
Apologies in advance, kinda a noob at this:

I wrote a search function for my site and I've noticed some peculiar searches:

'>"<svg/onload=confirm('search')>

and

'nvOpzp; AND 1=1 OR (<'">iKO)),

From what I gather these are injection attempts. I send my search box contents to the server via an AJAX call. The MySQL database is then searched via PHP's prepared mysqli statements. A formatted HTML string is returned to the user. I don't expose any database information (db name, tables, cols, etc.) in the JavaScript.

Is there any chance something malicious was injected?
Is there any way to tell if something was injected? (nothing looks off in my database)
Am I protecting myself enough with prepared statements?

BrettOC
  • Prepared statements protect against SQL injection if you use them correctly. HTML-encoding should be used when outputting any of this back into a web page, to guard against XSS. We obviously can't see the relevant code, only your description of it, so it's very difficult to assess. – ADyson Apr 19 '23 at 18:48
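The endpoint described in the question, written out as an added example (this is not the asker's code): the search text is bound as a parameter to a LIKE query, so neither probe string reaches MySQL as SQL, and everything echoed back is HTML-encoded, so the `<svg/onload=...>` payload renders as inert text. The table name `products`, its columns, the `q` request field and the connection details are all assumptions for the example.

```php
<?php
// Added example, not the original poster's code.
// Assumed: a table `products` with columns `id`, `name`, `description`,
// and an AJAX request that POSTs the search text as `q`.
declare(strict_types=1);

// Throw on any mysqli error instead of silently continuing with no result.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'shop'); // assumed credentials
$db->set_charset('utf8mb4');

$q = $_POST['q'] ?? '';
if (!is_string($q) || $q === '' || strlen($q) > 200) {
    http_response_code(400);
    exit('bad query');
}

// The user's text is bound as DATA, never concatenated into the SQL text.
// 'nvOpzp; AND 1=1 OR (<'">iKO)),  therefore arrives as a plain string that
// simply matches nothing; it cannot change the query's structure.
// LIKE wildcards in the input are escaped so a "%" cannot widen the search.
$pattern = '%' . addcslashes($q, '%_\\') . '%';
$stmt = $db->prepare(
    'SELECT id, name, description FROM products'
    . ' WHERE name LIKE ? OR description LIKE ? LIMIT 50'
);
$stmt->bind_param('ss', $pattern, $pattern);
$stmt->execute();
$stmt->bind_result($id, $name, $description);

// Output encoding: every value placed into HTML goes through this, whether it
// came from the database or straight from the request.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

header('Content-Type: text/html; charset=utf-8');
// '>"<svg/onload=confirm('search')> echoed here becomes
// &#039;&gt;&quot;&lt;svg/onload=confirm(&#039;search&#039;)&gt; : visible text, no script.
echo '<p>Results for ' . h($q) . '</p>';
echo '<ul class="results">';
while ($stmt->fetch()) {
    echo '<li><a href="/item/' . (int) $id . '">' . h($name) . '</a> '
        . h($description) . '</li>';
}
echo '</ul>';
$stmt->close();
```

Two things worth checking against the real code: that the search text is only ever passed to `bind_param` (a prepared statement built with string concatenation gives no protection), and that the JavaScript side inserts the returned HTML as-is rather than re-wrapping values it pulls out of it without encoding. Whether such a request did anything is answered by the web server or application log for that request (status code, response size, timing), not by the database contents, which is why nothing looks off there.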

0 Answers