Live search project
I have a live search project and I don't know if it's secure enough or not. I don't access it directly, but I get data by JSON, so I shouldn't worry about slashes or quotes, right?

The PHP code (search.php):

```php
<?php
if (isset($its_server)) {   // the page read $it_server here; index.php sets $its_server
    class search
    {
        public function gettingvalues($search_value)
        {
            require_once('db_conx.php');
            $dir = "usersimage/";
            $search_value = htmlspecialchars($search_value, ENT_QUOTES, 'UTF-8');
            // user input is interpolated straight into the query text
            $sql = "SELECT name,img,username FROM users WHERE username like '$search_value%'";
            // running the query and emitting the JSON are not shown in the question
        }
    }
} else {
    header('location: 404');
    die();
}
?>
```

I call the function from index.php:

```php
<?php
$its_server = 'yes';
if (isset($_POST['data'])) {
    require('search.php');
    $search = new search;
    $search->gettingvalues($_POST['data']);
    header('Content-Type: application/json; charset=utf-8');
    die();
}
?>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function() {
    $('input').keyup(function() {
        var value = $('input').val();
        $.ajax({
            type: "POST",
            url: "",
            data: { data: value },
            dataType: "json",   // the jQuery option is dataType; "datatype" is silently ignored
            success: function(json_data) {
                var html = '';
                $.each(json_data, function(index, e) {
                    if (e.error) {
                        html += `${e.error}`;
                    } else {
                        html += `${e.name} ${e.username} ${e.img}<br>`;
                    }
                });
                $("#feedback").html(html);   // server data is inserted as HTML, not as text
            }
        });
    });
});
</script>
<input type="text" name="search" placeholder="looking for?">
<div id="feedback"></div>
```

I don't know if I'm doing well with security or not, and it's a big deal to me. So, from what you see, on a scale of 1-10, how secure is my page?

php json ajax
asked Jun 26 '18 at 5:47
user172643
Comments on the question:

– Your Common Sense, Jun 26 '18 at 8:28: It makes me wonder where you got the idea that JSON is in any way related to SQL. This statement is like "I washed my hands, so I can go cross a road anywhere, no car will hit me because I am protected from germs".

– KIKO Software, Jun 28 '18 at 15:49: Getting data by JSON, through jQuery, still exposes your 'live search' to the outside world, with all the security implications of that.
1 Answer
One quite big security issue I see here is your vulnerability to SQL injection attacks. Even when you use htmlspecialchars(), there are still some ways to circumvent it, as shown in "Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?".

Basically, you are allowing the user to directly manipulate the SQL query, which has to be prevented. For this case, there are prepared statements, which, if used correctly, will prevent the user from doing anything nasty with your database. There is an answer to "How can I prevent SQL injection in PHP?" regarding this topic, so I suggest you read and understand that.

Also, you might have a look at the manual to learn more about prepared statements using either mysqli or PDO.
answered Jun 26 '18 at 7:07 by Tobias F.; edited Jun 26 '18 at 8:21 by Toby Speight
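As an added example (not the question's or the answer's code), this is the rewrite the answer recommends: the same username prefix search done with a PDO prepared statement, with the LIKE wildcards escaped as well. It runs against an in-memory SQLite table of constructed rows so it can be tried offline; the function names are assumptions, and for MySQL only the DSN and credentials passed to PDO change.

```php
<?php
// Added example, not the question's or the answer's code: the username prefix
// search with a PDO prepared statement. Runs against an in-memory SQLite table
// of constructed rows so it can be tried offline; for MySQL only the DSN and
// credentials change (there, also set PDO::ATTR_EMULATE_PREPARES to false).
declare(strict_types=1);

function openSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $pdo->exec('CREATE TABLE users (name TEXT, img TEXT, username TEXT)');
    // Constructed sample rows standing in for the real users table.
    $insert = $pdo->prepare('INSERT INTO users (name, img, username) VALUES (?, ?, ?)');
    foreach ([
        ['Alice Example', 'alice.png', 'alice'],
        ['Bob Example',   'bob.png',   'bob_smith'],
        ['Carol Example', 'carol.png', 'carol'],
    ] as $row) {
        $insert->execute($row);
    }
    return $pdo;
}

/**
 * Prefix search on username. The user's text never becomes part of the SQL
 * text: it is sent as a bound parameter, so a quote or backslash in it is just
 * a character to match. LIKE treats % and _ as wildcards, so those are escaped
 * as well; otherwise a search for "%" alone would list every user.
 */
function searchUsers(PDO $pdo, string $searchValue): array
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $searchValue);
    $stmt = $pdo->prepare(
        "SELECT name, img, username FROM users WHERE username LIKE :pattern ESCAPE '!' LIMIT 20"
    );
    $stmt->execute([':pattern' => $escaped . '%']);
    return $stmt->fetchAll();
}

/** Body for the AJAX response; an empty result becomes a single error entry. */
function searchResponse(PDO $pdo, string $searchValue): string
{
    $rows = searchUsers($pdo, $searchValue);
    if ($rows === []) {
        $rows = [['error' => 'No user found']];
    }
    // JSON_HEX_* keeps the output harmless if it is ever dropped into HTML instead of parsed.
    return json_encode($rows, JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

$pdo = openSampleDb();
// "bob" finds bob_smith; "%" finds nobody because the wildcard is now literal
// (without escaping it would return all three rows); a lone quote finds nobody
// instead of breaking the query as the interpolated version in the question would.
foreach (['bob', '%', "'"] as $input) {
    echo $input, ' => ', searchResponse($pdo, $input), PHP_EOL;
}
```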
Comments on the answer:

– Your Common Sense, Jun 26 '18 at 7:12: To me, this is more a comment than an answer; it boils down to a single SO link. And a confused one. What does it mean, "Nothing is 100% secure"? Got any evidence of gaining access to a database if secured correctly?

– Tobias F., Jun 26 '18 at 7:20: @YourCommonSense The "Not 100%" part is more something obligatory to me, as you can't guarantee 100%, but as far as I know there is no way to bypass the current "correct" way :) I also wasn't sure whether this counts as a full answer, but it seemed to be too much for a comment to me.

– user172643, Jun 26 '18 at 7:42: I think that prepared statements won't do anything for me, because index.php transfers JSON type data (utf-8). What do you think?

– Toby Speight, Jun 26 '18 at 8:18 (score 2): I think that "Use prepared statements where you can" is a good code review observation and worthy of an answer. It would be better to show what you'd do, as well as linking to those good resources.

– Your Common Sense, Jun 26 '18 at 8:26 (score 1): @AhmadSalameh you are supposed to read the links provided in the answer. "Do I need to use prepared statements" is not a question for a code review. It is not about making your code better but about you understanding very basic principles, which you are supposed to learn from answers on Stack Overflow.