Post12: Database driven website risk

Last week was filled with midterm exams, except for the PHP class, where we had a PHP Questions Contest that served as a review of what we had covered in class. The strong similarity between JavaScript and PHP makes the essential skills easy to master and apply. Moving on to using classes and objects to communicate with the database is where the PHP language stands out. As I mentioned before, using PDO to communicate with the database makes our web application cross-platform, so it works with any type of database (SQL Server, Oracle, or MySQL).

In database-driven websites, SQL injection is considered one of the most dangerous risks to our data. For that reason, we need to pay attention to this risk at the point where we receive user input and try to insert it into a table.

Ex:

Suppose we have a PHP variable called $name that is in charge of receiving the value of the full-name input element in the contact-us form:

$name = $_GET["FullName"];

A user can type a SQL statement that affects tables in our database; for example, the value of the FullName input field could be: drop table…

So we can avoid this problem by using PDO::prepare, which sends the query and the user's value to the database separately instead of pasting the value into the SQL text.
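As an added example (not code from the original post), here is the unsafe string-interpolation insert beside the PDO::prepare version. It assumes an in-memory SQLite database via PDO so it runs without a database server; the contacts table and the sample name are constructed for the demonstration.

```php
<?php
// Added example: unsafe interpolation vs. PDO::prepare (not the original post's code).
// Assumption: an in-memory SQLite database so the script runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, full_name TEXT NOT NULL)');

// Constructed input standing in for $_GET["FullName"]. The apostrophe is the
// same character an injected statement relies on to break out of the quotes.
$name = "O'Brien";

// UNSAFE: the value is pasted into the SQL text, so the apostrophe changes the
// structure of the statement instead of being stored as data.
function insertUnsafe(PDO $pdo, string $name): bool
{
    try {
        $pdo->exec("INSERT INTO contacts (full_name) VALUES ('$name')");
        return true;
    } catch (PDOException $e) {
        echo "Unsafe insert failed: " . $e->getMessage() . "\n";
        return false;
    }
}

// SAFE: PDO::prepare fixes the query shape first; the bound value can only
// ever be treated as data, whatever characters it contains.
function insertSafe(PDO $pdo, string $name): bool
{
    $stmt = $pdo->prepare('INSERT INTO contacts (full_name) VALUES (:full_name)');
    $stmt->bindValue(':full_name', $name, PDO::PARAM_STR);
    return $stmt->execute();
}

insertUnsafe($pdo, $name); // fails with a syntax error: the quote broke the SQL
insertSafe($pdo, $name);   // stored verbatim as O'Brien

foreach ($pdo->query('SELECT full_name FROM contacts') as $row) {
    echo $row['full_name'] . "\n";
}
```

The same quote that merely breaks the unsafe insert here is what lets an attacker append their own statement; with the prepared statement the value never reaches the SQL parser as code.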