SQL Injection VS Prepared Statement

ruben michaeel
2 min read · Apr 11, 2022

DO NOT USE IT TO DESTROY.

USE IT FOR KINDNESS.

USE IT FOR GOOD.

Use it to help evaluate other people's security systems by notifying the system owner of the weakness. Any kind of violation is entirely your responsibility.

SQL INJECTION

SQL Injection is one of many ways to attack a system's data by manipulating a query through a form or a URL.

Injection when you know the target's email.

Query at execution:

SELECT * FROM user WHERE email='test@gmail.com' OR '1=1'
AND password='' AND status='on'

Injection when you don't know the target's email:

Query at execution:

SELECT * FROM user WHERE email='' OR email LIKE '%.com%' OR '1=1' AND password='' AND status='on'

If you don't want to be a victim of SQL injection, here is the solution:

PREPARED STATEMENT

A prepared statement is one of many ways to protect data from SQL Injection.

With prepared statements, the system executes the query exactly as we defined it: the SQL text is fixed in advance and the user's input is bound to it as a value, so anything someone injects is treated as plain text rather than as part of the query.

Example with PDO-PHP

// The SQL text is fixed; :email and :password are bound as values, never spliced into the query.
$user = $pdo->prepare(
    "SELECT * FROM user WHERE email = :email AND password = :password");
$user->execute([':email' => $email, ':password' => $password]);
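To make the contrast concrete, here is an added example (not code from the article) that runs the two injected inputs from the SQL Injection section against both a concatenated query and a prepared statement. It assumes Python's sqlite3 module in place of PDO, a constructed in-memory `user` table, and the function names `login_concatenated` and `login_prepared`; sqlite3 accepts the same `:email` placeholder style as the PDO example above.

```python
import sqlite3

# Constructed sample rows standing in for the article's `user` table.
SAMPLE_USERS = [
    ("alice@example.com", "alice-secret", "on"),
    ("bob@example.com", "bob-secret", "off"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (email TEXT, password TEXT, status TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, email, password):
    # Vulnerable: inputs are spliced into the SQL text, so a quote inside
    # them changes the shape of the query the database parses.
    sql = ("SELECT email FROM user WHERE email='" + email +
           "' AND password='" + password + "' AND status='on'")
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, email, password):
    # Hardened: the SQL text is fixed; :email and :password are bound as
    # values, the same named-placeholder style as the article's PDO example.
    sql = ("SELECT email FROM user WHERE email=:email "
           "AND password=:password AND status='on'")
    rows = conn.execute(sql, {"email": email, "password": password})
    return [row[0] for row in rows]


# Article's first case (known email, empty password). Concatenated, it yields:
#   ... WHERE email='alice@example.com' OR '1=1' AND password='' AND status='on'
KNOWN_EMAIL_PAYLOAD = "alice@example.com' OR '1=1"

# Article's second case (email unknown). Concatenated, it yields:
#   ... WHERE email='' OR email LIKE '%.com%' OR '1=1' AND password='' AND status='on'
UNKNOWN_EMAIL_PAYLOAD = "' OR email LIKE '%.com%' OR '1=1"


if __name__ == "__main__":
    db = make_db()
    print(login_concatenated(db, KNOWN_EMAIL_PAYLOAD, ""))    # ['alice@example.com']
    print(login_prepared(db, KNOWN_EMAIL_PAYLOAD, ""))        # []
    print(login_concatenated(db, UNKNOWN_EMAIL_PAYLOAD, ""))  # both rows
    print(login_prepared(db, UNKNOWN_EMAIL_PAYLOAD, ""))      # []
```

The concatenated version logs in as a known user with no password at all, while the prepared statement looks for an email literally equal to the injected string and finds nothing.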

Conclusion

In this article, we learned how SQL Injection works through a form and how to protect a form from SQL Injection with prepared statements.

Thank you for your time; I hope you liked it and look forward to my next story.
