nijjwal · March 31, 2015 10:12
diff --git a/sqlinjection-prevention.php b/sqlinjection-prevention.php
 <?php

 require 'pdo.php';

 //1. Create an instance of connection
 //$pdo_obj = new Connection();


 //2. Connect to the server + db
 try
 {
 	$connection = connect();
 }catch(Exception $e){
 	echo $e->getMessage();
 }

 //3. Imagine that you are getting input from user
 //We will use this string for injecting vulnerable code
 $email = "[email protected]";
 $id = "2";



 //4. Prepare sql query 
 $sql = "SELECT * FROM USER WHERE email = ? AND id = ?";
 //$sql = "SELECT * FROM USER Where id =:id";

 echo $sql;


 //5. Prepare, bindParam, execute, and display
 	$stmt = $connection->prepare($sql);

 	//1 and 2 refer to the parameter number in the sql query
 	//http://php.net/manual/en/pdostatement.bindvalue.php
 	$stmt->bindValue(1, $email, PDO::PARAM_STR);
 	$stmt->bindValue(2, $id, PDO::PARAM_INT);


 	$stmt->execute();
 	$arrValues = $stmt->fetchAll(PDO::FETCH_ASSOC);
 	var_dump($arrValues);

 	//If the db returns some result
 	if($arrValues)
 	{
 		echo "<table border='1px'>\n";
 	
 			echo "<tr>\n";
 			foreach ($arrValues[0] as $key => $useless){
 			    echo "<td>$key</td>";
 			}
 			echo "</tr>\n";

 			//display data
 			foreach($arrValues as $rows)
 			{
 				echo "<tr>";
 					foreach($rows as $key=>$value)
 					{
 						echo "<td>".$value."</td>";
 					}
 				echo "</tr>";
 			}

 		echo "</table>";
 	}
 	else
 	{
 		echo "<br/>No results were found!";
 	}

 	$connection = null;

 	

 ?>
	<?php

	require 'pdo.php';

	//1. Create an instance of connection
	//$pdo_obj = new Connection();


	//2. Connect to the server + db
	try
	{
	$connection = connect();
	}catch(Exception $e){
	echo $e->getMessage();
	}

	//3. Imagine that you are getting input from user
	//We will use this string for injecting vulnerable code
	$email = "[email protected]";
	$id = "2";



	//4. Prepare sql query
	$sql = "SELECT * FROM USER WHERE email = ? AND id = ?";
	//$sql = "SELECT * FROM USER Where id =:id";

	echo $sql;


	//5. Prepare, bindParam, execute, and display
	$stmt = $connection->prepare($sql);

	//1 and 2 refer to the parameter number in the sql query
	//http://php.net/manual/en/pdostatement.bindvalue.php
	$stmt->bindValue(1, $email, PDO::PARAM_STR);
	$stmt->bindValue(2, $id, PDO::PARAM_INT);


	$stmt->execute();
	$arrValues = $stmt->fetchAll(PDO::FETCH_ASSOC);
	var_dump($arrValues);

	//If the db returns some result
	if($arrValues)
	{
	echo "<table border='1px'>\n";

	echo "<tr>\n";
	foreach ($arrValues[0] as $key => $useless){
	echo "<td>$key</td>";
	}
	echo "</tr>\n";

	//display data
	foreach($arrValues as $rows)
	{
	echo "<tr>";
	foreach($rows as $key=>$value)
	{
	echo "<td>".$value."</td>";
	}
	echo "</tr>";
	}

	echo "</table>";
	}
	else
	{
	echo "<br/>No results were found!";
	}

	$connection = null;



	?>