SQL INJECTION
Preventing SQLi
- Filters can be bypassed.
- Use a blacklist of commands? Still can be bypassed.
- Use whitelist? Same issue.
-> Use parameterized (prepared) statements: the SQL code is sent to the database separately from the data, so user input is bound as a value and never parsed as SQL.
<?php
// Attacker-controlled input (the note's example):
//   $textbox1 = admin' union select #
//
// Bad sample: string interpolation pastes the input into the SQL text.
//   "Select * from accounts where username = '$textbox1'"
// becomes
//   Select * from accounts where username = 'admin' union select #'
// The quote closes the string literal, "union select" is parsed as SQL, and # comments out the trailing quote.
//
// Safe: prepare the statement with a placeholder, then bind the value.
//   $stmt = $pdo->prepare("Select * from accounts where username = ?");
//   $stmt->execute(array($textbox1));   // $textbox1, not '$textbox1': single quotes would bind the literal text "$textbox1"
//
// The database compiles "Select * from accounts where username = ?" first; the whole
// input admin' union select # is then sent as one value, is never parsed as SQL,
// and simply matches no username.
?>
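The interpolated and prepared lookups side by side, as an added example that is not part of the original notes: it runs the two versions against an in-memory SQLite database through PDO. The table layout and rows are constructed for the demo (the notes only name an "accounts" table with a "username" column), and because SQLite does not treat "#" as a comment, the constructed payload uses an OR-tautology instead of the note's "union select #" form.

```php
<?php
// Added example, not from the original notes. Assumes the pdo_sqlite extension;
// the accounts table and its rows are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$pdo->exec("INSERT INTO accounts (username) VALUES ('admin'), ('alice')");

// Bad: the input is pasted into the SQL text, so its quotes and keywords are parsed as SQL.
function lookupVulnerable(PDO $pdo, string $textbox1): array {
    $sql = "SELECT * FROM accounts WHERE username = '$textbox1'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement is compiled with a placeholder; the input is bound as one value
// and compared against the username column as plain text.
function lookupSafe(PDO $pdo, string $textbox1): array {
    $stmt = $pdo->prepare("SELECT * FROM accounts WHERE username = ?");
    $stmt->execute([$textbox1]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = "admin";
$payload = "x' OR '1'='1";   // constructed: closes the string literal and appends an always-true condition

printf("vulnerable, normal input : %d row(s)\n", count(lookupVulnerable($pdo, $normal)));
printf("vulnerable, payload      : %d row(s)\n", count(lookupVulnerable($pdo, $payload)));
printf("safe, normal input       : %d row(s)\n", count(lookupSafe($pdo, $normal)));
printf("safe, payload            : %d row(s)\n", count(lookupSafe($pdo, $payload)));
```

With the normal input both functions return the single admin row. With the payload, the vulnerable query becomes `SELECT * FROM accounts WHERE username = 'x' OR '1'='1'` and returns every account, while the prepared statement looks for a user literally named `x' OR '1'='1` and returns nothing: the same bytes reach the database either way, but only the interpolated version lets them change the query's structure.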