#16
Contributing User (Devshed Newbie, 0 - 499 posts)
Join Date: Jun 2012 | Posts: 156 | Rep Power: 13
I am reading the following articles, as I am guessing they are what I need to read up on and that they relate to what I am doing:

Don't insert raw values into query strings.

Don't output raw values or insert them into the HTML page.
#17
Devshed Expert (3500 - 3999 posts)
Join Date: Jul 2012 | Posts: 3,957 | Rep Power: 1046
    Originally Posted by ianhaney
    I am reading the following articles as am guessing they are what I need
    Yes, those are the articles you'll need.

    And I see you've taken the form offline. That's a good start.
The 6 worst sins of security • How to (properly) access a MySQL database with PHP

Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#18
Contributing User (Devshed Newbie, 0 - 499 posts)
Join Date: Jun 2012 | Posts: 156 | Rep Power: 13
Cool, lol. Yeah, I will learn what needs to be done first and will test it on localhost first, and once it is all working I will put it all back online.
#19
Contributing User (Devshed Newbie, 0 - 499 posts)
Join Date: Jun 2012 | Posts: 156 | Rep Power: 13
Sorry, quick one.

Just reading this line:

    $database = new PDO('mysql:host=localhost;dbname=YOURDB;charset=utf8', 'YOURUSER', 'YOURPW', $db_options); // important! specify the character encoding in the DSN string, don't use SET NAMES

I take it the DSN string is the following, and it also says not to use SET NAMES. I guess you mean not to use the real dbname, hostname and password? So how can it be encoded so it is not using SET NAMES, or do you explain that in the article?

    $database = new PDO('mysql:host=localhost;dbname=YOURDB;charset=utf8', 'YOURUSER', 'YOURPW', $db_options);
#20
Devshed Expert (3500 - 3999 posts)
Join Date: Jul 2012 | Posts: 3,957 | Rep Power: 1046
    All you need to do is replace the placeholders "YOURDB", "YOURUSER" etc. with your real data.

    The DSN string is the database configuration string starting with "mysql:...". If you want to set the character encoding of the connection, then you must do it in this string using the charset option. You must not use a SET NAMES query. Many bad tutorials suggest this, but it again can make your database code vulnerable to SQL injections.
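The connection setup the reply above describes, as an added example (not code from the thread or from the linked article): the character set goes in the DSN rather than in a SET NAMES query, and form values reach the SQL and the HTML only through prepared-statement parameters and output escaping. "YOURDB", "YOURUSER", "YOURPW" and the table `contact_messages` are placeholders, not anything from the page.

```php
<?php
// Added example, not code from the linked article or the thread's posters.
// Placeholders: YOURDB, YOURUSER, YOURPW, and the table contact_messages.

$db_options = [
    // Throw on errors instead of silently returning false.
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepared statements, so values are never
    // spliced into the SQL text by the client library.
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
];

// charset=utf8 in the DSN sets the connection charset for both the client
// library and the server. A "SET NAMES utf8" query only tells the server and
// leaves the client library's idea of the encoding out of sync, which is why
// the reply above warns against it.
$database = new PDO(
    'mysql:host=localhost;dbname=YOURDB;charset=utf8',
    'YOURUSER', 'YOURPW', $db_options
);

// Rule 1 from the article: never insert raw values into the query string.
// The SQL contains only named placeholders; the data is sent separately.
function saveContact(PDO $database, string $name, string $message): int
{
    $stmt = $database->prepare(
        'INSERT INTO contact_messages (name, message) VALUES (:name, :message)'
    );
    $stmt->execute([':name' => $name, ':message' => $message]);
    return (int) $database->lastInsertId();
}

// Rule 2 from the article: never output raw values into the HTML page.
function renderMessage(array $row): string
{
    $name    = htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $message = htmlspecialchars($row['message'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p><strong>{$name}</strong>: {$message}</p>";
}

// Constructed form input: the apostrophe and the markup are stored verbatim,
// but neither can alter the SQL statement or be interpreted as HTML.
$id   = saveContact($database, "O'Brien", '<b>hello</b> & goodbye');
$stmt = $database->prepare('SELECT name, message FROM contact_messages WHERE id = :id');
$stmt->execute([':id' => $id]);
echo renderMessage($stmt->fetch());
```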