PHP Snippet #05
Bookmarked!This challenge covers the review of a snippet of code written in PHP
The Code Review Snippet challenges in this lab provide a small snippet of potentially vulnerable code. You are encouraged to first identify the issues on your own. If you struggle to find the issue or want to learn more, the video explanation will guide you through the process.
In this specific challenge, we analyze a register
function that constructs an SQL query to insert user data into a database. Although the code uses mysql_real_escape_string
to prevent SQL injection, there's a critical issue in how mysql_error
is echoed without HTML escaping, which can lead to cross-site scripting (XSS) attacks. This demonstrates the importance of looking for various types of vulnerabilities, not just those commonly associated with SQL queries.