+ 1

Is it a security risk to run un-escaped user input through a loop condition?

I want to check if the user's used special characters in a form field or not. I've created some code to check this but I'm not sure if it leaves the database open to injections or whether this is just generally bad practice and there's just a much better way of doing this... https://code.sololearn.com/wgIdk6wgxD4W/?ref=app I'd prefer genuine solutions apposed to work-arounds if possible

24th Nov 2018, 4:11 PM
Jacob
5 Answers
+ 1
The answer is yes it is and the built in way to avoid doing this is stype_alnum($input) which returns true if the string only uses alpha-numeric characters
5th Dec 2018, 9:07 AM
Jacob
+ 2
Here's someone else's approach: Change the permissions associated with the user: https://stackoverflow.com/questions/14370670/which-characters-are-actually-capable-of-causing-sql-injection-in-mysql
24th Nov 2018, 10:00 PM
Jonathan Shiell
+ 1
Isaac Pace I did notice that. It's just because playground isn't connected to the mysqli_ api
25th Nov 2018, 2:41 AM
Jacob
0
At the moment you have an error in your sample code.
24th Nov 2018, 5:37 PM
Isaac Pace
Isaac Pace - avatar
0
Jonathan Shiell I'm not sure which part of the article you're referring to by "Change the permissions associated with the user" in relation to my question however, you've given me an idea that might work. Maybe I could use some AJAX to prevent the user from post submitting special characters in the first place...
25th Nov 2018, 2:48 AM
Jacob