Live search project
I have a live search project and I don't know if it's secure enough or not. I don't access it directly, but I get data by JSON so I shouldn't worry about slashes or quotes, right?



The PHP code:



<?php
if (isset($its_server)) {   // guard flag that index.php sets before requiring this file
    class search {
        public function gettingvalues($search_value) {
            require_once('db_conx.php');
            $dir = "usersimage/";
            // htmlspecialchars() encodes HTML metacharacters only; it is not SQL escaping
            $search_value = htmlspecialchars($search_value, ENT_QUOTES, 'UTF-8');
            // the user-supplied value is interpolated straight into the query text
            $sql = "SELECT name,img,username FROM users WHERE username like '$search_value%'";
            // query execution and JSON output are not shown in the post
        }
    }
} else {
    header('location: 404');
    die();
}
?>


I call the function from index.php:



<?php
$its_server = 'yes';
if (isset($_POST['data'])) {
    require('search.php');
    $search = new search;
    $search->gettingvalues($_POST['data']);
    header('Content-Type: application/json; charset=utf-8');
    die();
}
?>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function() {
    $('input').keyup(function() {
        var value = $('input').val();
        $.ajax({
            type: "POST",
            url: "",                 // posts back to index.php itself
            data: { data: value },
            dataType: "json",
            success: function(json_data) {
                var img = [];
                var username = [];
                var name = [];
                var html = '';
                $.each(json_data, function(index, e) {
                    if (e.error) {
                        html += `${e.error}`;
                    } else {
                        html += `${e.name} ${e.username} ${e.img}<br>`;
                    }
                });
                // server-supplied values are inserted into the page as raw HTML
                $("#feedback").html(html);
            }
        });
    });
});
</script>
<input type="text" name="search" placeholder="looking for?">
<div id="feedback"></div>


I don't know if I'm doing well with security or not, and it's a big deal to me. So, from what you see, on a scale of 1-10, how secure is my page?
php json ajax
asked Jun 26 '18 at 5:47
user172643
  • It makes me wonder where you got the idea that JSON is in any way related to SQL. This statement is like "I washed my hands, so I can go cross a road anywhere, no car will hit me because I am protected from germs".
    – Your Common Sense, Jun 26 '18 at 8:28
  • Getting data by JSON, through jQuery, still exposes your 'live search' to the outside world, with all the security implications of that.
    – KIKO Software, Jun 28 '18 at 15:49
1 Answer
One quite big security issue I see here is your vulnerability to SQL injection attacks. Even when you use htmlspecialchars(), there are still some ways to circumvent it, as shown in "Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?".

Basically, you are allowing the user to directly manipulate the SQL query, which has to be prevented. For this case, there are prepared statements, which, if used correctly, will prevent the user from doing anything nasty with your database. There is an answer to "How can I prevent SQL injection in PHP?" regarding this topic, so I suggest you read and understand that.

Also, you might have a look at the manual to learn more about prepared statements using either mysqli or PDO.
edited Jun 26 '18 at 8:21 by Toby Speight
answered Jun 26 '18 at 7:07 by Tobias F.
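The prepared-statement rewrite that the answer recommends, as an added example (not the poster's code and not the answer's). It collapses search.php and the index.php handler into one listing, assumes db_conx.php defines a PDO connection in $pdo (a name the post never shows), the mbstring extension and PHP 7.3 or later, and goes a little beyond the answer by escaping LIKE wildcards and capping the result set.

```php
<?php
// search.php rewritten around a PDO prepared statement (added example).
// Assumes db_conx.php defines a PDO connection in $pdo (hypothetical name),
// the mbstring extension, and PHP >= 7.3 (JSON_THROW_ON_ERROR).
declare(strict_types=1);

class search
{
    private $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        // Ask the driver for real server-side prepares, so the bound value is sent
        // separately from the SQL text and is never parsed as part of it.
        $this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Returns matching rows; encoding for HTML belongs where the rows are rendered,
    // not here (htmlspecialchars() on the search term protects nothing in SQL).
    public function gettingvalues(string $search_value): array
    {
        // Cap the prefix length so one request cannot send an arbitrarily long pattern.
        $search_value = mb_substr($search_value, 0, 64, 'UTF-8');

        // A bound parameter is safe against injection, but LIKE still interprets
        // '%' and '_'; escape them so the user searches for those characters literally.
        $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $search_value);

        $stmt = $this->pdo->prepare(
            "SELECT name, img, username FROM users WHERE username LIKE ? ESCAPE '!' LIMIT 20"
        );
        $stmt->execute([$escaped . '%']);   // the value travels as data, not as SQL
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// index.php handler with the same POST contract as the poster's page; the response
// is built by json_encode() so the client-side $.each()/e.error loop keeps working.
if (isset($_POST['data']) && is_string($_POST['data'])) {
    require 'db_conx.php';   // assumed to define $pdo
    header('Content-Type: application/json; charset=utf-8');
    try {
        $rows = (new search($pdo))->gettingvalues($_POST['data']);
        echo json_encode($rows, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE);
    } catch (Throwable $e) {
        // Keep the driver message in the server log; the client gets only a generic error element.
        error_log($e->getMessage());
        http_response_code(500);
        echo json_encode([['error' => 'search failed']]);
    }
    exit;
}
```

Prepared statements close the SQL path only; since the page inserts the returned fields with .html(), the client should still add name, username and img as text rather than as markup.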
  • To me, this is more a comment than an answer; it boils down to a single SO link. And a confused one. What does it mean, "Nothing is 100% secure"? Got any evidence of gaining access to a database if secured correctly?
    – Your Common Sense, Jun 26 '18 at 7:12
  • @YourCommonSense The "Not 100%" part is more something obligatory to me, as you can't guarantee 100%, but as far as I know there is no way to bypass the current "correct" way :) I also wasn't sure whether this counts as a full answer, but it seemed to be too much for a comment to me.
    – Tobias F., Jun 26 '18 at 7:20
  • I think that prepared statements won't do anything for me, because index.php transfers JSON-type data (utf-8). What do you think?
    – user172643, Jun 26 '18 at 7:42
  • I think that "Use prepared statements where you can," is a good code review observation and worthy of an answer. It would be better to show what you'd do, as well as linking to those good resources.
    – Toby Speight, Jun 26 '18 at 8:18
  • @AhmadSalameh you are supposed to read the links provided in the answer. "Do I need to use prepared statements" is not a question for a code review. It is not about making your code better but about you understanding very basic principles, which you are supposed to learn from answers on Stack Overflow.
    – Your Common Sense, Jun 26 '18 at 8:26