I'll take this a step further and suggest he completely disconnect the server from any network.

Based on the no capitalization, no punctuation nature of your post, I suggest you stick to static HTML pages with no javascript, database connections, or anything else besides html & images, hosted on a provider that handles all server maintenance for you.
Probably the #1 rule of thumb: Or at least rather important...
Don't trust user data.
That means ANY data that comes from the browser or any remote connection.
For example, you have a form with 4 options in a radio set called poll, let's just say A, B, C and D to be simple. You don't just take the value of $_POST['poll'] and throw it in the database. Nothing stops the user from sending something completely different. Then there's SQL injection. You want to ensure you escape special characters like quotes.
That's just scratching the surface. Stuff like the user agent and referrer are other examples of user data.
Oh and cookies. That's often overlooked.
Yeah but for someone just learning or for a very simple script it possibly would just be direct SQL queries being used, so it's still good to know what to do if submitting them that way.
No, it's better to learn to do it right.
I guess most online tutorials/reference are wrong then.
Actually that code you pointed out is not vulnerable. It is something I originally considered and for some reason that I don't recall I encoded it in numerical values instead of escaping. Not the most efficient way but it worked till I could revisit it. TBH I did not even know about parameterized queries till now, had to google it, no tutorial I've read ever even mentioned it. There are however tutorials on it specifically but you have to know to actually look for it. So yeah I could have used that but did not know it even existed 3 years ago when I wrote the code.
I also noticed you were stalking me on quite a few websites, but, that's another topic that I don't want to throw in this thread.
I just saw everyone was being rude to OP so offered some basic help.
res = m_connector.Query(String.Format("SET character_set_client = utf8;CREATE TABLE `{1}serializeobjects{0}` (`o_serial` bigint(20) unsigned NOT NULL, `o_subtype` varchar(255) NOT NULL, `o_data` longtext NOT NULL, PRIMARY KEY (`o_serial`)) ENGINE=MyISAM DEFAULT CHARSET=latin1;",i,prefix));
public int SaveDataEntry(SqlDataEntry entry,bool alreadyindb)
{
    ...
    if(entry.IsBlank())
    {
        queryret = Query(String.Format("DELETE FROM serializeobjects{0} WHERE o_serial='{1}' LIMIT 1;",entry.GetContainerId(),entry.GetSerial()));
    }
    else if(alreadyindb)
    {
        queryret = Query(String.Format("UPDATE serializeobjects{0} set o_subtype='{1}', o_data='{2}' WHERE o_serial='{3}'",entry.GetContainerId(),entry.GetSubType(),entry.GetData(),entry.GetSerial()));
    }
    else
    {
        queryret = Query(String.Format("INSERT INTO serializeobjects{0}(o_serial,o_subtype,o_data)VALUES('{1}','{2}','{3}')",entry.GetContainerId(),entry.GetSerial(),entry.GetSubType(),entry.GetData()));
    }
    ...
}
public class SqlDataEntry
{
    ...
    private string m_data;
    ...
    public string GetData()
    {
        return m_data;
    }
    ...
}
"INSERT INTO serializeobjectsMobiles(o_serial,o_subtype,o_data)VALUES('1234','Mobile',''); DELETE FROM serializeobjectsMobiles; -- ha ha')"
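To make the difference concrete, here is an added example (not code from the thread or from the project whose C# is quoted above) that rebuilds the INSERT from SaveDataEntry in Python against an in-memory SQLite table. The vulnerable function pastes values into the SQL text exactly like the String.Format call, and is run with executescript to mimic a connector that accepts several statements per query (the CREATE TABLE call earlier in the thread sends "SET ...;CREATE ..." in one Query, so that connector evidently does). The hardened function binds every value as a parameter; because a table name cannot be bound, the container id that picks the table is checked against an allow-list, the same idea as checking the poll radio value against A, B, C and D rather than trusting whatever the browser sent. The payload is the one quoted above; the table layout, the ALLOWED_CONTAINERS set and the seed row are assumptions for the demo.

```python
import sqlite3

# Constructed sample input: the exact o_data value the thread shows an attacker supplying.
PAYLOAD = "'); DELETE FROM serializeobjectsMobiles; -- ha ha"

# Assumed allow-list of container ids. Table names cannot be bound as SQL parameters,
# so the suffix that picks the table is validated instead of being pasted in blindly.
ALLOWED_CONTAINERS = {"Mobiles", "Items"}


def fresh_db():
    """In-memory stand-in for the thread's MySQL table, seeded with one existing row (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE serializeobjectsMobiles (
            o_serial  BIGINT UNSIGNED NOT NULL PRIMARY KEY,
            o_subtype TEXT NOT NULL,
            o_data    TEXT NOT NULL);
        INSERT INTO serializeobjectsMobiles VALUES (1, 'Mobile', 'existing row');
    """)
    return conn


def table_for(container):
    """Resolve the container id to a table name, refusing anything outside the allow-list."""
    if container not in ALLOWED_CONTAINERS:
        raise ValueError("unknown container: %r" % (container,))
    return "serializeobjects" + container


def build_vulnerable_sql(container, serial, subtype, data):
    """Same shape as the String.Format INSERT in the thread: values pasted into the SQL text."""
    return ("INSERT INTO serializeobjects{0}(o_serial,o_subtype,o_data)"
            "VALUES('{1}','{2}','{3}')").format(container, serial, subtype, data)


def save_vulnerable(conn, container, serial, subtype, data):
    """Runs whatever SQL the string formatting produced, extra statements included."""
    # executescript executes every statement in the string, mimicking a connector
    # with multi-statement queries enabled.
    conn.executescript(build_vulnerable_sql(container, serial, subtype, data))


def save_parameterized(conn, container, serial, subtype, data):
    """Hardened form: allow-listed table name, every value bound as a parameter."""
    conn.execute(
        "INSERT INTO %s(o_serial,o_subtype,o_data) VALUES (?,?,?)" % table_for(container),
        (serial, subtype, data))
    conn.commit()


def row_count(conn, container="Mobiles"):
    return conn.execute("SELECT COUNT(*) FROM " + table_for(container)).fetchone()[0]


def stored_data(conn, serial, container="Mobiles"):
    row = conn.execute(
        "SELECT o_data FROM %s WHERE o_serial=?" % table_for(container), (serial,)).fetchone()
    return row[0] if row else None


def demo():
    """Save the payload both ways and report what each leaves in the table."""
    vuln = fresh_db()
    save_vulnerable(vuln, "Mobiles", 1234, "Mobile", PAYLOAD)
    safe = fresh_db()
    save_parameterized(safe, "Mobiles", 1234, "Mobile", PAYLOAD)
    return {
        "vulnerable_sql": build_vulnerable_sql("Mobiles", 1234, "Mobile", PAYLOAD),
        "rows_after_vulnerable": row_count(vuln),        # the injected DELETE emptied the table
        "rows_after_parameterized": row_count(safe),     # seed row plus the new row
        "stored_payload": stored_data(safe, 1234),       # payload stored literally as data
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)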