
Notice: I am using prepared statements in my real code; this is a general question.

If a user entered... Robert');DROP TABLE users;-- ... or something similar, when would the code drop my user table?

  1. At variable initiation?
$username = $_POST['username'];
  2. When the input is inserted into the table?
$sql = "INSERT INTO users (username) VALUES ($username);";
  3. When the input is called from the database back into the website?
echo $_GET['username'];

I want to know when/if I should be using functions like mysqli_real_escape_string or htmlspecialchars.

Any feedback/criticism is welcome. Thank you.

Cole
  • Don't escape your data, always use prepared statements. https://bobby-tables.com/php – Jason K Jul 10 '19 at 19:17
  • Prepared statements are for data going into the database to prevent data manipulation, such as dropping tables, adding extra users, etc. htmlspecialchars is for data coming back out, to prevent XSS attacks. – aynber Jul 10 '19 at 19:19
  • Could you give an example for how this code should be written? – Cole Jul 11 '19 at 20:24
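The three steps from the question and the split the comments describe (prepared statements for data going in, htmlspecialchars for data coming out), as an added example that is not part of the original post or comments. It assumes Python with an in-memory SQLite database in place of PHP/MySQL, executescript() in place of a multi-statement query function such as mysqli_multi_query() (plain mysqli_query() refuses a second statement), and html.escape() in place of htmlspecialchars().

```python
import html
import sqlite3

# Constructed sample input: the payload from the question.
BOBBY = "Robert');DROP TABLE users;--"


def fresh_db() -> sqlite3.Connection:
    """Return an in-memory database with an empty users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    return conn


def users_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def insert_by_concatenation(conn, username: str) -> None:
    # Step 2 from the question: the raw string becomes part of the SQL text, so its
    # quote and semicolon are parsed as SQL, not as data. executescript() runs
    # every statement in the string, as mysqli_multi_query() would in PHP.
    conn.executescript(f"INSERT INTO users (username) VALUES ('{username}');")


def insert_prepared(conn, username: str) -> None:
    # The value is bound separately from the SQL text; the database never parses
    # it as SQL, so it is stored verbatim, quote and semicolon included.
    conn.execute("INSERT INTO users (username) VALUES (?)", (username,))


def render_html(username: str) -> str:
    # Step 3 from the question is a different context: the stored string is written
    # into HTML, so html.escape() (htmlspecialchars() in PHP) is what applies here.
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


def demo_concatenation() -> bool:
    """False: the users table is gone after the concatenated insert."""
    conn = fresh_db()
    insert_by_concatenation(conn, BOBBY)  # step 1 (plain assignment) did nothing
    return users_table_exists(conn)


def demo_prepared():
    """Returns (users table still exists, value actually stored)."""
    conn = fresh_db()
    insert_prepared(conn, BOBBY)
    stored = conn.execute("SELECT username FROM users").fetchone()[0]
    return users_table_exists(conn), stored
```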
