PHP programming (~5 mins)

How SQL injection exploits unsafe queries in PHP - Quick Revision & Summary

Recall & Review
[beginner] What is SQL injection?
SQL injection is a security attack where a bad user adds harmful SQL code into a query to trick the database into doing things it shouldn't, like giving secret data or changing information.
[beginner] Why are unsafe SQL queries vulnerable to injection?
Unsafe queries mix user input directly into SQL commands without checking or cleaning it. This lets attackers add extra commands that the database runs, causing harm.
[beginner] Example of unsafe PHP SQL query using user input
In PHP, writing:
    $query = "SELECT * FROM users WHERE name = '" . $_GET['name'] . "'";
is unsafe because the user can add SQL code inside the 'name' input.
[intermediate] How does an attacker exploit an unsafe query?
The attacker types SQL code into input fields. For example, entering ' OR '1'='1' can change the query to always be true, showing all data instead of just one user.
[beginner] What is a simple way to prevent SQL injection in PHP?
Use prepared statements with placeholders. This keeps user input separate from SQL code, so the database treats it only as data, not commands.
What does SQL injection allow an attacker to do?
A. Encrypt user passwords automatically
B. Speed up database queries
C. Run harmful SQL commands through user input
D. Backup the database safely
Which PHP code is unsafe and vulnerable to SQL injection?
A. $query = "SELECT * FROM users WHERE name = '" . $_GET['name'] . "'";
B. Escaping user input properly
C. Using prepared statements with bind parameters
D. $query = "SELECT * FROM users WHERE id = ?";
What is a common sign of an SQL injection attack in a query?
A. User input contains SQL keywords like OR or --
B. Query runs faster than usual
C. Database connection fails
D. User input is empty
How do prepared statements help prevent SQL injection?
A. They speed up the database server
B. They delete harmful data automatically
C. They encrypt the database
D. They separate SQL code from user data
Which of these is NOT a good practice to avoid SQL injection?
A. Using prepared statements
B. Directly inserting user input into SQL queries
C. Validating and sanitizing user input
D. Limiting database user permissions
Explain in your own words how SQL injection exploits unsafe queries.
Think about how mixing user input and SQL code can be dangerous.
Describe a simple PHP example of an unsafe SQL query and how it can be fixed.
Focus on how user input is included in the query.