+ 1
Is it a security risk to run un-escaped user input through a loop condition?
I want to check if the user's used special characters in a form field or not. I've created some code to check this, but I'm not sure if it leaves the database open to injections, or whether this is just generally bad practice and there's a much better way of doing this... https://code.sololearn.com/wgIdk6wgxD4W/?ref=app I'd prefer genuine solutions as opposed to work-arounds if possible.
5 Answers
+ 1
The answer is yes, it is, and the built-in way to avoid doing this is ctype_alnum($input), which returns true if the string only uses alphanumeric characters.
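As an added example (not the asker's code, nor the answerer's), this is how a ctype_alnum() check sits next to a mysqli prepared statement, so the value reaches the database only as a bound parameter; the `users` table and its columns are assumptions:

```php
<?php
// Added example, not from the original post. Table and column names
// (users, id, username) are assumptions.

function field_is_alnum(string $input): bool
{
    // ctype_alnum() returns false for the empty string and for any byte
    // outside [A-Za-z0-9], so quotes, semicolons, dashes, etc. are rejected.
    return ctype_alnum($input);
}

function find_user(mysqli $db, string $username): ?array
{
    if (!field_is_alnum($username)) {
        return null; // reject before the value gets anywhere near the query
    }
    // Prepared statement: the SQL text is fixed and the value is sent
    // separately, so it cannot alter the query even if the check above
    // were ever bypassed or relaxed.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed sample inputs exercising only the validation step
foreach (['alice42', "alice' OR '1'='1", '', 'bob_smith'] as $sample) {
    printf("%-20s -> %s\n", var_export($sample, true),
        field_is_alnum($sample) ? 'accepted' : 'rejected');
}
```

The ctype_alnum() check is a whitelist on the field's content; the bound parameter is what keeps the query's structure fixed, and the two are independent.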
+ 2
Here's someone else's approach: Change the permissions associated with the user: https://stackoverflow.com/questions/14370670/which-characters-are-actually-capable-of-causing-sql-injection-in-mysql
+ 1
Isaac Pace, I did notice that. It's just because the playground isn't connected to the mysqli API.
0
At the moment you have an error in your sample code.
0
Jonathan Shiell, I'm not sure which part of the article you're referring to by "Change the permissions associated with the user" in relation to my question; however, you've given me an idea that might work. Maybe I could use some AJAX to prevent the user from submitting special characters in the first place...