
Hiding PHP URL Parameters that come from the database

So I'm a noob to PHP and I am trying to secure my URL parameters, which use PHP to produce unique pages. Currently they are open to cross-site scripting, and I wondered how I could fix this?

    <?php
    // $unique_id is interpolated straight into the SQL text (SQL injection),
    // and the row values are echoed unescaped into the href and anchor text (XSS).
    if ($result = $link->query("SELECT league_name, role, start_date,
                                       end_date, joincode, active
                                FROM leagues
                                WHERE unique_id='$unique_id'", MYSQLI_USE_RESULT)) {
    ?>
    <table>
      <tbody>
      <?php while ($row = $result->fetch_assoc()) { ?>
        <tr>
          <td scope="row" data-label="League Name"><a class="action" href="leagueinfo.php?league_name=<?php echo $row['league_name']; ?>&joincode=<?php echo $row['joincode']; ?>"><?php echo $row['league_name'] ?></a></td>
        </tr>
      <?php } $result->close(); ?>
      </tbody>
    </table>
    <?php
    }
    mysqli_close($link);
    ?>

So I need to find a way to make sure this doesn't happen:

(Screenshot: a script entered into the URL)

You can use PDO; prepared statements provide a good way of protection against SQL injection:

1. Prepare your query with empty values as placeholders.
2. Bind values to the placeholders.
3. Execute your query.

    // PDO: $link is a PDO connection here (named placeholders such as :id are a PDO
    // feature, not a mysqli one), and $unique_id is the value the question's query used
    $stmt = $link->prepare("SELECT league_name, role, start_date, end_date, joincode, active FROM leagues WHERE unique_id=:id");
    $stmt->bindParam(':id', $unique_id);
    $stmt->execute();

There are a few different values that need to be encoded:

  • $unique_id should be escaped for MySQL, or the query should be parameterized instead. (See prepared statements.)

  • league_name and joincode inside the URL should be URL-encoded, which also happens to remove HTML special characters. (See rawurlencode.)

  • league_name in the anchor text should be HTML-encoded. (See htmlspecialchars.)
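The question's loop rewritten with all three fixes from this answer, as an added example (not code from either answer). It assumes `$link` is a mysqli connection with the mysqlnd driver (needed for `get_result()`) and that `$unique_id` was already read from the request; the table and column names are the question's.

```php
<?php
// Added example: assumes $link is a mysqli connection (mysqlnd) and $unique_id
// came from the request. Table/column names are taken from the question.

// Builds the <a> tag for one row. rawurlencode()-style encoding (RFC 3986) for the
// query-string values, htmlspecialchars() for everything that lands in HTML:
// the href attribute and the anchor text.
function league_link(array $row): string
{
    $query = http_build_query([
        'league_name' => $row['league_name'],
        'joincode'    => $row['joincode'],
    ], '', '&', PHP_QUERY_RFC3986);      // PHP_QUERY_RFC3986 == rawurlencode() per value
    $href = 'leagueinfo.php?' . $query;
    // A value such as <script> becomes %3Cscript%3E in the URL and &lt;script&gt; in the text
    return '<a class="action" href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($row['league_name'], ENT_QUOTES, 'UTF-8')
         . '</a>';
}

// Parameterized query: $unique_id is bound as data and never touches the SQL text.
$stmt = $link->prepare(
    'SELECT league_name, role, start_date, end_date, joincode, active
       FROM leagues WHERE unique_id = ?'
);
$stmt->bind_param('s', $unique_id);
$stmt->execute();
$result = $stmt->get_result();
?>
<table>
  <tbody>
  <?php while ($row = $result->fetch_assoc()): ?>
    <tr>
      <td scope="row" data-label="League Name"><?= league_link($row) ?></td>
    </tr>
  <?php endwhile; ?>
  </tbody>
</table>
<?php
$stmt->close();
$link->close();
```

leagueinfo.php must apply the same rule on its side: read `$_GET['league_name']` and `$_GET['joincode']` only through a prepared statement, and htmlspecialchars() them before echoing.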
