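<?php

declare(strict_types=1);

/*
 * Demo script: the same email input is sent to SQLite three ways —
 * (1) validated and bound to a prepared statement, (2) bound to a prepared
 * statement without validation, (3) interpolated into the SQL text.
 * Only the third path lets the payload run as SQL.
 */

/**
 * Run the shared SELECT and dump every row of the user table.
 *
 * @throws PDOException when the statement can no longer execute
 *                      (in this demo: after the table has been dropped)
 */
function dump_users(PDOStatement $select_stmt): void
{
    $select_stmt->execute();
    var_dump($select_stmt->fetchAll());
}

echo "setup begin\n";
$pdo = new PDO('sqlite::memory:');
// Fail loudly: every PDO error becomes a PDOException instead of a false return.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
$user_table = 'CREATE TABLE user ( user_id INTEGER NOT NULL, email TEXT NOT NULL, PRIMARY KEY (user_id), UNIQUE (email) )';
$pdo->exec($user_table);
$select_stmt = $pdo->prepare('SELECT * FROM user');
$insert_stmt = $pdo->prepare('INSERT INTO user (email) VALUES (?)');
$_POST['email'] = 'bobby@tables.com'; // simulated request input for the demo
echo "setup end\n\n";

echo "validate email & prepared statement begin\n";
// Validate at the boundary: filter_var() yields false for a missing or malformed address.
$email = filter_var($_POST['email'] ?? false, FILTER_VALIDATE_EMAIL);
if ($email === false) {
    throw new InvalidArgumentException('A valid email address is required.');
}
$insert_stmt->execute([$email]);
dump_users($select_stmt);
echo "validate email & prepared statement end\n\n";

echo "prepared statement handles injection begin\n";
$email = "'little_bobby@tables.com'); DROP TABLE user; --";
// Bound as a value: the whole string is stored in the email column; none of it is executed.
$insert_stmt->execute([$email]);
dump_users($select_stmt);
echo "prepared statement handles injection end\n\n";

echo "string query fails injection begin\n";
$email = "'little_bobby@tables.com'); DROP TABLE user; --";
// DELIBERATE NEGATIVE EXAMPLE: the input is spliced into the statement text, so the
// embedded DROP TABLE runs as SQL. The bound-parameter form above is the correct one.
// The failure is caught so the demo reports the outcome instead of aborting before
// its closing marker (the original let the PDOException escape here).
try {
    $pdo->exec("INSERT INTO user (email) VALUES ({$email})");
    dump_users($select_stmt);
} catch (PDOException $e) {
    echo 'query after string-built INSERT failed: ', $e->getMessage(), "\n";
}
echo "string query fails injection end\n\n";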
