Today, I had a small but funny conversation with a person I knew from my education (application development).

He suddenly asked how to prevent the use of HTML tags in PHP.

So I sent him the following line:

$string = str_replace(array("<", ">"), array("&lt;", "&gt;"), $string);

Shortly after that, he asked how to add this to his query, which looks like this:

$query = "INSERT INTO comments (name, email, quote, hinzugefuegt, ip_adress) VALUES ('" . $_POST['vName'] . "', '" . $_POST['eMail'] . "', '" . $_POST['q17'] . "', NOW(), '" . $_SERVER['REMOTE_ADDR'] . "')";

Now I thought: "Well, he doesn't even secure his variables", and I posted a Pastebin which only "fixes" his issue by replacing the HTML tags, but still allows SQL injection.


Maybe I'm a bad person, but he doesn't deserve it otherwise, because when I was still in education with him, I told him, he should learn to use prepared statements.
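For the record, this is how the INSERT from above looks with a prepared statement, with HTML escaping moved to output time. This is an added example, not the Pastebin from the post; the DSN and credentials are placeholders, and the column names are the ones from his query.

```php
<?php
// Added example, not the code from the post or its Pastebin.
// Assumes a MySQL database reachable via PDO; DSN and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// Store the comment. The values never become part of the SQL text; the driver
// sends them separately, so a quote inside $_POST['q17'] cannot end the string
// literal the way it does in the concatenated query above.
function saveComment(PDO $pdo, string $name, string $email, string $quote, string $ip): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO comments (name, email, quote, hinzugefuegt, ip_adress)
         VALUES (:name, :email, :quote, NOW(), :ip)'
    );
    $stmt->execute([
        ':name'  => $name,
        ':email' => $email,
        ':quote' => $quote,
        ':ip'    => $ip,
    ]);
}

// HTML escaping belongs where the text is rendered, not before the INSERT:
// the database keeps the raw text and every output path escapes it. Unlike the
// str_replace line above, htmlspecialchars also covers quotes and ampersands.
function renderComment(array $row): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p><b>' . $e($row['name']) . '</b>: ' . $e($row['quote']) . '</p>';
}

saveComment(
    $pdo,
    $_POST['vName'] ?? '',
    $_POST['eMail'] ?? '',
    $_POST['q17'] ?? '',
    $_SERVER['REMOTE_ADDR'] ?? ''
);

foreach ($pdo->query('SELECT name, quote FROM comments ORDER BY hinzugefuegt DESC') as $row) {
    echo renderComment($row);
}
```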
