Sql injection attack

This article is tagged with: Sql injection attack and mysql

sql injection attack

With PDO prepared statements the value is bound as a parameter and never spliced into the SQL text, so whatever the string contains is stored as data rather than parsed as part of the query. The connection details below are placeholders; the original snippet's garbled fourth constructor argument is the driver options array.

<?php
// Placeholder connection details; replace with your own.
$dsn      = 'mysql:host=localhost;dbname=my_db;charset=utf8mb4';
$username = 'dbuser';
$password = 'dbpass';
$options  = [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the MySQL server prepare the statement
];
$value = "your value here";

try {
    $pdo = new PDO($dsn, $username, $password, $options);
} catch (\PDOException $e) {
    echo 'Connection Failed: ' . $e->getMessage();
    exit;
}

// `?` is a positional placeholder; the value is sent separately from the SQL.
$sql  = "INSERT INTO `my_db` SET `field` = ? ";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(1, $value, PDO::PARAM_STR);
$stmt->execute();
$stmt = null; // release the statement handle

sql injection

The payload below is aimed at code that concatenates user input into a double-quoted string literal (MySQL treats "..." as a string literal by default), as in a login check of the form WHERE user = "<user>" AND pass = "<pass>". Entering it as the password closes the literal early and appends a condition that is always true:

" or ""="

The condition then reads AND pass = "" or ""="", and because AND binds tighter than OR the clause matches every row, so the login succeeds without a valid password. The same payload with single quotes works against queries that use '...' literals.

mitigation of sql injection

Placeholders can only carry values. They cannot supply an identifier such as a table or column name, or a keyword such as the ASC/DESC of an ORDER BY. When such a fragment must depend on user input, map the input onto a fixed set of known-good strings and reject anything else, instead of concatenating the raw value:

String tableName;
switch (param) {
    case "Value1":
        tableName = "fooTable";
        break;
    case "Value2":
        tableName = "barTable";
        break;
    ...
    default:
        throw new InputValidationException("unexpected value provided");
}

Only the mapped constant ever reaches the SQL string; the values that go with it are still bound as parameters.
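The following is an added example, not code from the original page, covering both the payload above and the allow-list mitigation. It uses Python's standard sqlite3 module with an in-memory database so it runs offline; because SQLite uses single-quoted string literals, the payload is written as ' or ''=' rather than the MySQL-style " or ""=" shown above, and the table names, users and passwords are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from any real system).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Allow-list for the one thing a placeholder cannot carry: the table name.
# Keys are the values a client may send; values are the real identifiers.
ALLOWED_TABLES = {"Value1": "fooTable", "Value2": "barTable"}


def setup_db():
    """In-memory SQLite database with a users table and two report tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    con.execute("CREATE TABLE fooTable (id INTEGER)")
    con.execute("CREATE TABLE barTable (id INTEGER)")
    con.executemany("INSERT INTO fooTable VALUES (?)", [(1,), (2,), (3,)])
    con.executemany("INSERT INTO barTable VALUES (?)", [(1,)])
    return con


def vulnerable_login(con, name, password):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND pass = '" + password + "'")
    return [row[0] for row in con.execute(sql)]


def safe_login(con, name, password):
    """Parameterised query: the input is only ever a string value."""
    sql = "SELECT name FROM users WHERE name = ? AND pass = ?"
    return [row[0] for row in con.execute(sql, (name, password))]


def table_for(param):
    """Map untrusted input to a fixed identifier; reject everything else."""
    try:
        return ALLOWED_TABLES[param]
    except KeyError:
        raise ValueError("unexpected value provided") from None


def count_rows(con, param, min_id):
    """Identifier from the allow-list, value through a placeholder."""
    table = table_for(param)  # raises ValueError on anything not on the list
    sql = "SELECT COUNT(*) FROM " + table + " WHERE id >= ?"
    return con.execute(sql, (min_id,)).fetchone()[0]


if __name__ == "__main__":
    con = setup_db()
    payload = "' or ''='"  # the page's payload with single-quote delimiters
    # Concatenated query: WHERE name = 'x' AND pass = '' or ''='' -> every row.
    print(vulnerable_login(con, "x", payload))
    # Parameterised query: the payload is compared as a literal password -> [].
    print(safe_login(con, "x", payload))
    print(count_rows(con, "Value1", 2))
    try:
        count_rows(con, "users; DROP TABLE users", 0)
    except ValueError as e:
        print("rejected:", e)
```

Running the script shows the concatenated query returning both users for a bogus name and the payload as password, while the parameterised version returns nothing; the allow-list function raises for any table value it does not know, so the attacker-controlled string never reaches the SQL.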
