Preventing SQL Injection Attacks with Prepared Statements

  • 0:03
    Preventing SQL Injection Attacks with Prepared Statements
  • 0:05
    with Leanna Pelham
  • 0:09
    Both get_pets and get_pet contain an SQL query
  • 0:13
    where one part of it is a variable.
  • 0:15
    Whenever you have this situation, you're
  • 0:17
    opening yourself up for an SQL injection attack.
  • 0:21
    Want to see one in action?
  • 0:23
    Change the ID value in the URL of your browser
  • 0:25
    to a very specific string.
  • 0:32
    So things look OK.

Both get_pets() and get_pet() contain an SQL query where one part of it is a variable taken from the request. Whenever you have this situation, you're opening yourself up to an SQL injection attack: because the variable is pasted into the query text, the database cannot tell where your SQL ends and the user's input begins. In this tutorial we'll see how this works by exploiting the security hole, and then fix it with prepared statements. A prepared statement keeps the variable parts separate from the rest of the query: the SQL text is sent with placeholders, and the values are bound to those placeholders afterwards, so they are only ever treated as data and never parsed as SQL. This concludes our work for this section of the site and on managing databases.
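The vulnerable pattern and its prepared-statement fix, as an added example that is not part of the original tutorial. The tutorial's own get_pets()/get_pet() code is not shown on this page, so this example uses Python's sqlite3 module and a constructed in-memory pets table rather than the tutorial's database; the function names, the sample rows, and the attack strings are assumptions made for illustration. The unsafe versions reproduce the "variable pasted into the query" mistake, and the safe versions bind the same values as parameters.

```python
import sqlite3

# Constructed sample data for this example (not from the tutorial).
SAMPLE_PETS = [
    (1, "Bonnie", "dog"),
    (2, "Clyde", "cat"),
    (3, "Rex", "dog"),
]


def make_db():
    """Create an in-memory database with a small pets table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pets (id INTEGER PRIMARY KEY, name TEXT, species TEXT)"
    )
    conn.executemany("INSERT INTO pets VALUES (?, ?, ?)", SAMPLE_PETS)
    conn.commit()
    return conn


def get_pet_unsafe(conn, pet_id):
    """VULNERABLE: the request value becomes part of the SQL text.

    pet_id is whatever arrived in the URL, as a string. A value such as
    "1 OR 1=1" changes the WHERE clause instead of being compared to id.
    """
    sql = f"SELECT id, name, species FROM pets WHERE id = {pet_id}"
    return conn.execute(sql).fetchall()


def get_pets_unsafe(conn, species):
    """VULNERABLE: quoting the value by hand does not help.

    A value such as "cat' OR '1'='1" closes the quote and adds its own
    condition, so the filter matches every row.
    """
    sql = f"SELECT id, name, species FROM pets WHERE species = '{species}'"
    return conn.execute(sql).fetchall()


def get_pet(conn, pet_id):
    """SAFE: the SQL text is fixed; the value travels as a bound parameter.

    The database receives "... WHERE id = ?" and, separately, the value.
    The value is compared to the id column as data, never parsed as SQL,
    so "1 OR 1=1" simply matches nothing. (Converting pet_id to int before
    binding would be a further, independent improvement.)
    """
    sql = "SELECT id, name, species FROM pets WHERE id = ?"
    return conn.execute(sql, (pet_id,)).fetchone()


def get_pets(conn, species):
    """SAFE: same placeholder technique for the species filter."""
    sql = "SELECT id, name, species FROM pets WHERE species = ?"
    return conn.execute(sql, (species,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The attack: one pet requested, every pet returned.
    print("unsafe get_pet:", get_pet_unsafe(db, "1 OR 1=1"))
    print("unsafe get_pets:", get_pets_unsafe(db, "cat' OR '1'='1"))
    # The fix: the same input is just an unmatched value.
    print("safe get_pet:", get_pet(db, "1 OR 1=1"))
    print("safe get_pets:", get_pets(db, "cat' OR '1'='1"))
    # Legitimate input still works through the prepared statement.
    print("safe get_pet(2):", get_pet(db, "2"))
```

Note that the safe versions bind the raw request strings without any escaping of their own: separating the query text from the values is what defeats the injection, not quoting or filtering characters.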
