Except where otherwise noted, the contents of this presentation are Copyright 2009 Marty Stepp, Jessica Miller, and Kevin Wallace.
HTML injection: a flaw where a user is able to inject arbitrary HTML content (including <script> code) into your page, because a request parameter is echoed back into the HTML without escaping. Examples:
results.php?name=<blink>lololol</blink>
onlinebanking.php?text=<script>transferMoneyTo("Evil Kevin", 1000, "USD");</script>
The second example runs in the browser of whoever views the page, with that visitor's logged-in session.
The htmlspecialchars function escapes the HTML metacharacters &, <, >, and " (and ' when called with ENT_QUOTES, the default since PHP 8.1), so the browser displays them as text instead of interpreting them as markup:
<?= htmlspecialchars($username) ?>
Pass ENT_QUOTES when the value lands inside a single-quoted attribute; without it, an apostrophe in the input can close the attribute and start a new one.
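The same rendering problem and fix, as an added example that is not part of the slides: Python's html.escape() plays the role of htmlspecialchars (quote=False corresponds to the default in PHP before 8.1, quote=True to ENT_QUOTES). The template strings, the page payloads, and the attribute payload are constructed for the demo; they are not code from the course.

```python
import html

# Constructed sample inputs mirroring the slide's URLs (not taken from the page's code).
PAYLOAD_BLINK = "<blink>lololol</blink>"
PAYLOAD_SCRIPT = '<script>transferMoneyTo("Evil Kevin", 1000, "USD");</script>'
# Breaks out of a single-quoted attribute; needs no < or > at all.
PAYLOAD_ATTR = "x' onmouseover='alert(1)"


def render_results_vulnerable(name: str) -> str:
    """results.php as on the slide: the parameter is pasted straight into the page."""
    return f"<h1>Results for {name}</h1>"


def render_results_safe(name: str) -> str:
    """html.escape() turns & < > \" ' into entities, like htmlspecialchars($s, ENT_QUOTES)."""
    return f"<h1>Results for {html.escape(name)}</h1>"


def render_attr_escaped_no_quotes(value: str) -> str:
    """Escapes only & < > (quote=False), like htmlspecialchars() without ENT_QUOTES.
    A single-quoted attribute is still injectable."""
    return f"<input type='text' value='{html.escape(value, quote=False)}'>"


def render_attr_escaped_quotes(value: str) -> str:
    """Escapes quotes too (quote=True, html.escape's default), like ENT_QUOTES."""
    return f"<input type='text' value='{html.escape(value, quote=True)}'>"


def count_tags(page: str) -> int:
    """Number of '<' characters reaching the browser: a crude check for whether
    user input added markup beyond the tags the template itself contains."""
    return page.count("<")


if __name__ == "__main__":
    print(render_results_vulnerable(PAYLOAD_BLINK))
    print(render_results_safe(PAYLOAD_BLINK))
    print(render_attr_escaped_no_quotes(PAYLOAD_ATTR))
    print(render_attr_escaped_quotes(PAYLOAD_ATTR))
```

The attribute case is the one the ENT_QUOTES caveat is about: with quotes left alone the payload never uses < or >, yet it closes the value attribute and adds an event handler.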
SQL injection: a flaw where the user is able to inject arbitrary SQL commands into your query, because the query string is built by concatenating unescaped request parameters.
Vulnerable query, built by pasting the request parameters into the SQL string:
$query = "SELECT name, ssn, dob FROM users
          WHERE username = '$username' AND password = '$password'";
If the attacker submits ' OR '1'='1 as the password, the quote closes the password literal and the query becomes:
$query = "SELECT name, ssn, dob FROM users
          WHERE username = '$username' AND password = '' OR '1'='1'";
AND binds tighter than OR, so the WHERE clause is true for every row and the login succeeds without knowing any password.
The mysql_real_escape_string function escapes the quote and backslash characters that would otherwise terminate a string literal:
$username = mysql_real_escape_string($_REQUEST["username"]);
$password = mysql_real_escape_string($_REQUEST["password"]);
$query = "SELECT name, ssn, dob FROM users
          WHERE username = '$username' AND password = '$password'";
Two caveats: escaping only protects values placed inside quoted string literals (an unquoted numeric context such as WHERE id = $id stays injectable), and the mysql extension, including mysql_real_escape_string, was removed in PHP 7. Current code should bind the values as parameters of a prepared statement (mysqli or PDO) instead of escaping and concatenating.
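The injection, the escaping fix, and its limit, as an added example that is not part of the slides. It uses Python with an in-memory SQLite database so it runs stand-alone; the users table, its two rows, and the sql_escape helper (quote doubling, standing in for mysql_real_escape_string) are constructed for the demo. The login functions use the slide's query; the id lookups go beyond the slide to show the numeric-context case where escaping cannot help.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the slide's users table
    (plaintext passwords only because the slide's query compares them directly)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT,"
        " name TEXT, ssn TEXT, dob TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, name, ssn, dob) VALUES (?, ?, ?, ?, ?)",
        [
            ("alice", "hunter2", "Alice A.", "000-00-0001", "1990-01-01"),
            ("bob", "s3cret", "Bob B.", "000-00-0002", "1985-05-05"),
        ],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The slide's query, built by pasting the request parameters into the SQL."""
    query = (
        "SELECT name, ssn, dob FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def sql_escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string(): in SQLite (and standard SQL) a quote
    inside a string literal is written as two quotes. Only meaningful inside '...'."""
    return value.replace("'", "''")


def login_escaped(conn, username: str, password: str) -> list:
    """The slide's fix: escape each value before concatenating it into a quoted literal."""
    query = (
        "SELECT name, ssn, dob FROM users "
        f"WHERE username = '{sql_escape(username)}' AND password = '{sql_escape(password)}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username: str, password: str) -> list:
    """Prepared statement: the values are bound separately and never parsed as SQL."""
    return conn.execute(
        "SELECT name, ssn, dob FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def lookup_escaped_numeric(conn, user_id: str) -> list:
    """Escaping does nothing in an unquoted numeric context: there is no quote to escape."""
    query = f"SELECT name FROM users WHERE id = {sql_escape(user_id)}"
    return conn.execute(query).fetchall()


def lookup_parameterized_numeric(conn, user_id: str) -> list:
    """Validate the type, then bind it; input that is not an integer matches nothing."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "nobody", attack))
    print("escaped:", login_escaped(db, "nobody", attack))
    print("parameterized:", login_parameterized(db, "nobody", attack))
    print("numeric, escaped:", lookup_escaped_numeric(db, "1 OR 1=1"))
    print("numeric, parameterized:", lookup_parameterized_numeric(db, "1 OR 1=1"))
```

Running it shows the vulnerable login returning every user for the ' OR '1'='1 password, both fixes returning nothing, and then the escaped id lookup returning every user for 1 OR 1=1 while the bound version returns nothing: escaping is tied to the quoting context, binding is not.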