function __construct()
{
    // Bootstrap ESAPI from its XML configuration. The path points into the
    // library's test resources, i.e. the insecure default location; in a
    // normal deployment the library and its config live outside the webroot.
    $configPath = '../owasp-esapi-php-read-only/test/testresources/ESAPI.xml';
    $this->esapi = new ESAPI($configPath);

    // Register the default encoder first, then the default validator (kept in
    // this order in case the validator's construction relies on the encoder
    // already being registered), and keep handles on what the registry returns.
    $encoder = new DefaultEncoder();
    ESAPI::setEncoder($encoder);
    $validator = new DefaultValidator();
    ESAPI::setValidator($validator);

    $this->encoder = ESAPI::getEncoder();
    $this->validator = ESAPI::getValidator();
}
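AUTHORS SPECIFICALLY DISCLAIM ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND AUTHORS HAVE NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.*/

// Course lookup by an id taken from the session. The value is treated as
// untrusted until it passes the ESAPI number check; only the checked value is
// bound into the prepared statement.
// Guard against an unset session key so the script does not run with an
// undefined variable (the original read the key unconditionally).
$tainted = isset($_SESSION['UserData']) ? $_SESSION['UserData'] : null;

$ESAPI = new ESAPI();
ESAPI::setEncoder(new DefaultEncoder());
ESAPI::setValidator(new DefaultValidator());

// Verifying the data with ESAPI: accept only a number within [18, 25] (the
// bounds the original chose, allowNull = false); anything else falls back to
// the default id 0. The validator is obtained through the static accessor the
// rest of this code base uses (ESAPI::getValidator()) rather than through an
// instance property, so the object consulted is the one registered above.
if (ESAPI::getValidator()->isValidNumber("Course ID", $tainted, 18, 25, false)) {
    // Cast to int to match the "i" bind type below.
    $checked_data = (int) $tainted;
} else {
    $checked_data = 0; // default value
}

$query = "SELECT * FROM COURSE WHERE id=?";

// Connection to the database (address, user, password). mysql_connect()
// returned a plain resource with no prepare() method; the prepared-statement
// calls below (prepare / bind_param / execute) are the mysqli API, so the
// connection has to be a mysqli object. Credentials should come from
// configuration stored outside the webroot rather than being hard-coded here.
$conn = new mysqli('localhost', 'mysql_user', 'mysql_password');
if ($conn->connect_error) {
    // Fail closed: never run the query on a handle that did not connect.
    throw new RuntimeException('Database connection failed: ' . $conn->connect_error);
}

$stmt = $conn->prepare($query);
if ($stmt === false) {
    $conn->close();
    throw new RuntimeException('Failed to prepare course query: ' . $conn->error);
}

// Bind the VALIDATED value. The original bound $checked_data without ever
// assigning it, so the validation result never reached the query.
$stmt->bind_param("i", $checked_data);
$executed = $stmt->execute();
$executeError = $stmt->error;

// Release the statement and the connection before reporting any failure.
$stmt->close();
$conn->close();

if (!$executed) {
    throw new RuntimeException('Failed to execute course query: ' . $executeError);
}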