First, $email = filter_input(INPUT_GET, ’email’); does nothing it’s the same as $email = filter_input(INPUT_GET, ’email’, FILTER_DEFAULT);, and FILTER_DEFAULT is documented as “do nothing”. Second, PDO’s Query function does appear to support multiple statements (albeit in a rather annoying to use manner, and I can’t say I’ve personally played with it). PHP PDO multiple select query … Read more
The correct way to avoid SQL injection attacks, no matter which database you use, is to separate the data from SQL, so that data stays data and will never be interpreted as commands by the SQL parser. It is possible to create an SQL statement with correctly formatted data parts, but if you don’t fully … Read more
As you’re in your own words a noob there’s no time like the present to pick up some good habits 🙂 $email = $_POST[’email’]; $sql=”INSERT INTO users (email) VALUES (‘$email’)”; is a textbook example of an SQL injection vulnerability, and this code will bite you sooner or later. The reason is that you trust the … Read more
Many a great thing can be performed: Destruction: put *’ or 1 = 1; drop table Creds — into textBox1.Text and the query will be select * from Creds where Username=”*” or 1 = 1; drop table Creds — and Password=” you have two queries; the second one drops creds table Deletion: put *’ or … Read more
The correct way to avoid SQL injection attacks, no matter which database you use, is to separate the data from SQL, so that data stays data and will never be interpreted as commands by the SQL parser. It is possible to create an SQL statement with correctly formatted data parts, but if you don’t fully … Read more