How to Prevent SQL Injections Using PHP

Today we're going to talk about something called SQL injection and how to prevent it from happening to our website. If you're not familiar with SQL injection, essentially what it is is this: you go to a website that has a database connected to it, you find any kind of input field, like a login form, and you write SQL code inside that input field. Because the input is sent to the database when we hit the submit button, we can actually run code inside the website's database without being the person who made the website. So if I found a website that was prone to SQL injection, I could essentially go in and destroy the database or extract user information, which means I would now have the username and password of every single user on the website. We need to prevent this from happening to our website, which is why I'm going to show you how to do it as well as how to protect against it, because you need to understand what goes into SQL injection in order to protect against it.

For the past couple of episodes we've been making a comment section that has a login system, so we're going to use that example to show you how to log in to this comment section without knowing the right password for a user, and afterwards I'm going to show you how to protect against it. There are essentially two ways I want to show you: one of them is by using a PHP function, and the second method is by using something called prepared statements, but we'll do that in the next episode.

So let's take this website here. As you can see, I have a login form at the very top, and right now I'm logged in as admin. If I go into the database you can see the users: I have two users, admin and Daniel, and the password is 1234 for both of them. If I go back to the website I can essentially say:

Okay, we might guess that there is a user called admin on this website, so I'm going to keep the username as admin for now. If I try to log in with 1234, just to show you, it now says you're logged in as admin. If I log out again, go back up to the input field, make sure it says admin because that's one of the users, then go into the password field and type single quote, space, or, space, single quote, 1, single quote, equals, single quote, 1 (that is, `' or '1'='1`) and log in, it now says you're logged in as admin even though we did not type in the right password. So I just SQL injected a very basic SQL condition through the password field.

If you don't understand what we just did, I can show you. If you open the code and go into the PHP file where we have the login function for the website, you can see we have a SQL statement in here that we send to the database and execute. Inside our SELECT statement I'm going to retype what I just typed into the password field in place of `$pwd`, which is the variable that receives the password when we log in. If I substitute what I just typed, which was `' or '1'='1`, you can now see that we have a condition that says: the password needs to be equal to whatever is in here, which is now empty, OR 1 needs to be equal to 1. So as long as we have the username and one of these two statements is true, we get logged in, and since 1 is always equal to 1, we get logged in. All the single quotes I typed match up: the first one closes off the `$pwd` value that the query already opened, and the remaining ones open and close the two `1`s, so the query is still syntactically valid and the database happily runs it. This is a problem, because people can essentially go to a website and hack it; we could even destroy the entire database by typing something into the password field. If I chose not just to log in but to close off my statement and then write another SQL statement right behind it that drops all the tables inside my database, then it would ruin my database.

So we need to know how to protect against this, and we can do that directly inside our login function. When we have a login form with these two fields, we need to make sure that the data sent to the function that logs us in has the necessary characters escaped, meaning the characters that are seen as SQL when they are sent to the database. What I mean by that is that there are special characters that have meaning in SQL, and we can escape them so they are now seen as regular characters and not as code anymore.

To do that I'm going to go back here and take our username and password, which are up here and are the values we pass into our SELECT statement, and wrap them in a PHP function. I'm going to write `mysqli_real_escape_string(` and put my `$_POST` value inside the parentheses. Now we need another parameter inside the parentheses, which is the connection to the database, so I'm going to copy my variable `$conn`, which is my connection, and set it as the first parameter, and there we have it. Now I'm going to copy and paste this down for the password and just change the `$_POST` key to the password field, and that's all we have to do. For some people, this is enough to protect a website against SQL injection. But let's say I have a SELECT statement where I can also change the table name by making it dynamic, so it's not fixed anymore but a variable, `$table` or something, that we can change. Then this would not be enough, because a table name is never wrapped in quotes and escaping only deals with quoted values; we would actually need what's called a prepared statement to protect against it, but we're going to talk about that in the next episode.

For now, save this, go back to your website and log out, because we're actually logged in even though we shouldn't be, and let's try to run that SQL injection again, which was `' or '1'='1`. As you can see, you are not logged in, so right now we are protected against a SQL injection through our login form. The same thing applies when we scroll down into our comment section: just to show you, when I'm logged in we can comment down here, and if I were to type the very same thing in there, we could essentially also inject stuff into the database from here. So we want to make sure we do the same for the comment field, which you can see inside our functions file: when we set a comment, we have three variables that get passed to our function by a POST method, and those also need to be escaped. So every single time you pass something that a user, or any kind of person who visits the website, can type in and send to a function that connects to the database, you need to escape the characters. That's how we can protect against it with a small PHP function called mysqli_real_escape_string. In the next episode we'll talk about prepared statements. I hope you enjoyed this episode, and I'll see you next time.
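The whole procedure from this episode, as an added PHP example that is not the tutorial's own code: the vulnerable login query, the same query with `mysqli_real_escape_string` applied, the comment insert with every POSTed value escaped, and the dynamic table name case where escaping does not help. The database name `comments_db`, the `users` and `comments` tables and their column names, the credentials, and the function names are all assumptions made for this example.

```php
<?php
// Added example, not the tutorial's own files. Assumes a MySQL database named
// "comments_db" with a "users" table (username, password columns) and a
// "comments" table (uid, date, message columns); credentials are placeholders.
$conn = mysqli_connect("localhost", "dbuser", "dbpass", "comments_db");
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
// Escaping is charset-aware, so tell the driver which charset is in use
// instead of relying on the server default.
mysqli_set_charset($conn, "utf8mb4");

// VULNERABLE: user input is concatenated straight into the query text.
// With $pwd = "' or '1'='1" the WHERE clause becomes
//   username='admin' AND password='' or '1'='1'
// which is true for every row, so any existing username logs in.
function loginVulnerable(mysqli $conn, string $username, string $pwd): ?array
{
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$pwd'";
    $result = mysqli_query($conn, $sql);
    return $result ? mysqli_fetch_assoc($result) : null;
}

// ESCAPED: each user-supplied value goes through mysqli_real_escape_string()
// before it is placed between quotes. The payload's single quotes become \'
// so the database compares the password column against the literal text
// ' or '1'='1 and no row matches.
function loginEscaped(mysqli $conn, string $username, string $pwd): ?array
{
    $username = mysqli_real_escape_string($conn, $username);
    $pwd      = mysqli_real_escape_string($conn, $pwd);
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$pwd'";
    $result = mysqli_query($conn, $sql);
    return $result ? mysqli_fetch_assoc($result) : null;
}

// The comment form needs the same treatment for every value that arrives
// via $_POST, not just the login fields.
function setComment(mysqli $conn, int $uid, string $date, string $message): bool
{
    $date    = mysqli_real_escape_string($conn, $date);
    $message = mysqli_real_escape_string($conn, $message);
    $sql = "INSERT INTO comments (uid, date, message)
            VALUES ('$uid', '$date', '$message')";
    return mysqli_query($conn, $sql) !== false;
}

// LIMIT of escaping: it only neutralises characters inside a quoted string.
// A value that is never wrapped in quotes (a table name, an ORDER BY column,
// a bare number) stays injectable whether it was escaped or not. Until the
// query is rewritten as a prepared statement, the only safe option for an
// identifier is to compare the input against a fixed list of known names.
function selectFromTable(mysqli $conn, string $table): ?mysqli_result
{
    $allowed = ["users", "comments"];
    if (!in_array($table, $allowed, true)) {
        return null; // refuse anything that is not a known table name
    }
    $result = mysqli_query($conn, "SELECT * FROM $table");
    return $result ?: null;
}

// Constructed demo input: the payload typed into the password field above.
$payload = "' or '1'='1";
$vulnerable = loginVulnerable($conn, "admin", $payload);
$escaped    = loginEscaped($conn, "admin", $payload);
echo "Vulnerable login bypassed: " . ($vulnerable !== null ? "yes" : "no") . "\n";
echo "Escaped login bypassed:    " . ($escaped !== null ? "yes" : "no") . "\n";
```

Escaping works here only because each value sits between single quotes in the query text; `selectFromTable` shows the case the episode warns about, where the table name is never quoted and escaping changes nothing, so a whitelist of known names is used instead. Prepared statements (next episode) handle the quoted cases without the string surgery, but identifiers still need a whitelist even then. Also note that `mysqli_real_escape_string` escapes according to the connection's charset, which is why `mysqli_set_charset` is called right after connecting rather than setting the charset with a raw `SET NAMES` query.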