
PHP › PHP & Databases with PDO › PDO Database Security › Filter Input, Escape Output

Can I please see the code that you have to paste into the URL to see the version?

testing

3 Answers

Sean T. Unwin
28,690 Points

phpinfo.php

An example is if you're using XAMPP, you would type, http://localhost/xampp/phpinfo.php in the address bar.

He is talking about SQL injection :P

?id=-2%20union%20select%20sqlite_version(),%20sqlite_version(),%20sqlite_version(),%20sqlite_version(),%20sqlite_version(),%20sqlite_version(),%20sqlite_version(),%20sqlite_version(),%20sqlite_version(),%20sqlite_version(),%20sqlite_version(),%20sqlite_version(),%20sqlite_version()

In the first part of the modification to avoid SQL injection, id is converted to an integer. Therefore the test at the end is not very impressive, because the intval already takes care of the malicious code. It cannot be executed anymore.

To demonstrate that prepare helps against SQL injection, the two modifications should be tested one after another and independently of each other.

That would be more convincing, especially to people who want to save strings to the database. Prepare escapes them and thus makes them secure.
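To show the two fixes from this answer tested independently, here is an added example that is not part of the course or of any post in this thread. It assumes an in-memory SQLite database with a constructed `products` table, and a hostile `id` value shaped like the query string posted above (shortened to three columns).

```php
<?php
// Added example (not from the course or the thread): each fix discussed
// above is exercised on its own against the same hostile ?id= value.
// The table, its columns and the sample rows are constructed for this demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$pdo->exec("INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99)");

// Constructed hostile input of the same shape as the posted query string:
// a negative id followed by a UNION that would append extra rows.
$hostile = '-2 union select sqlite_version(), sqlite_version(), sqlite_version()';

// Fix 1: filter input. intval() keeps only the leading integer, so the
// UNION clause never reaches the SQL string at all.
function findByIntval(PDO $pdo, string $rawId): array
{
    $id = intval($rawId); // '-2 union ...' becomes the integer -2
    return $pdo->query("SELECT * FROM products WHERE id = $id")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 2: prepared statement. The value travels separately from the SQL
// text, so the whole string is compared against id as data and is never
// parsed as SQL, even though nothing in it was filtered or cast.
function findByPrepare(PDO $pdo, string $rawId): array
{
    $stmt = $pdo->prepare('SELECT * FROM products WHERE id = :id');
    $stmt->execute([':id' => $rawId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Run each fix independently, as the answer above suggests.
// Neither path yields a product row for the hostile value: intval turns it
// into -2 (no such id) and the prepared statement treats it as a literal
// string that matches no integer id.
var_dump(findByIntval($pdo, $hostile));
var_dump(findByPrepare($pdo, $hostile));

// A legitimate id still works through the prepared path: SQLite applies the
// column's integer affinity to the bound string '2', so the Gadget row matches.
var_dump(findByPrepare($pdo, '2'));
```

Running the script needs only PHP with the pdo_sqlite extension; swap the `intval` path out and the prepared path still holds on its own, which is the independent test the answer asks for.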