
Update:

I'm still as confused as ever. Can someone please reply to my last comment?

If all my data (+title1+ and +title2+ in this example -- see below) is sanitized using PHP, do I need to worry about JavaScript as well? I'm concerned about my use of title='"+title2+"' (the apostrophes are my concern) in my code below.

HTML/JavaScript:

 <div id="verification"></div>

 <script>
 function update() {
     $.ajax({
         url: 'update.php', // PHP
         data: "",
         dataType: 'json',
         success: function (data) {
             // on receipt of reply
             var title1 = data[0];
             var title2 = data[1];

             // output to html
             $('#verification').html("<img src=images/test" + title1 + ".gif title='" + title2 + "'>");
         }
     });
 }
 </script>

JSON response

["1","test test test"]

output (mouseover text shown by the title attribute)

test test test

PHP (PHP sanitizing omitted)

$result = mysql_query("SELECT title1, title2 FROM users WHERE username = '$foobar'")
    or die(mysql_error());
$array = mysql_fetch_row($result);
echo json_encode($array);
  • Need to explain your issue in more detail. Really not clear what you are asking or what problems you are having. Commented Aug 29, 2015 at 21:49
  • I asked if I sanitized the data +title1+ +title2+ previously with PHP, whether my use of title='"+title2+"' (the apostrophes are my concern) is safe. Commented Aug 29, 2015 at 21:50
  • You should worry more about using deprecated PHP functions mysql_*. Commented Aug 29, 2015 at 21:56
  • Right. I should be using PDO, but what about my question? Commented Aug 29, 2015 at 21:57
  • Could this help you: stackoverflow.com/questions/8318581/… Commented Aug 29, 2015 at 22:03

1 Answer

There are two different elements that need to be considered:

  • database: use prepared statements (PDO or mysqli) to avoid SQL injection via user input
  • UI: escape user input as required to avoid XSS attacks

While the user input has been 'sanitized' for queries against the database through the PDO/mysqli prepared statements, further consideration is required before presenting the user input back on the web page in the browser.


1 Comment

... and there are even 2nd Level SQL injection attack vectors.
