
I have a site written in PHP utilizing PDO. I am using the bindParam() function to bind to a SQL insert query:

("insert into Table (id, date, data) VALUES (?, ?, ?)")

but I am able to insert a string containing

"<script>window.location="google.com"</script>"

How to prevent this?

Thanks!!!

shamittomar
asked Sep 15, 2010 at 3:26

2 Answers

PDO is not going to stop you doing that. You will need to take care of the string yourself:

  1. If you do not want <script> tags at all, use strip_tags
  2. If you want those tags but don't want them to execute, then use htmlentities
answered Sep 15, 2010 at 3:43

Assuming you mean

<script>window.location="google.com"</script>

You should worry about injection protection on row display, as you don't want to fill up the database with HTML entities.

Use htmlspecialchars()[1] on pages that display what's on the database.

[1] http://www.php.net/manual/en/function.htmlspecialchars.php

answered Sep 15, 2010 at 3:31

2 Comments

What do you mean? Shouldn't I prevent these from going into the DB in the first place?
Well you can either filter on input to DB or filter on output to browser, just make sure you don't filter twice. My preference at the moment is to filter on output so as not to have the DB littered with HTML entities.
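The following is an added example written for this page, not code posted by the asker or either answerer. It demonstrates the point both answers make: a PDO prepared statement keeps the bound value out of the SQL grammar, so the INSERT is safe from SQL injection, but the script tag is stored exactly as sent and must be dealt with either before the insert (first answer: strip_tags()/htmlentities()) or when the row is rendered (second answer: htmlspecialchars()). The in-memory SQLite database, the column values and the helper name h() are assumptions for the sake of a runnable script; the table layout follows the query in the question.

```php
<?php
// Added example (not from the question or either answer). Assumes an
// in-memory SQLite database so it runs stand-alone; the site's real DSN
// and data are not given on the page.

// Constructed sample input in the shape described in the question.
$untrusted = '<script>window.location="google.com"</script>';

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE "Table" (id INTEGER PRIMARY KEY, date TEXT, data TEXT)');

// The prepared statement from the question. Binding the value means it can
// never be parsed as SQL, whatever characters it contains...
$stmt = $pdo->prepare('INSERT INTO "Table" (id, date, data) VALUES (?, ?, ?)');
$stmt->bindValue(1, 1, PDO::PARAM_INT);
$stmt->bindValue(2, '2010-09-15', PDO::PARAM_STR);
$stmt->bindValue(3, $untrusted, PDO::PARAM_STR);
$stmt->execute();

// ...but PDO does no HTML filtering: the stored value is byte-for-byte
// what was submitted.
$row = $pdo->query('SELECT data FROM "Table" WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
var_dump($row['data'] === $untrusted);

// Second answer's approach: escape on output, every time a DB value is
// placed into HTML. ENT_QUOTES also escapes single quotes, which matters
// inside attributes; the charset argument must match the page's encoding.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo '<td>' . h($row['data']) . "</td>\n";

// First answer's alternatives, applied to the input before the INSERT:
// strip_tags() removes the markup entirely, htmlentities() stores it
// already escaped. Use one layer or the other, not both.
echo strip_tags($untrusted), "\n";
echo htmlentities($untrusted, ENT_QUOTES, 'UTF-8'), "\n";
```

Running this prints bool(true) for the comparison, showing that the raw script tag survived the prepared statement untouched. The h() wrapper is the output-side filter the second answer recommends; if the input-side filter from the first answer is also applied, the same text gets escaped twice and users see literal &amp;lt; sequences, which is the double-filtering the comment above warns against.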
