57
PHP Security Anti-Patterns
echo '<tr><th>Post</th><th>Date</th><th>Info</th></tr>';
echo '<td>',$value1,'</td>'.'<td>',$value2,'</td>'.'<td>',$value3,'</td>';
}
Too Many Database Function Calls
The code below is a code pattern to avoid. Code like this is common in tutorials.
The basic problem with this example is that there are too many holes to plug. There are
too many SQL statements to protect. The output context and the data content are more
difficult to determine. Code changes become more laborious. There are just too many
places where output data needs to be filtered and escaped, and so a developer loses control
of security measures.
echo '<h2>Blog List</h2>';
$result = mysql_query('SELECT * FROM Blogs');
if(mysql_num_rows($result)) {
echo '<table ...
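As an added example that is not from the book, the consolidated form the text argues for: one function that runs the single query and one function that escapes at the single output point, using PDO in place of the mysql_* calls shown. The column names, the in-memory SQLite backing and the sample rows are assumptions.

```php
<?php
// Added example (not from the book): the consolidated counterpart to the
// scattered query/echo pattern. Assumed schema: Blogs(post, posted_on, info).
// Uses an in-memory SQLite database so it runs stand-alone (php with pdo_sqlite).

// One place where SQL runs: a prepared statement, nothing built from strings.
function fetchBlogs(PDO $db): array
{
    $stmt = $db->prepare('SELECT post, posted_on, info FROM Blogs ORDER BY posted_on DESC');
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// One place where data meets HTML: every value goes through this escaper for
// the HTML-body context, so there is exactly one filter to audit.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderBlogTable(array $rows): string
{
    $html = "<h2>Blog List</h2>\n<table>\n"
          . "<tr><th>Post</th><th>Date</th><th>Info</th></tr>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . h($row['post']) . '</td>'
               . '<td>' . h($row['posted_on']) . '</td>'
               . '<td>' . h($row['info']) . '</td></tr>' . "\n";
    }
    return $html . "</table>\n";
}

// Constructed sample data: one row carries markup that must come out inert.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Blogs (post TEXT, posted_on TEXT, info TEXT)');
$ins = $db->prepare('INSERT INTO Blogs (post, posted_on, info) VALUES (?, ?, ?)');
$ins->execute(['First post', '2024-01-01', 'plain text']);
$ins->execute(['Second post', '2024-01-02', '<b>markup in data</b>']);

echo renderBlogTable(fetchBlogs($db));
```

With the query and the escaping each confined to one function, a change to either the schema or the output context is a single edit rather than a hunt through every echo.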