Preventing injection with prepared statements in PHP - Practice Problems & Coding Challenges

Challenge - 5 Problems
Predict Output (intermediate)
Output of prepared statement execution
What will be the output of this PHP code snippet when executed successfully?
PHP
<?php
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => 'Alice']);
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => 1]);
$result = $stmt->fetchColumn();
echo $result;
?>
A. Alice
B. 1
C. NULL
D. PDOException
💡 Hint
Look at what value is inserted and then selected by id.
🧠 Conceptual (intermediate)
Why use prepared statements?
Which of the following best explains why prepared statements help prevent SQL injection?
A. They run queries faster by caching the entire database.
B. They automatically encrypt all user inputs before running the query.
C. They separate SQL code from data, so user input cannot change the SQL structure.
D. They allow users to write raw SQL directly without restrictions.
💡 Hint
Think about how user input is handled differently with prepared statements.
🔧 Debug (advanced)
Identify the error in prepared statement usage
What error will this PHP code produce when executed?
PHP
<?php
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
$stmt->execute(['name' => 'Bob']);
?>
A. TypeError: execute() expects array with numeric keys
B. No error, inserts 'Bob' successfully
C. SyntaxError: Missing colon in parameter
D. PDOException: SQLSTATE[HY093]: Invalid parameter number
💡 Hint
Check how parameters are passed for positional placeholders.
📝 Syntax (advanced)
Correct syntax for named placeholders
Which option shows the correct way to prepare and execute a statement with named placeholders in PHP PDO?
A.
$stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
$stmt->execute([':name' => 'Eve']);
B.
$stmt = $pdo->prepare('SELECT * FROM users WHERE name = name');
$stmt->execute([':name' => 'Eve']);
C.
$stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?');
$stmt->execute([':name' => 'Eve']);
D.
$stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
$stmt->execute(['name' => 'Eve']);
💡 Hint
Named placeholders require the colon in the execute array keys.
🚀 Application (expert)
Preventing injection in dynamic queries
You want to select users by either 'id' or 'email' depending on user input. Which code snippet safely uses prepared statements to prevent SQL injection?
A.
<?php
$stmt = $pdo->prepare("SELECT * FROM users WHERE $filter = :value");
$stmt->execute([':value' => $input]);
?>
B.
<?php
if ($filter == 'id') {
  $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :value');
} else {
  $stmt = $pdo->prepare('SELECT * FROM users WHERE email = :value');
}
$stmt->execute([':value' => $input]);
?>
C.
<?php
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id OR email = :email');
$stmt->execute([':id' => $input, ':email' => $input]);
?>
D.
<?php
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ? OR email = ?');
$stmt->execute([$filter, $input]);
?>
💡 Hint
Think about how to avoid injecting the column name directly from user input.