🔴 Advanced · Lesson 36
SQL Injection Prevention
What is SQL Injection?
SQL injection happens when attacker-controlled input is pasted into the text of a SQL query, so the database parses the input as part of the query instead of treating it as a value. The attacker can then change what the query does: read other users' rows, bypass a login check, or modify data. Injection has sat at or near the top of the OWASP Top 10 for years.
The Dangerous Way
// NEVER do this - input glued into SQL
$id = $_GET["id"];
$pdo->query("SELECT * FROM users WHERE id = $id");
// id = "1 OR 1=1" returns ALL users!
The Safe Way: Prepared Statements
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$_GET["id"]]);
$user = $stmt->fetch();
// input treated as data only - injection blocked
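The two snippets above side by side, as an added example that is not part of the original lesson. It runs offline against an in-memory SQLite database with constructed sample rows (the lesson's $_GET["id"] is replaced by a fixed $input value), and the helper names vulnerableLookup, safeLookup and listUsersSortedBy are assumptions for this example. The third helper shows the caveat the lesson does not cover: placeholders bind values only, so an identifier such as a sort column has to be checked against an allow-list instead.

```php
<?php
// Added example, not code from the original lesson.
// Requires php with the pdo_sqlite extension; everything below is in-memory.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data for the demonstration.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name, role) VALUES (1, 'alice', 'admin'), (2, 'bob', 'user'), (3, 'carol', 'user')");

// The attacker-controlled value; in the lesson this arrives as $_GET["id"].
$input = '1 OR 1=1';

// Dangerous: the value becomes part of the SQL text, so "OR 1=1" is parsed as SQL.
function vulnerableLookup(PDO $pdo, string $id): array
{
    $rows = $pdo->query("SELECT id, name FROM users WHERE id = $id");
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare() time; the value is sent separately
// and can only ever be compared against the id column as data.
function safeLookup(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholders cannot stand in for identifiers. A user-chosen sort column
// must be matched against a fixed allow-list before it is put into the query.
// (Assumed helper for this example, not part of the lesson.)
function listUsersSortedBy(PDO $pdo, string $column): array
{
    $allowed = ['id', 'name', 'role'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("sort column not allowed: $column");
    }
    $stmt = $pdo->query("SELECT id, name FROM users ORDER BY $column");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("vulnerable: %d row(s)\n", count(vulnerableLookup($pdo, $input))); // 3: every user leaked
printf("prepared:   %d row(s)\n", count(safeLookup($pdo, $input)));       // 0: '1 OR 1=1' matches no id
printf("sorted:     %s\n", implode(',', array_column(listUsersSortedBy($pdo, 'name'), 'name')));

try {
    listUsersSortedBy($pdo, 'name; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The prepared query returns no rows because the bound string '1 OR 1=1' is compared, as a whole, against the integer id column and never matches; it is not re-parsed as SQL. Against MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the driver uses real server-side prepared statements rather than quoting the values client-side.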
Summary
- Never glue user input directly into SQL, and do not rely on escaping or input filtering as the only defence.
- Use PDO prepared statements with ? or :named placeholders; the value is sent separately from the query text and stays data.
- Placeholders bind values only. Table names, column names and ORDER BY direction cannot be parameterised; check those against a fixed allow-list.