Bugs? In my PHP? It's more likely than you think
There is only one line that has a vuln, correct it. The output does not have to be valid XHTML and assume that a mysql connection has been made already.
There is a bug as well as a vuln. You MUST fix both.
Here is the script:
We're sick of getting bug reports saying <?= ... ?> isn't valid php syntax. If you don't believe us, consult the first page of the php.net language reference.
- This script uses the PHP function mysql_real_escape_string() to avoid SQL injection. That part is correct.
- But don't forget that the textarea often suffers from XSS, and mysql_real_escape_string() does not escape % and _ (the LIKE wildcards).
- So you need to use the PHP function htmlspecialchars() to convert special characters to HTML entities when the value is echoed back into the page.
- Another problem is that the method of the HTML form does not match the PHP $_POST superglobal the script reads from.
- So, input the HTML code below and check.
<form name="grezvahfvfnjuvavatovgpu" action="<?=htmlspecialchars($_SERVER['PHP_SELF'])?>" method="post">
- It's done!
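For reference, here is a small form handler that applies both fixes the list above describes. It is an added example, not the challenge's original script: the `comments` table, the `comment` field name, the `h()` and `escape_like()` helpers and the `mysql_*` calls (already-open connection assumed, as the challenge states) are all assumptions standing in for whatever the original script did.

```php
<?php
// Added example (not the challenge's script). Assumes a mysql_* connection
// is already open and a table `comments(body)` exists.

// Escape for an HTML text/attribute context. Called at output time only,
// so the stored value stays raw and the page cannot be broken by < > " '.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// mysql_real_escape_string() leaves % and _ alone, so a value that ends up
// inside a LIKE pattern needs its wildcards escaped separately (assumed
// helper; '\' is MySQL's default LIKE escape character).
function escape_like(string $s): string {
    return addcslashes($s, '%_\\');
}

$comment = '';
// The form below submits with method="post", so the handler must read
// $_POST; reading $_GET here is the bug the challenge is about.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['comment'])) {
    $comment = (string) $_POST['comment'];

    // Quoted string context: mysql_real_escape_string() is sufficient here.
    $safe = mysql_real_escape_string($comment);
    mysql_query("INSERT INTO comments (body) VALUES ('$safe')");

    // Wildcard-sensitive context: escape % and _ before the quoting step,
    // otherwise a user-supplied '%' matches every row.
    $pattern = mysql_real_escape_string(escape_like($comment));
    $dupes = mysql_query("SELECT COUNT(*) FROM comments WHERE body LIKE '$pattern'");
}
?>
<form name="grezvahfvfnjuvavatovgpu" action="<?= h($_SERVER['PHP_SELF']) ?>" method="post">
<!-- PHP_SELF reflects the request path, so it is escaped like any other
     user input before landing in the action attribute. -->
<textarea name="comment"><?= h($comment) ?></textarea>
<input type="submit" value="Post">
</form>
```

The two escaping functions are not interchangeable: htmlspecialchars() protects the HTML context (the textarea body and the action attribute), mysql_real_escape_string() protects the quoted SQL context, and neither does anything about LIKE wildcards, which is why the example escapes those in a separate step before the SQL quoting.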