Preventing SQL Injection Attacks with Prepared Statements

Both get_pets() and get_pet() contain an SQL query in which one part is a variable. Whenever you have this situation, you're opening yourself up to an SQL injection attack. In this tutorial we'll see how this works by exploiting the security hole, and then fix it with prepared statements. Prepared statements let us build a query where the variable parts are kept separate from the rest of the query text. This will conclude our work on this section of the site and on managing databases.
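The following is an added example, not the tutorial's own code, showing the difference the paragraph describes: a get_pet() that pastes its variable into the query text beside one that binds it as a parameter. The tutorial's language and schema are not shown here, so the example assumes Python's sqlite3 module, an in-memory `pets` table with constructed rows, and the hypothetical names `get_pet_vulnerable` and `get_pet_prepared`.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the tutorial's pets table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pets (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO pets (name, owner) VALUES (?, ?)",
        [("Rex", "alice"), ("Tom", "bob"), ("Polly", "carol")],
    )
    return conn


def get_pet_vulnerable(conn, name):
    # The variable is concatenated into the SQL text, so any quote
    # characters in `name` become part of the query's syntax.
    sql = f"SELECT id, name, owner FROM pets WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def get_pet_prepared(conn, name):
    # The query text is fixed; `name` is sent separately as a bound
    # parameter and can only ever be compared as a value.
    sql = "SELECT id, name, owner FROM pets WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    benign = "Rex"
    # Constructed input of the kind the tutorial exploits: it closes the
    # quote and appends a condition that is always true.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": get_pet_vulnerable(conn, benign),    # one row
        "vuln_hostile": get_pet_vulnerable(conn, hostile),  # every row leaks
        "prep_benign": get_pet_prepared(conn, benign),      # one row
        "prep_hostile": get_pet_prepared(conn, hostile),    # no such pet: []
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable version returns the whole table for the hostile input because the condition it builds reads `name = 'x' OR '1'='1'`; the prepared version simply looks for a pet literally named `x' OR '1'='1` and finds none.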