{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 家丑人穷心不美 的问题《Does htmlspecialchars protect this MySQL query?》','https://www.manongdao.com/q-1076347.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I got a $_GET and users are able to send the $_GET string to the MySQL, so quick question:
Is this query:
mysql_query("SELECT XX FROM ZZ WHERE YY %LIKE% " . htmlspecialchars($_get['string']) . ";");
enough to be safe? or I should add something more than htmlspecialchars() to be safe?
Thank you in advance for all replies.
Unsafe.
Trivial example data that even shows htmlspecialchars doing "it's thing" -- it's just the wrong "thing".
Happy coding.
Solution: Use placeholders as per PDO or mysqli (or use
mysql_real_escape_stringif you wish to keep promoting outdated practices...)See Best way to stop SQL injection in PHP and Prevent injection SQL with PHP and Can SQL injection be prevented with just addslashes?
It's probably unsafe, and you'd better use mysql_real_escape_string.
htmlspecialcharshas nothing to do with MySQL. It's for escaping HTML special characters, characters that have special meaning when evaultated as HTML. You should use it before you write untrusted data to the browser, not to the database.You need to remove
htmlspecialcharsentirely, and usemysql_real_escape_string, or better yet, PDO.