still can't imagine why u have low number of subscribers, you deserve more
Thank you. We've only in the last few months begun publishing to TH-cam consistently. Before that, it was incredibly rare.
@@Laracastsofficial I definitely owe my love for web developing to u
Thank you Jeff! 🙌🏾 you are such a great instructor man.
Hey, I really enjoyed this as a PHP beginner. Massive respect for the instructor, Jeff!
Thanks that is.
Thank you Jeff! You are the best instructor on earth! 🌎
That said, here I am watching the videos directly from Brazil.
Very detailed explanation! I mean, I know we need to always secure everything, but I also need to know why and how the logic works. Thank you!
Thank you
please create a series in php design patterns
We already have that on laracasts: laracasts.com/series/design-patterns-in-php
Just wondering about injecting DROP and other potentially dangerous commands. If we create a new user for the public to use without privileges to do those things, would those injections still pose a security threat?
Using a separate less-privileged user would be the second part of avoiding sql injection which Jeff did not discuss but yes that would also do the job. It doesn't hurt to have both security measures in place. Better than not
Laracast 🙋♂️
Hi. I couldn't understand why it worked. Can you please clarify, as we are still passing the same $id value in the execute()?
The $id in the execute statement is bound to the question mark, aka prepared statements.
In other words, what Jeffrey is trying to say: whatever query you are executing, always use prepared statements if that query has to accept parameters...
Never ever trust user input at all...
For a simple "SELECT * FROM users" you won't need prepared statements, because you are not accepting any parameters. That is also the reason why he defaults the "query" method's "$params" to an empty array, so that simple queries will also work.
Damn guys, you suck at explanations. I don't work with PHP, but I assume it works because "execute" applies multiple rules to make sure the query is safe, like what would be the appropriate value for the "?" spot, stripping any other SQL commands after this value was found, etc. It does not just insert the string in place of "?".
@@Sir.Azazello XD
@@Sir.Azazello You are specifically binding only the id query; any other queries are ignored. The semicolon after the id=2 ends that query, and the following query 'drop table users' is not used.
👍
Sneaky sneaky 🐌
How about $id = intval($_GET['id']); and then inlining it into the query? It looks safe to me, doesn't it?
Yes, it is an extra safety layer to use intval() for the id. However, in the future you will not only get an id from the database, you will also want to search on a user name, or you will even put a new username in the database. Once you come to the point of hundreds of different queries, you will most likely forget to sanitize the params in one place. Therefore it is best to always split the params from the query string.
Yes - but the idea is that you will inevitably forget or miss one. Better to not risk it. No inlining.
Never inline user data into query strings 👍
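The binding behaviour described in the replies above (the value goes into the "?" or ":id" slot as one opaque value, and a plain query with no params still works) can be checked offline. This is an added example, not the course's Database class; it uses an in-memory SQLite PDO connection and a constructed users table, and the hostile $_GET-style input is made up for the demonstration.

```php
<?php
declare(strict_types=1);

// Minimal wrapper in the style the thread discusses (added example, not
// the course's own code). $params defaults to [] so "SELECT * FROM users"
// with no parameters works through the same method.
final class Database
{
    private PDO $connection;

    public function __construct(PDO $connection)
    {
        $this->connection = $connection;
    }

    // prepare() fixes the statement's shape first; execute() then supplies
    // the values. A bound value can only ever be data, never more SQL.
    public function query(string $query, array $params = []): PDOStatement
    {
        $statement = $this->connection->prepare($query);
        $statement->execute($params);
        return $statement;
    }
}

// Constructed in-memory database so the example runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
$db = new Database($pdo);

// Positional placeholder: the whole string is compared against id as a single
// literal. Nothing after the semicolon is parsed, so no row matches and the
// table is left alone.
$hostile = '2; DROP TABLE users';   // constructed, stands in for $_GET['id']
$rows = $db->query('SELECT * FROM users WHERE id = ?', [$hostile])->fetchAll(PDO::FETCH_ASSOC);

// Named placeholder: the array key must match the :name token in the SQL.
$row = $db->query('SELECT name FROM users WHERE id = :id', ['id' => 2])->fetch(PDO::FETCH_ASSOC);

// No parameters: the empty default array keeps simple queries working.
$all = $db->query('SELECT * FROM users')->fetchAll(PDO::FETCH_ASSOC);

// Confirm the users table still exists after the hostile query ran.
$tables = $pdo->query("SELECT name FROM sqlite_master WHERE type = 'table'")
              ->fetchAll(PDO::FETCH_COLUMN);

var_dump(count($rows), $row, count($all), in_array('users', $tables, true));
```

If you swap in a MySQL DSN, keep PDO::ATTR_EMULATE_PREPARES in mind: with emulation off the server itself parses the statement and binds the values, which is the behaviour this example relies on.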
Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?' at line 1 in D:\laragon\www\blog\Database.php:14 Stack trace: #0 D:\laragon\www\blog\Database.php(14): PDOStatement->execute() #1 D:\laragon\www\blog\index.php(9): Database->query('select * from p...') #2 {main} thrown in D:\laragon\www\blog\Database.php on line 14
I can't figure it out
I imagine you are a beginner in programming and, even if you are not, here is an excellent tip:
Whenever you have doubts about a certain piece of code and/or an error, paste it into ChatGPT and see the explanation regarding its functionality or reason. I usually use this structure:
=[index.php]====
// code
=[Error]=========
// error that is being displayed
In your case, it would be something like:
=[index.php]=======
// your code
=[Database.php]=====
// your code
=[Error]===========
Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?' at line 1 in D:\laragon\www\blog\Database.php:14 Stack trace: #0 D:\laragon\www\blog\Database.php(14): PDOStatement->execute() #1 D:\laragon\www\blog\index.php(9): Database->query('select * from p...') #2 {main} thrown in D:\laragon\www\blog\Database.php on line 14
P.S.: I'm using Google Translate, so I imagine something might be wrong, lol.
I did everything the same but am getting this error if I use the ? or :id method. What to do? Can anybody help?
Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ':id' at line 1 in C:\xampp\htdocs\demo\Database.php:17 Stack trace: #0 C:\xampp\htdocs\demo\Database.php(17): PDOStatement->execute() #1 C:\xampp\htdocs\demo\index.php(9): Database->query(Object(PDOStatement), Array) #2 {main} thrown in C:\xampp\htdocs\demo\Database.php on line 17
I changed the query function and now it's working. Is it the right approach?
// Prepare the SQL text first, then bind the values at execute time.
public function query($s, $data = null)
{
    $s = $this->connection->prepare($s);
    $s->execute($data); // null is accepted when the query has no placeholders
    return $s;
}
@@hassanrezve7269 Where did you use the data variable?