I have some data being fetched from a database (that is sanitised on the way into the database with a prepared statement). When using this data I thought I'd have to use the htmlspecialchars() function, but having used a password which contained special characters this broke the code because it obviously turned the < into an HTML entity.
Am I correct in thinking that if the code is sanitised going into the database, and isn't being physically output onto the HTML page, I don't have to add any extra security to what I have below?
I initially wrapped the code inside the while loop in the htmlspecialchars() e.g. $db_id = htmlspecialchars($row['ID']); which is how I found it was breaking the code.
I am new to PHP so please be kind :)
```php
if (isset($_POST['login'])) {
    $email = $_POST['email'];

    $stmt = $connection->prepare("SELECT * FROM users WHERE email = ? ");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $result = $stmt->get_result();

    // assign columns from the database to variables
    while ($row = mysqli_fetch_array($result)) {
        $db_id        = $row['ID'];
        $db_firstname = $row['firstname'];
        $db_email     = $row['email'];
        $db_password  = $row['password'];
    }

    $stmt->close();
    $connection->close();

    // code will go here that checks if the email and password match and then create a $_SESSION
}
```

https://stackoverflow.com/questions/67259658/extra-sanitisation-when-dealing-with-fetched-data April 26, 2021 at 09:04AM
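As an added example (not code from the question), one way to keep each layer's handling separate: the prepared statement guards the query, password_verify() compares the submitted password against the raw stored hash, and htmlspecialchars() is applied only at the point a value is written into HTML. It assumes the password column holds password_hash() output, and uses a constructed row in place of a live database so it runs offline.

```php
<?php
declare(strict_types=1);

// Constructed sample row standing in for one result of the prepared SELECT above.
// Assumed: the password column holds password_hash() output, not the plaintext.
$row = [
    'ID'        => 7,
    'firstname' => 'Ada <b>"Countess"</b>',
    'email'     => 'ada@example.com',
    'password'  => password_hash('p<ss&word"123', PASSWORD_DEFAULT),
];

// Database layer: the bound parameter is what protects the query; the value
// itself is stored unchanged, with no escaping on the way in.
function fetchUserByEmail(mysqli $connection, string $email): ?array
{
    $stmt = $connection->prepare('SELECT ID, firstname, email, password FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $user ?: null;
}

// Authentication layer: compare raw input against the raw stored hash.
// No HTML encoding belongs here, because nothing is being rendered.
function passwordMatches(array $user, string $submitted): bool
{
    return password_verify($submitted, $user['password']);
}

// Output layer: encode only at the moment a value is placed into HTML.
function renderGreeting(array $user): string
{
    $name = htmlspecialchars($user['firstname'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Welcome back, {$name}!</p>";
}

// The raw comparison succeeds, and the name is encoded only when printed.
var_dump(passwordMatches($row, 'p<ss&word"123'));
echo renderGreeting($row), PHP_EOL;

// Encoding before the comparison is the failure mode from the question: the
// entity form of the password is a different string, so password_verify() rejects it.
$encoded = htmlspecialchars('p<ss&word"123', ENT_QUOTES | ENT_HTML5, 'UTF-8');
var_dump(passwordMatches($row, $encoded));
```

fetchUserByEmail() is shown for completeness and is not called, so the script needs no database connection to run.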