I have a site written in PHP utilizing PDO. I am using the bindParam() function to bind to a sql insert query:

("insert into Table (id, date, data) VALUES (?, ?, ?)")

but I am able to insert a string containing

"<script>window.location="google.com"</script>"

How to prevent this?

Thanks!!!

2 Answers

PDO is not going to stop you doing that. You will need to take care of the string yourself:

  1. If you do not want <script> tags at all, use strip_tags
  2. If you want those tags but don't want them to execute, then use htmlentities

Assuming you mean

<script>window.location="google.com"</script>

You should worry about injection protection on row display, as you don't want to fill up the database with HTML entities.

Use htmlspecialchars()[1] on pages that display what's on the database.

[1] http://www.php.net/manual/en/function.htmlspecialchars.php

2 Comments

What do you mean? Shouldn't I prevent these from going into the DB in the first place?
Well, you can either filter on input to the DB or filter on output to the browser; just make sure you don't filter twice. My preference at the moment is to filter on output so as not to have the DB littered with HTML entities.
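The two approaches from the answers above side by side, as an added example that is not code from the question or from either answer. It assumes a SQLite in-memory database and a table named "Table" with the three columns from the question's INSERT; the row values and the payload are constructed. The point it makes concrete is that the prepared statement protects the SQL grammar only: the stored bytes are untouched, so the HTML has to be dealt with either before the INSERT (first answer) or when the row is rendered (second answer).

```php
<?php
// Added example: PDO stores exactly what it is given; the HTML problem is
// handled separately, on input (strip_tags / htmlentities) or on output
// (htmlspecialchars). Assumes SQLite and a constructed table "Table".
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// "Table" is a keyword in SQLite, so the identifier is quoted here.
$pdo->exec('CREATE TABLE "Table" (id INTEGER PRIMARY KEY, date TEXT, data TEXT)');

// Constructed payload, the same string the question reports being inserted.
$id   = 1;
$date = '2012-01-01';
$data = '<script>window.location="google.com"</script>';

// Binding the values keeps them out of the SQL grammar (no SQL injection),
// but PDO has no notion of HTML: the script tag is stored as-is.
$stmt = $pdo->prepare('INSERT INTO "Table" (id, date, data) VALUES (?, ?, ?)');
$stmt->bindParam(1, $id, PDO::PARAM_INT);
$stmt->bindParam(2, $date);
$stmt->bindParam(3, $data);
$stmt->execute();

// Option A (first answer): sanitise on input, before the INSERT.
// strip_tags removes the <script> tags but keeps their inner text;
// htmlentities keeps the markup and neutralises it. Both change what is stored.
$stripped = strip_tags($data);
$entities = htmlentities($data, ENT_QUOTES, 'UTF-8');

// Option B (second answer): store the raw value and escape at the output
// boundary. ENT_QUOTES also escapes ' and " so the result is safe inside
// attribute values, not just between tags; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function render(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$row = $pdo->query('SELECT data FROM "Table" WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo '<td>' . render($row['data']) . "</td>\n";

// The "don't filter twice" point from the comments: escaping a value that was
// already stored as entities turns &lt; into &amp;lt;, and the page then shows
// the entity text literally instead of the original character.
echo render($entities), "\n";
```

With option B the stored row still contains a literal `<script>` tag, but `render()` turns `<` into `&lt;`, `>` into `&gt;` and `"` into `&quot;`, so the browser displays the text rather than executing it. Whichever option is chosen, it has to be applied exactly once per value: escaping on both input and output produces the double-encoded output the last `echo` illustrates.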
