+ 1

Is it a security risk to run un-escaped user input through a loop condition?

I want to check if the user's used special characters in a form field or not. I've created some code to check this but I'm not sure if it leaves the database open to injections or whether this is just generally bad practice and there's just a much better way of doing this... https://code.sololearn.com/wgIdk6wgxD4W/?ref=app I'd prefer genuine solutions apposed to work-arounds if possible

sql server-side php mysql security mysqli back-end sql-injections

24th Nov 2018, 4:11 PM

Jacob

5 Answers

+ 1

The answer is yes it is and the built in way to avoid doing this is stype_alnum($input) which returns true if the string only uses alpha-numeric characters

5th Dec 2018, 9:07 AM

Jacob

+ 2

Here's someone else's approach: Change the permissions associated with the user: https://stackoverflow.com/questions/14370670/which-characters-are-actually-capable-of-causing-sql-injection-in-mysql

24th Nov 2018, 10:00 PM

Jonathan Shiell

+ 1

Isaac Pace I did notice that. It's just because playground isn't connected to the mysqli_ api

25th Nov 2018, 2:41 AM

Jacob

At the moment you have an error in your sample code.

24th Nov 2018, 5:37 PM

Isaac Pace

Jonathan Shiell I'm not sure which part of the article you're referring to by "Change the permissions associated with the user" in relation to my question however, you've given me an idea that might work. Maybe I could use some AJAX to prevent the user from post submitting special characters in the first place...

25th Nov 2018, 2:48 AM

Jacob