SQL Injection VS Prepared Statement
DO NOT USE THIS TO DESTROY.
USE IT FOR KINDNESS.
USE IT FOR GOOD.
Use it to help evaluate other people's security systems, with their permission,
and notify the system owner of any weakness you find. Any kind of violation is entirely your responsibility.
SQL INJECTION
SQL Injection is one of many ways to attack a system's data. The attacker manipulates the SQL query the application runs by sending crafted input through a form field or a URL parameter. It works whenever the application builds its query by pasting user input straight into the SQL text, for example a login check like:
SELECT * FROM user WHERE email='$email' AND password='$password' AND status='on'
Injection if you know the target's email. Type test@gmail.com' OR '1=1 into the email field and leave the password empty. The query that executes:
SELECT * FROM user WHERE email='test@gmail.com' OR '1=1'
AND password='' AND status='on'
Because AND binds more tightly than OR, the database reads this as email='test@gmail.com' OR ('1=1' AND password='' AND status='on'). The first condition alone selects the target's row, so the password check is bypassed. (Note that '1=1' here is a string literal, not a comparison; MySQL treats it as true because it coerces the leading "1" to a number. The portable form of the trick is '1'='1'.)
Injection if you don't know the target's email. Type ' OR email LIKE '%.com%' OR '1=1 into the email field, again with an empty password. The query that executes:
SELECT * FROM user WHERE email='' OR email LIKE '%.com%' OR '1=1' AND password='' AND status='on'
The empty email matches nothing, but the injected LIKE condition returns every account whose address contains ".com", regardless of password or status.
If you don't want to be a victim of SQL injection, here is the solution:
PREPARED STATEMENT
is one of many ways to protect data from SQL Injection.
With a prepared statement, the SQL text with its placeholders is sent to the database first and parsed once; the user's values are bound to the placeholders afterwards and are only ever treated as data. Whatever someone types into the form, quotes and OR included, is compared as a literal string and can never become part of the query's structure.
Example with PDO-PHP:
// :email and :password are placeholders; PDO binds the values separately.
$user = $pdo->prepare(
    "SELECT * FROM user WHERE email = :email AND password = :password");
$user->execute([':email' => $email, ':password' => $password]);
One caveat: comparing the password inside the query only works if it is stored in plaintext, which you should never do. Fetch the row by email and check the password in PHP with password_verify() against a hash stored with password_hash().
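To make both halves of the article concrete, here is an added example that is not part of the original post. It uses Python's built-in sqlite3 module (standing in for PDO) with a constructed in-memory user table, builds the exact concatenated queries shown in the injection section from the article's two payloads, and then runs the same payloads through a prepared statement. The table contents, the column layout and the function names are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo; not from the original article.
SAMPLE_USERS = [
    ("test@gmail.com", "s3cret", "on"),
    ("alice@example.com", "hunter2", "on"),
    ("bob@example.org", "letmein", "off"),
]

# The two payloads from the article, typed into the email field
# with the password field left empty.
KNOWN_EMAIL_PAYLOAD = "test@gmail.com' OR '1=1"
UNKNOWN_EMAIL_PAYLOAD = "' OR email LIKE '%.com%' OR '1=1"


def make_db():
    """Create an in-memory SQLite database with a 'user' table like the article's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, password TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO user (email, password, status) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    return conn


def build_vulnerable_query(email, password):
    """The injectable pattern: user input pasted straight into the SQL text."""
    return (
        f"SELECT * FROM user WHERE email='{email}' "
        f"AND password='{password}' AND status='on'"
    )


def login_vulnerable(conn, email, password):
    """Run the concatenated query and return the emails of the rows it matches.

    With KNOWN_EMAIL_PAYLOAD the query becomes
    email='test@gmail.com' OR ('1=1' AND password='' AND status='on'),
    so the target's row is returned without a password. ('1=1' is a string
    literal; here it never matters, because the AND chain it sits in is
    already false on password=''.)
    """
    rows = conn.execute(build_vulnerable_query(email, password)).fetchall()
    return [row[1] for row in rows]


def login_prepared(conn, email, password):
    """Same check as a prepared statement: '?' placeholders, values bound separately.

    The payload is compared as one literal email address and matches nothing.
    """
    rows = conn.execute(
        "SELECT * FROM user WHERE email=? AND password=? AND status='on'",
        (email, password),
    ).fetchall()
    return [row[1] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(KNOWN_EMAIL_PAYLOAD, ""))
    print("vulnerable, known email:  ", login_vulnerable(db, KNOWN_EMAIL_PAYLOAD, ""))
    print("vulnerable, unknown email:", login_vulnerable(db, UNKNOWN_EMAIL_PAYLOAD, ""))
    print("prepared, known email:    ", login_prepared(db, KNOWN_EMAIL_PAYLOAD, ""))
    print("prepared, unknown email:  ", login_prepared(db, UNKNOWN_EMAIL_PAYLOAD, ""))
    print("prepared, real login:     ", login_prepared(db, "test@gmail.com", "s3cret"))
```

Run it and compare the two sets of results: the concatenated query hands over the target's account (and, with the second payload, every ".com" account) on an empty password, while the prepared statement returns nothing for either payload and still works for a genuine email and password. The prepared version also keeps the status='on' check, so a disabled account such as bob@example.org is refused even with the right password.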
Conclusion
In this article, we learned how SQL Injection works through a form and how to protect a form from SQL Injection with a prepared statement.
Thank you for your time. I hope you liked it, and I look forward to sharing my next story.