seeking bad/dangerous textbox submission tip.
OK, that title sounds bad if read wrongly.
I have a series of forms and I have regexed them as much as I think is necessary. I would like to know, however, if someone would send me a line of code that someone could enter through a text box/textarea, which could show specific data from a db, if security hadn't been added. PM it to me if it is unwise to post publicly.
I am trying to make sure that I haven't left a 'door' open to a malicious attack, where I am unable to see there is even the door.
I have regexed out all unnecessary characters from form input and I don't submit it to the db without using placeholders. And I have set permissions on the connection not to allow delete, alter or drops. But I can't seem to work out how to prevent an insertion which would allow for a query that outputs db data other than what the form is meant to do.
I want to be sure that someone couldn't, for example, query the db to output either table names or column values.
Any tips or tutorials most welcome.
"The day you stop learning is the day you become obsolete"! - my late Dad.
Why do some people say "I don't know for sure"? If they don't know for sure then, they don't know!
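An added example, not part of the original post: the three layers described above (allow-list regex, placeholders, a restricted connection) with a self-check that the connection can read only the table the form needs. It uses Python's sqlite3 and an authorizer callback as a stand-in for MySQL grants; the table names, the regex and the sample input are constructed for illustration.

```python
import re
import sqlite3

# Hypothetical allow-list for one form field: letters, digits, space, _ . -
ALLOWED = re.compile(r"[A-Za-z0-9 _.-]{1,40}")
QUERY = "SELECT name, price FROM products WHERE name = ?"

def open_db():
    """Build a constructed in-memory database, then lock the connection down."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.execute("CREATE TABLE staff (id INTEGER PRIMARY KEY, login TEXT)")
    con.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                    [("widget", 2.5), ("gadget", 9.0)])
    con.execute("INSERT INTO staff (login) VALUES ('constructed-admin')")
    con.commit()

    def authorizer(action, arg1, arg2, dbname, source):
        # Least privilege: SELECT statements, reading columns of 'products' only.
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "products":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # schema tables, other tables, writes, DDL

    con.set_authorizer(authorizer)
    return con

def lookup(con, form_value):
    """Layers 1 and 2: reject by allow-list, then bind the value as data."""
    if not ALLOWED.fullmatch(form_value):
        return None
    return con.execute(QUERY, (form_value,)).fetchall()

def lookup_bound_only(con, form_value):
    """Layer 2 alone: the bound value is compared as a literal string."""
    return con.execute(QUERY, (form_value,)).fetchall()

def can_run(con, sql):
    """Privilege audit: does this connection allow the statement at all?"""
    try:
        con.execute(sql).fetchall()
        return True
    except sqlite3.DatabaseError:
        return False

if __name__ == "__main__":
    con = open_db()
    odd = "widget'; --"  # constructed input containing SQL metacharacters
    print(lookup(con, "widget"), lookup(con, odd), lookup_bound_only(con, odd))
    print(can_run(con, "SELECT login FROM staff"),
          can_run(con, "SELECT name FROM sqlite_master"))
```

On MySQL the equivalent of the authorizer is an account granted only the specific privileges on the specific tables the form uses, which is what decides whether table names or other tables' values are reachable from that connection.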