Block javascript and sql-injection attack on the same string

5

I'm receiving data from a form in php via get.

I am handling the information as follows:

$search = mysql_real_escape_string(htmlspecialchars($_GET["t"], ENT_QUOTES, 'UTF-8'));

With this I intend to block attacks by javascript and sql-injection.

The questions are:

  • Is it the best way to block these two types of attacks?
  • htmlspecialchars could somehow negate the effectiveness of the mysql_real_escape_string function?

I have read a lot of topics about these subjects, but each one says one thing and it is not always possible to check whether the information is reliable or not.

    
asked by anonymous 12.04.2014 / 18:13

2 answers

1

PDO or mysqli are best for checking this. Check out Avoid SQL Injection using Prepared Statements in PHP .

Another factor is that mysql_ is deprecated in newer versions of PHP.

Very important in recovery, instead of using $_GET or $_POST , use filter_input() .

    
12.04.2014 / 18:26
1
Protecting against XSS and SQL injection at the same time can be a very complicated task and potentially with many catchy mice that only someone with expertise in DOM and SQL may have the idea of risk. Against SQLi, the documentation is full, but consider the following situations where javascript can be executed:

Properties such as onload, onclick, onblur (...) allow to execute javascript

  

13.04.2014 / 22:13