geneowak's avatar

geneowak liked a comment+100 XP

1w ago

Download all

I'd honestly just prefer not to. Some other sites don't allow you to download videos at all.

geneowak's avatar

geneowak liked a comment+100 XP

2w ago

PHP For Beginners: Ep 20, SQL Injection Vulnerabilities Explained

@artourzy I completely agree. However, after doing some research, I think I understand it now - see below.

When you send a query to the SQL Server using the prepare() method, it is treated as executable SQL code by the SQL Server and is parsed accordingly (technically, what is sent is a template, but let's ignore that for now). In the received query, any unspecified parameter values (denoted by placeholders like '?' or ':id', for example) are noted by the SQL Server and expected to be provided later. So, after parsing the query, the SQL Server "understands" what it has to do, and it is prepared to perform the required operations, awaiting only the input of the missing "dumb" parameter values.

Therefore, when you provide the parameter values using the execute() method, the SQL Server does NOT re-parse the received data as SQL code. Instead, those values will be treated as strings and will be used for the parameters in the already prepared operations. For example, if you pass 'DROP TABLE users' as a parameter value, it will be treated as a "dumb" series of characters, nothing more. It will not be re-interpreted or executed as SQL code or a series of commands.

This ensures any user input is handled safely as "dumb data", preventing it from being executed as SQL code.

I recommend these articles: https://www.w3schools.com/php/php_mysql_prepared_statements.asp https://www.php.net/manual/en/pdo.prepare.php https://www.php.net/manual/en/pdostatement.execute.php