MySQL + SQL · Lesson 109

SQL Injection and Prevention

What is SQL Injection?

SQL injection is an attack in which an attacker supplies input (a form field, a URL parameter, a header) crafted so that the database parses part of it as SQL instead of treating it as plain data. It is one of the most common and most damaging web vulnerabilities: a successful injection can bypass authentication, read or modify other users' rows, or, depending on privileges, alter the schema.

How it Happens

If a login query is built by joining strings, for example "SELECT * FROM users WHERE email = '" . $email . "' AND password = '" . $password . "'", then a user typing ' OR '1'='1 as the password turns the query into ... AND password = '' OR '1'='1', which is always true, so a row is returned and the password check is bypassed. The danger is mixing user input directly into the SQL text: the database cannot tell where the query ends and the data begins.

The Fix: Prepared Statements

// PHP PDO - safe
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
$stmt->execute([$email]);
The ? placeholder keeps user input as data, never as runnable SQL: the query text and the values are sent to the database separately, so a value such as ' OR '1'='1 is compared as a literal string and never changes the query's structure. Two caveats: placeholders bind values only, so table names, column names and keywords (for example an ORDER BY column chosen by the user) cannot be parameterized and must be checked against a fixed allow-list; and the protection only holds if every query uses placeholders, including the one-off queries in admin pages and reports.
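The following is an added example, not code from the lesson: it runs the vulnerable string-glued login and the parameterized one side by side against a throwaway database, so you can see the ' OR '1'='1 bypass succeed against one and fail against the other. It uses Python's built-in sqlite3 module standing in for MySQL (an assumption made so the example runs offline; the query shapes and the attack are the same), and it goes one step beyond the lesson by showing the allow-list check needed where placeholders cannot be used (a user-chosen sort column). The table, user and password are constructed sample data.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database stands in for MySQL.
# The password is stored in plain text only to keep the demo short; real
# systems store a password hash and compare it in application code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users (email, password) VALUES ('alice@example.com', 'correct-horse')")
    conn.commit()
    return conn


def build_vulnerable_sql(email, password):
    # The pattern the lesson warns about: user input glued into the SQL text.
    return ("SELECT id FROM users WHERE email = '" + email
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, email, password):
    # The database parses whatever the attacker typed as part of the query.
    row = conn.execute(build_vulnerable_sql(email, password)).fetchone()
    return row is not None


def login_safe(conn, email, password):
    # ? placeholders: query text and values travel separately, so the values
    # are compared as literal strings and can never change the query structure.
    row = conn.execute(
        "SELECT id FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row is not None


# Placeholders cannot bind identifiers, so a user-chosen column name must be
# checked against a fixed allow-list before it is spliced into the query.
ALLOWED_SORT_COLUMNS = {"id", "email"}


def list_emails_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: " + repr(sort_column))
    rows = conn.execute("SELECT email FROM users ORDER BY " + sort_column).fetchall()
    return [r[0] for r in rows]


def demo():
    conn = make_db()
    payload = "' OR '1'='1"  # the lesson's bypass string, entered as the password
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice@example.com", "correct-horse"),
        "vulnerable_attack": login_vulnerable(conn, "alice@example.com", payload),
        "safe_valid": login_safe(conn, "alice@example.com", "correct-horse"),
        "safe_attack": login_safe(conn, "alice@example.com", payload),
        "attack_sql": build_vulnerable_sql("alice@example.com", payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=>", value)
```

Running it shows vulnerable_attack is True (the attacker is logged in without the password) while safe_attack is False, and attack_sql prints the rewritten query so you can see the stray OR '1'='1' that did the damage. The same two behaviours hold for PHP PDO with emulated or native prepares; the driver differs, the principle does not.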

Summary

  • SQL injection runs attacker SQL via input fields.
  • Prevent it with prepared statements / parameterized queries — never glue user input into SQL.