I have a $_GET parameter, and users are able to send the $_GET string to MySQL, so a quick question:
Is this query:

```php
mysql_query("SELECT XX FROM ZZ WHERE YY %LIKE% " . htmlspecialchars($_GET['string']) . ";");
```

enough to be safe? Or should I add something more than htmlspecialchars() to be safe?
Thank you in advance for all replies.
Solution
Unsafe.
Trivial example data that even shows htmlspecialchars doing "its thing" -- it's just the wrong "thing":

```text
1;DROP TABLE all_your_precious_data--&
```
Happy coding.
Solution: Use placeholders as per PDO or mysqli (or use mysql_real_escape_string if you wish to keep promoting outdated practices...)
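To make the accepted answer concrete, here is the same LIKE lookup written with placeholders, first via PDO and then via mysqli. This is an added example, not code from the question or the answer; the table and column names are the question's placeholders, and the host, database name and credentials are assumed placeholders. It also handles the caveat that `%` and `_` typed by the user are LIKE wildcards, which a placeholder alone does not neutralise.

```php
<?php
// Added example: parameterised LIKE search with PDO and mysqli.
// Connection details below are placeholders, not real values.

// For contrast, the string-building approach from the question. htmlspecialchars()
// is an HTML encoder, not an SQL escaper: ';', '--', spaces and parentheses pass
// through untouched, and the original query does not even quote the value, so the
// answer's "1;DROP TABLE ..." input arrives at MySQL as SQL syntax.
function unsafeLikeSql(string $userInput): string
{
    return "SELECT XX FROM ZZ WHERE YY LIKE " . htmlspecialchars($userInput);
}

// Build a LIKE pattern in which the user's text is matched literally.
// '%' and '_' in the term would otherwise act as wildcards; addcslashes()
// prefixes them (and a literal backslash) with a backslash, which the
// queries below declare as the escape character via ESCAPE.
function likePattern(string $term): string
{
    return '%' . addcslashes($term, '%_\\') . '%';
}

// PDO: the SQL text holds only a '?' placeholder; the value is sent
// separately to the server, so it can never be parsed as SQL.
function searchWithPdo(PDO $pdo, string $term): array
{
    // In the PHP double-quoted string, '\\\\' becomes '\\', which MySQL reads
    // as a single backslash escape character.
    $stmt = $pdo->prepare("SELECT XX FROM ZZ WHERE YY LIKE ? ESCAPE '\\\\'");
    $stmt->execute([likePattern($term)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// mysqli: same idea using bind_param(); 's' marks a string parameter.
// get_result() requires the mysqlnd driver, which is the default build.
function searchWithMysqli(mysqli $db, string $term): array
{
    $stmt = $db->prepare("SELECT XX FROM ZZ WHERE YY LIKE ? ESCAPE '\\\\'");
    $pattern = likePattern($term);     // bind_param() needs a variable, not an expression
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage with placeholder connection details.
$pdo = new PDO(
    'mysql:host=db.example.invalid;dbname=placeholder_db;charset=utf8mb4',
    'placeholder_user',
    'placeholder_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
    ]
);
$rows = searchWithPdo($pdo, $_GET['string'] ?? '');
```

With this in place, the answer's `1;DROP TABLE all_your_precious_data--&` input is simply searched for as literal text: the server compiled the statement before the value arrived, so nothing in the value can change the statement's structure. Disabling emulated prepares is worth doing for MySQL so that the separation happens on the server rather than as client-side escaping in the PDO driver.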