6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"$10"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","php",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L11",null,{"href":"/discussion/tag/php/1","children":"php"}]}],["$","span","javascript",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L11",null,{"href":"/discussion/tag/javascript/1","children":"javascript"}]}],["$","span","pdo",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L11",null,{"href":"/discussion/tag/pdo/1","children":"pdo"}]}],["$","span","code-injection",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L11",null,{"href":"/discussion/tag/code-injection/1","children":"code-injection"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/814ce68aa0e40b8eb0f403b415e44292?s=256&d=identicon&r=PG&f=y&so-version=2","alt":"Andy Hin","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/396077/andy-hin","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Andy Hin"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",31913]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"PHP And PDO preventing Javascript injection"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

I have a site written in PHP utilizing PDO. I am using the bindParam() function to bind to a sql insert query:

\n\n

(\"insert into Table (id, date, data) VALUES (?, ?, ?)\")\n

\n\n

but I am able to insert a string containing

\n\n

\"<script>window.location=\"google.com\"</script>\"\n

\n\n

How to prevent this?

\n\n

Thanks!!!

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",1]}],["$","p",null,{"children":["Views: ",1481]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",2,")"]}],[["$","div","3714515",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/a2bb034a6b57e2d89cc32a6d6378a170?s=256&d=identicon&r=PG","alt":"shamittomar","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/180136/shamittomar","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"shamittomar"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",46692]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

PDO is not going to stop you do that. You will need to yourself take care of the string:

\n\n

If you do not want <script> tags at all, use strip_tags
If you want those tags but don't want them to execute, then use htmlentities

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",2]}]}]]}],["$","div","3714466",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/10db7c7f4ef21bf6360b824560f85bd0?s=256&d=identicon&r=PG","alt":"Andrew67","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/400663/andrew67","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Andrew67"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",357]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

Assuming you mean

\n\n

<script>window.location=\"google.com\"</script>\n

\n\n

You should worry about injection protection on row display, as you don't want to fill up the database with HTML entities.

\n\n

Use htmlspecialchars()[1] on pages that display what's on the database.

\n\n

[1] http://www.php.net/manual/en/function.htmlspecialchars.php

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",0]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","3295291",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/3295291","className":"text-blue-600 hover:underline","children":"Preventing JavaScript Injections in a PHP Web Application"}]}],["$","li","45359744",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/45359744","className":"text-blue-600 hover:underline","children":"Preventing JavaScript Injection"}]}],["$","li","44994974",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/44994974","className":"text-blue-600 hover:underline","children":"PHP / JAVASCRIPT / Mysql: Preventing javascript injections"}]}],["$","li","44937917",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/44937917","className":"text-blue-600 hover:underline","children":"How do you stop injection in this PHP/PDO"}]}],["$","li","10929047",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/10929047","className":"text-blue-600 hover:underline","children":"How to avoid mysql injections using PDO"}]}],["$","li","30573396",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/30573396","className":"text-blue-600 hover:underline","children":"How to prevent XSS attack (php/pdo)"}]}],["$","li","26499594",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/26499594","className":"text-blue-600 hover:underline","children":"PDO Prepared Statement allows javascript to be executed"}]}],["$","li","22267547",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/22267547","className":"text-blue-600 hover:underline","children":"Php & code injection"}]}],["$","li","18425463",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/18425463","className":"text-blue-600 hover:underline","children":"Prevent form injection with JavaScript?"}]}],["$","li","11805986",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/11805986","className":"text-blue-600 hover:underline","children":"pdo to prevent sql injection"}]}]]}]]}]]}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}],["$","$L16",null,{}]]

PHP And PDO preventing Javascript injection

Answers (2)

Related Questions