun 30 '16 at 14:12
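The following is an added example, not code from the question or its comments. It shows the four cases from the question handled the way the comments describe: every POSTed value (textbox or listbox) is bound as a parameter in a mysqli prepared statement, both for the INSERT and for the WHERE filter, and htmlspecialchars is applied separately at output time. The table `items`, its columns, the connection credentials and the `$_POST` field names are all assumptions made for the example.

```php
<?php
// Added example, not from the original question. Assumes a hypothetical table
// `items` (id, name, category); credentials below are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// Cases 1/2 feeding case 3: the textbox and listbox values are bound as
// parameters, so they never become part of the SQL text the server parses.
function insertItem(mysqli $db, string $name, string $category): int
{
    $stmt = $db->prepare('INSERT INTO items (name, category) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $category);
    $stmt->execute();
    return $stmt->insert_id;
}

// Case 4: a listbox value used after WHERE. The browser can send any string
// for a listbox, so it is bound exactly like the free-text value.
function findItems(mysqli $db, string $category): array
{
    $stmt = $db->prepare('SELECT id, name FROM items WHERE category = ?');
    $stmt->bind_param('s', $category);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Placeholders only cover values. If a listbox chooses a column to sort by,
// that identifier cannot be bound; map it through an allow-list instead.
function orderColumn(string $requested): string
{
    $allowed = ['name' => 'name', 'category' => 'category'];
    return $allowed[$requested] ?? 'name';
}

// XSS is an output-encoding problem: escape each value at the point it is
// written into HTML, independent of what was done when it was stored.
function xssanitize(string $data, string $encoding = 'UTF-8'): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML401, $encoding);
}

$name     = $_POST['name'] ?? '';        // textbox (assumed field name)
$category = $_POST['category'] ?? '';    // listbox (assumed field name)

insertItem($db, $name, $category);
$stmt = $db->prepare('SELECT id, name FROM items WHERE category = ? ORDER BY '
    . orderColumn($_POST['order'] ?? ''));
$stmt->bind_param('s', $category);
$stmt->execute();
foreach ($stmt->get_result()->fetch_all(MYSQLI_ASSOC) as $row) {
    echo '<li>' . xssanitize($row['name']) . '</li>';
}
```

Two points worth checking in code like this: the binding has to cover every user-supplied value, including the ones that arrive from a listbox or hidden field, since the client controls the whole request body; and htmlspecialchars with ENT_QUOTES is the right tool for text nodes and quoted attribute values but not for values placed inside a script block, a URL or an event handler, which need their own context-specific encoding.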

0 Answers