re: Expanding the Snake game to include a Global Scoreboard - Part 1 VIEW POST


If you don't do any string sanitization server-side, it's probably XSS vulnerable. If you want to test try copy-pasting some of the strings on this site into the name-field when you get a highscore:

If you're storing the highscores in an SQL-database, you should be safe from sql-injections as long as you use parameterized queries, I think.


I haven't started testing yet, but this is the code I've got for filtering/sanitizing the one and only user input field:

$name = trim(stripslashes(strip_tags(filter_var($_POST['name'], FILTER_SANITIZE_STRING))));

Thanks for the link - that will be helpful when I do start testing.

Now, parameterized queries - that's something I don't know about yet....

code of conduct - report abuse