In my years of experience with web development, I finally see that someone shows a practical example of why not using prepared statements is a bad idea. Without too much talking, right to the point.
You might say "oh, but there are countless tutorials out there" - not a lot of them are understandable enough. Stop talking so much, show me a proof of concept and off we go. This is one of them - practical examples, no fuss. If developers were to stick to the point and show proofs of concept, they could rake in thousands for their tutorials.
This is underrated.
Thank you so much 🙏
This was extremely comprehensive and useful. A lot of tutorials just assume that stuff will work, but this actually goes into the stuff that could go wrong and why.
Happy to hear that, thank you
This PHP course is the BEST around without any shadow of doubt!!!
Thank you 🙏
So far, the best explanation and demonstration of the sql injection mechanism.
Thank you 🙌
The first video I've come across that really shows what query injection is and why it's dangerous
Glad you like it, thank you
Great example of SQL injection and the use of PHP PDO overall. I did not know about ATTR_EMULATE_PREPARES, that's really good stuff
One of the best explanations of PHP PDO
Thank you
Every time I re-watch this video, I am stunned by your dexterity, Gio. Thanks. Many points you made addressed issues that have long repeatedly hurt me. I appreciate
Really glad to hear that. Thank you Adolf 🙌
Enjoyed every video you have made in this series; the way you explain is rare in many tutorials.
Love you brother ❤️❤️❤️
Thank you so much ❤️❤️❤️
Everything in this course is GREAT 😎
Thank you 💙
This channel helped me improve my skills drastically. Thanks!
Happy to hear this 💙
This was extremely informative and useful. I know how to parameterize queries in C# and Python, and was surprised at how different it is to do in PHP. This very clearly explains a lot and I love the injection example. This video allowed me to go from the unsecured stone age of regex-replace to something secure I can be happy with.
Glad it was helpful, thank you 💙
Awesome series, haven’t seen anyone like you. Keep it up :)
Thank you 🙌
Copied some prepared statements in my small procedural php application. Knew that it helped with something called SQL injection but I didn't understand it. Then, I didn't know about the named arguments. I had question marks (?) all over the place. I was having to count them to be sure I had enough when things didn't work. Wow.
This is a lot to take in. Even my computer knows that I'm learning many new things 😂. I want to watch again and again, but since I'm close to the end of section 2, I'm going to move on. I'll be back! (Terminator voice). Thanks Gio
You're welcome 💙💙
Wow. That SQL injection explanation is awesome.. thank you
Going into the source code of the PDO extension to see if the ":" colon was optional or not was just 👌🏻☺ I like that
Heh, glad you liked that 💙
Thank you for this video, PDO explained vividly
You're welcome, glad you enjoyed it
GIO are you a teacher?
A wonderfully organized lesson with essential material!
Again, great explanation of PDO connection and setup via Docker :)
Recommended!
No I'm not, this is actually my first attempt at teaching if you can believe it. Thank you very much, it means a lot 💙
@@ProgramWithGio You are doing great! You were born to do it. I enjoy watching your tutorials. Thank you!
@@tedybg thank you, that means a lot. Glad you like it 🙌💙
I like how you explain SQL injection. Awesome. I hope you will have a series on web security when writing PHP, such as SQL injection, CSRF, XSS etc.
Thank you. We'll touch some security related topics in 3rd section
You're awesome! I've just commented here about a tiny typo: when using date you put it as "Y-m-d H:m:s", but minutes are not `m`, this will write the month. It is `i`, as you know. Thank you very much again.
Thank you, yeah, typed too fast :)
Thanks man for the explanation.
Waiting for part 2 💪
Wow , Nice Explanation Sir. ❤️
The great Gio for ever ♥️♥️♥️
Great explanation , thank you
You are welcome!
Thanks man, this explanation was very useful!
Glad it helped 🙌
A very detailed in-depth explanation. Besides php documentation is there any other resource that would help to grasp all these concepts at such an in-depth level? Thank you in advance !!
phpdelusions is a nice site
I found your channel yesterday and it seems great! Are your actual videos sufficient to get started with Laravel (if I watch all and code until the last one)?
Also amazing work!!
Thank you. You could get started with Laravel even without watching my lessons, Laravel is just that awesome :). That being said though, watching these lessons will definitely help you understand Laravel better & make it easier to understand some of that hidden magic. And that applies to any other framework, not just Laravel. If I was starting out & had the time, I would first learn PHP & MVC, then move on to Laravel. This is one of the reasons why I am putting so much time into this series, I started it about 8 months ago & still going. I want to make sure that important details & topics are covered.
Thanks Gio for your great explanations
You're welcome, thank you 💙
Awesome series!!!!!
Thank you 🙌
excellent content❤
Thank you 🙌
Keep Making these videos
Thanks
You got it!
❤❤❤❤❤
💙💙💙
Cool, it's awesome.
Thank you
the best teacher ever in PHP
but could you try to speak just a little bit slower, for those who like me are not native English speakers, please
Thank you. Yes I improved on that in 3rd section, for older videos you can slow it down on TH-cam by selecting the playback speed 💙
Hey, your courses are really informative. Thanks
Question: do you have any public plan for what will be in later course lessons, when the third part (advanced) will start and what it will cover?
Hello, yes in the first video of the course you can see the overview of the topics for all three sections. There are just one or two more videos left for the 2nd section and then we'll begin the third, I am going to make another overview video that will explain what to expect in the 3rd section.
Wonderful revelations, for me. You demystified a lot for me today.
Please, in this series, try out the SELECT A, B WHERE Match(A,B) Against("GIO PDO") Clause with PDO in searching the database.
I have been struggling with it. Can't get it to work for me!
Glad it was useful. Are you getting any errors?
@@ProgramWithGio
Mystery errors, yes. Bottom line: binding parameters for execution is near impossible!
1) I enter a string in the Search field.
2) Sanitize the string.
3) Seek results by searching two or more database columns/fields indexed for FULLTEXT Search.
4) Binding Parameters right in the Match () Against () WHERE clause is impossible with PDO.
If you would permit me, I would send you my code, and errors screenshots. Maybe, you would spot what I am doing wrong!
The Queries run easily in PHPMyAdmin environment directly in the Database.
@@NedumEze yeah, send it to me if you can and I'll take a look. I personally haven't used match/against much, but I would be happy to take a look and see if I can spot something. Try disabling emulated prepares and see if that helps, I know that you can't use placeholders in some statements like with LIMIT for example when emulated prepares are enabled, so it might be the same issue
@@ProgramWithGio
Here's my email:
adolfce@gmail.com.
Use it to give me yours, so that I can send you the Code, please.
Emulation is disabled, right in my Constructor, in the options array.
I've sent you an email
Hey Gio, what are the benefits of using bindParam over bindValue? When should one be used over the other?
One does by reference, other by value. I don't use bindParam much, to me it's harder to read and understand what's going on given that it is by reference, so I stick to bindValue.
@@ProgramWithGio Thank you so much!
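The by-reference versus by-value difference discussed above, shown in running code. This is an added example and not code from the video: it uses an in-memory SQLite database (the `pdo_sqlite` extension) instead of the course's MySQL container so it runs offline, and the `users` table and its rows are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added example, not code from the video. In-memory SQLite so it runs without
// MySQL (needs the pdo_sqlite extension); the users table is constructed data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (email) VALUES ('a@example.com'), ('b@example.com'), ('c@example.com')");

// bindValue copies the value at bind time. Changing $id afterwards is ignored.
$stmt = $pdo->prepare('SELECT email FROM users WHERE id = :id');
$id = 1;
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$id = 3;                               // too late: the statement already holds 1
$stmt->execute();
echo 'bindValue -> ', $stmt->fetchColumn(), PHP_EOL;   // the row with id 1
$stmt->closeCursor();

// bindParam binds the variable by reference; it is read when execute() runs.
$stmt = $pdo->prepare('SELECT email FROM users WHERE id = :id');
$id = 1;
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$id = 3;                               // seen, because execute() reads $id now
$stmt->execute();
echo 'bindParam -> ', $stmt->fetchColumn(), PHP_EOL;   // the row with id 3
$stmt->closeCursor();

// The case where bindParam reads naturally: re-running one prepared statement
// in a loop while only the bound variable changes.
$insert = $pdo->prepare('INSERT INTO users (email) VALUES (:email)');
$email = '';
$insert->bindParam(':email', $email, PDO::PARAM_STR);
foreach (['d@example.com', 'e@example.com'] as $email) {
    $insert->execute();                // each iteration sees the current $email
}
echo 'rows: ', $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL;
```

Either method keeps the value out of the SQL text, so both are safe against injection; the difference is only when the value is captured. The surprise in the second block (the query runs with 3, not 1) is the reason the reply above prefers bindValue for readability.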
4:41 Gio, when you use "db" as your hostname it has to be resolved to an actual IP address when the script runs, doesn't it? I wonder what the actual IP would be in this case.
Happens behind the scenes, you can check your docker container's ip, there is a command for it I think. Should be able to google it
Gioooo. Thank you bruv
You're welcome
Why is the database recording the time as 21:07:00 rather than 21:00:00 as listed in the date(strtotime()) function? I know it isn't a core concept of the video, but I am curious. Great videos by the way. They are a little fast paced for me but I realize others may be more familiar with all of the concepts and therefore appreciate the fast pace while someone such as myself has the opportunity to pause, rewind, or watch the entire video again.
Thank you. That is because I have a typo there in the date format, I use H:m:s, it should be H:i:s; (m) is for month, so 7 is the month # because it's July. I pointed out the typo at 15:03 in the left corner.
About the pace, yeah, I heard from a few others that it's a bit fast, for which I apologize. I try to slow down as much as I can but it's just the way I tend to speak it seems :). Will surely improve on that. One thing that has helped others is adjusting the playback speed on TH-cam to slow it down.
Thank you.
You're welcome!
ty)great info)
Glad it was helpful!
thank you!!!
You're welcome
So Gio, please explain: when you put "db" in the DSN you are using Docker; I am using XAMPP, what do I need to use to connect to the DB correctly?
localhost should work
@@ProgramWithGio Yeah it worked bro, I had made another mistake. Thank you!
For PDO::FETCH_CLASS mode where do you pass the $classname argument?
In your fetch method. So $pdo->fetchAll(PDO::FETCH_CLASS, YourClass::class). You can also use setFetchMode to fetch the mode to class like this:
$stmt->setFetchMode(PDO::FETCH_CLASS, YourClass::class);
@@ProgramWithGio thank you so much Gio
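The two ways of passing the class name described in the reply above, as an added example that is not code from the video. It assumes PHP 8.1 or later and an in-memory SQLite database (the `pdo_sqlite` extension) so it runs without the course's MySQL container; the `User` class, the `users` table and its rows are constructed for the example. It also shows the one thing worth knowing about FETCH_CLASS: by default the constructor runs after the columns have already been written into the object.

```php
<?php
declare(strict_types=1);

// Added example, not code from the video. In-memory SQLite (pdo_sqlite),
// PHP 8.1+; the class, table and rows are constructed sample data.
final class User
{
    public int $id;
    public string $email;
    public int $is_admin;            // property names must match column names
    public string $constructedAt;

    public function __construct()
    {
        // With plain FETCH_CLASS this runs AFTER the columns were assigned;
        // with FETCH_PROPS_LATE it runs first, like a normal `new User()`.
        $this->constructedAt = isset($this->email) ? 'after columns' : 'before columns';
    }

    public function isAdmin(): bool
    {
        return $this->is_admin === 1;
    }
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, is_admin INTEGER NOT NULL)');
$pdo->exec("INSERT INTO users (email, is_admin) VALUES ('alice@example.com', 1), ('bob@example.com', 0)");

// Select only the columns the class declares. Extra columns would become
// undeclared (dynamic) properties, which PHP 8.2 deprecates.
$sql = 'SELECT id, email, is_admin FROM users ORDER BY id';

// 1) class name passed to fetchAll()
/** @var User[] $users */
$users = $pdo->query($sql)->fetchAll(PDO::FETCH_CLASS, User::class);
foreach ($users as $u) {
    printf("%d %s admin=%s (%s)\n", $u->id, $u->email, var_export($u->isAdmin(), true), $u->constructedAt);
}

// 2) class name passed to setFetchMode(), here with the constructor running first
$stmt = $pdo->query($sql);
$stmt->setFetchMode(PDO::FETCH_CLASS | PDO::FETCH_PROPS_LATE, User::class);
foreach ($stmt as $u) {
    printf("%d %s admin=%s (%s)\n", $u->id, $u->email, var_export($u->isAdmin(), true), $u->constructedAt);
}
```

The first loop reports "after columns" for every row and the second "before columns". If your constructor sets defaults, use FETCH_PROPS_LATE, otherwise the constructor silently overwrites what was just fetched.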
Can we use nowdoc to store the query string in $query?
You could but make sure to use prepared statements
Awesome refresher and also new tips here, thanks! Do you personally prefer to use PDO::ATTR_EMULATE_PREPARES = false?
Depends on the project & scope. PHP 8.1 will no longer stringify integers & floats, which it did before when using emulated prepares, so even with emulated prepares it should return integers & floats as their native types instead of strings.
MySQL on my host machine (Ubuntu 20.04) is running on port 3306, and our container is also running on Port 3306. So, will there be a port conflict or not?
I think it will conflict yes
Is there any reason to use emulated prepared statement?
For drivers that don't natively support prepared statements yes. This is the note in the official documentation: "Some drivers do not support prepared statements natively or have limited support for them. If set to true PDO will always emulate prepared statements, otherwise PDO will attempt to use native prepared statements. In case the driver cannot successfully prepare the current query, PDO will always fall back to emulating the prepared statement."
How does it happen that if you do $db->query($query) you have to fetch it, but in a foreach loop you don't have to?
query method returns PDOStatement which implements IteratorAggregate that allows it to be iterated over in loops.
Hi Gio, when I run a query against the database it throws an error like the one below. Could you help me please?
PDOException: SQLSTATE[42S02]: Base table or view not found: 1146 Table 'my_db.users' doesn't exist in /var/www/public/index.php:13 Stack trace: #0 /var/www/public/index.php(13): PDO->query('SELECT * FROM u...') #1 {main}
Hello. It means table doesn't exist, did you create table? You can refer to the intro to MySQL lesson to learn how to create tables
If emulated prepares are slower and return types as strings instead of ints and floats, why would you use them even in development, when return types could be important in your application, when you're expecting a return type of int for example?
I didn't say it's slower, I said "possible performance boost", that boost is probably very negligible. There are uses for emulated prepares but I personally try to disable them when I can and use native ones.
Hello, please, how do I use a prepared statement for a nested statement, like select from ... where param1 = ? and param2 in (select from where param3 = ?)? Is this possible? Thanks a lot
Hello. Yes that's possible and you would use it just like that. Write the query and use placeholders the same way.
@@ProgramWithGio thanks for the reply. I've tried it but had some errors, especially with inner join, etc ..
@@will10cent can you share the exact query and the error you get?
@@ProgramWithGio I will try to reproduce it on monday and come back at you, thanks a lot for the help
@@ProgramWithGio now I have it. When you have a variable, for example $sports = ["soccer", "bball"]; and you try something like select ... where sport in $sports; and I tried to parameterize $sports, it didn't work. Questions are:
1- is that vulnerable code
2- how to parameterize it
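The IN-list question above has no reply on the page, so here is an added example (not code from the video) answering both parts: gluing the array into the query is injectable, and the fix is one placeholder per value. It runs on an in-memory SQLite database (the `pdo_sqlite` extension) instead of the course's MySQL container; the `players` table, its rows and the function names are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the video. In-memory SQLite (pdo_sqlite);
// the players table and its rows are constructed sample data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT NOT NULL, sport TEXT NOT NULL, active INTEGER NOT NULL)');
$pdo->exec("INSERT INTO players (name, sport, active) VALUES
    ('Ana', 'soccer', 1), ('Ben', 'bball', 1), ('Cy', 'tennis', 1), ('Dee', 'soccer', 0)");

// VULNERABLE (answer to question 1): the array is glued into the SQL text,
// so a value that closes the quote is parsed as SQL.
function findVulnerable(PDO $pdo, array $sports): array
{
    $list = "'" . implode("', '", $sports) . "'";
    return $pdo->query("SELECT name FROM players WHERE sport IN ($list)")->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE (answer to question 2): build "IN (?, ?, ?)" with one placeholder per
// value and bind every value separately. PDO does not allow mixing named and
// positional placeholders, so the extra condition is positional too.
function findActiveBySports(PDO $pdo, array $sports, bool $active = true): array
{
    if ($sports === []) {
        return [];                       // "IN ()" is a syntax error, short-circuit instead
    }
    $placeholders = implode(', ', array_fill(0, count($sports), '?'));
    $stmt = $pdo->prepare(
        "SELECT name FROM players WHERE sport IN ($placeholders) AND active = ? ORDER BY name"
    );
    $i = 1;
    foreach ($sports as $sport) {
        $stmt->bindValue($i++, (string) $sport, PDO::PARAM_STR);
    }
    $stmt->bindValue($i, $active ? 1 : 0, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$sports  = ['soccer', 'bball'];
$payload = ["x') OR 1=1 --"];           // an attacker-controlled "sport"

print_r(findVulnerable($pdo, $sports));        // the soccer and bball players
print_r(findVulnerable($pdo, $payload));       // every row: the payload became SQL
print_r(findActiveBySports($pdo, $sports));    // the active soccer and bball players
print_r(findActiveBySports($pdo, $payload));   // nothing: the payload is only a string
```

The placeholder string is built from `count($sports)`, never from the values, so the SQL text is fully determined by the code; the values travel separately. Keep the same pattern for the nested SELECT asked about earlier in this thread: placeholders are allowed anywhere a literal value may appear, including inside a subquery.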
Hey, would anyone happen to know how to use the PDO class with XAMPP to a remote Microsoft SQL Server/Database? I've tried a lot of different methods over the past few days with no luck.
I'm not sure I understand what you are trying to do. You want to connect to remote Microsoft SQL DB using PDO? You can use SQLSRV DSN, check this part in the docs www.php.net/manual/en/ref.pdo-sqlsrv.connection.php
Hello all. One question if someone can help. I am using a newer version of Docker where the "docker-compose" command is replaced with "docker compose". Everything is fine, but I can't make the PDO mysql extension install. I followed this lesson and replaced the docker command as above, but it simply doesn't install:
docker compose up -d --build
[+] Building 0.0s (0/0) docker:default
please specify build context (e.g. "." for the current directory)
Ok, adding the dot as the log indicated solved the problem :)
nice, good job
I am still a bit confused at how using binding or any other method of constructing a statement helps sanitize user input data and protect from injection. Can someone help explain this or direct me to a better explanation?
It's not about sanitizing, using prepared statements handles the proper escaping for you to prevent SQL injections. You can read about prepared statements in MySQL, just Google it and plenty of articles will come up, or even the official docs.
👍
💙
thanks again for the amazing video! By the way, is using PDO::FETCH_CLASS to map database rows to my own defined class objects a recommended way? Is it too slow, etc.?
I wouldn't worry about performance much. It should be fine, that's how ORMs work. If you prefer to work with objects instead of arrays & keys then yes that's what you would use to directly hydrate your own objects. Another way is to hydrate objects yourself
@@ProgramWithGio thanks, that makes sense
thanks a lot, very helpful material.
I've tested the emulated prepares, but nothing is any different from when they are disabled (I got the output of the SELECT query with integers values, and I could use the same name for three named parameters where one is in the LIMIT clause)
****CODE I wrote****
PDO falls back to emulated prepares if it can't prepare natively, so that's probably why you don't see a difference. Did you try disabling the emulated prepares? Because I don't see emulated prepares disabled in the above code.
@@ProgramWithGio that worked, thank you Gio, now I understand.
is PHP dead?
Nope, not dead at all. I wouldn't be spending hundreds of hours making this course if it was dead 🙂
You know what, there are languages from the 60s and 70s that didn't die yet ..
But imagine when talking about the language that runs more than 40% of the web? .. It's an entire language for web development, not just a framework like Django or Node, and while some Node kids make fun of it we earn money using it .. And it also has very powerful updates
Even the key advantage of Node against PHP is gone LOL, now there is a library called Guzzle which can make PHP async like Node.js
@@ProgramWithGio the capacity of this dinosaur or mastodon, with respect to its experienced code for security domains, the speed that has been increased with JIT, and the options of synchronization in real time as you indicated or ReactPHP, make it a powerful language .....
why use root for the app? You lose all kinds of features dealing with grants on tables and views. Better is to have a DBA role (i.e. root) and a different user that has rights on the database objects.
This is a local development setup. For production I agree, you would not want to use root.
15:46 explains that SQL injections are bad, then proceeds to add one just in case.
And here I thought that people finally started writing secure PHP code in 2022. Nope, 15 years later (since I started) everything is the same.
Check beginning of part 2. I explain it there. I should've removed this part from the recording but decided to leave it in and address it in part 2. It's not SQL injection but I agree it should be using params instead of putting in integer value in the query.
Bro, at timestamp 12:16, the SQL injection worked in your example because the query string is delimited by single quotes. But when I used double quotes the SQL injection does not work and nothing is returned.
Then you need to use double quotes in the query as well and it will work. The point is you don't know what a user might submit; they can brute force it & submit various strings formatted in different ways.
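An added example (not code from the video) for two questions in this thread: the earlier one asking how binding protects against injection, and the one just above about the quote delimiter. It runs on an in-memory SQLite database (the `pdo_sqlite` extension) instead of the course's MySQL container; the `users` table, its rows, the payloads and the function names are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the video. In-memory SQLite (pdo_sqlite);
// the users table and its two rows are constructed sample data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, is_admin INTEGER NOT NULL)');
$pdo->exec("INSERT INTO users (email, is_admin) VALUES ('alice@example.com', 1), ('bob@example.com', 0)");

// VULNERABLE: the user-supplied value is spliced into the SQL text between
// single quotes, so anything that closes that quote is parsed as SQL.
function findEmailsVulnerable(PDO $pdo, string $email): array
{
    $sql = "SELECT email FROM users WHERE email = '$email'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: the SQL with its placeholder is compiled first; the value is sent
// separately and can only ever be compared as data, never parsed as SQL.
function findEmailsPrepared(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$inputs = [
    'honest' => 'bob@example.com',
    'single' => "' OR is_admin = 1 --",   // closes the ' delimiter; the comment eats the trailing quote
    'double' => '" OR is_admin = 1 --',   // wrong delimiter for this query: just an odd-looking email
];

foreach ($inputs as $label => $input) {
    printf("%-6s vulnerable: %s\n", $label, implode(', ', findEmailsVulnerable($pdo, $input)) ?: '(none)');
    printf("%-6s prepared:   %s\n", $label, implode(', ', findEmailsPrepared($pdo, $input)) ?: '(none)');
}
```

The vulnerable function returns the admin's row for the single-quote payload and nothing for the double-quote one, which is exactly the observation in the comment above: the double-quote payload did not fail because the code is safe, it failed because it targeted the wrong delimiter, and an attacker simply tries the other one. The prepared function returns nothing for both payloads, since the value never reaches the SQL parser. One caveat for MySQL: with emulated prepares PDO quotes the value client-side, so set the connection charset in the DSN (for example `charset=utf8mb4`) so that client-side escaping agrees with the server about what a quote byte is.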
Every time I use $_GET['..'] or $_POST['..'] I encounter an error of Undefined array key. I solved the error for POST using isset, but I cannot solve GET with isset, e.g.
if(isset($_GET['email']))
{
$email = $_GET['email'];
}
I'm getting an error saying Undefined variable $email
but if I use $email = $_GET['email']; then
the error 'Undefined array key "email"' is displayed
PS: I'm using php 8.1.4
Because if email isn't set then the variable $email never gets defined. You should define the $email variable before the if statement and assign a blank value, for example, or add an else statement and set $email to blank there, or whatever logic you want when email isn't set.
Other option: $email = $_GET['email'] ?? '';
@@ProgramWithGio Thanks Gio.
Fatal error: Uncaught PDOException: SQLSTATE[HY000] [1049] Unknown database 'my_db' in /var/www/app/DB.php:31 Stack trace: #0 /var/www/app/App.php(15): App\DB->__construct(Array) #1 /var/www/public/index.php(26): App\App->__construct(Object(App\Router), Array, Object(App\Config)) #2 {main} thrown in /var/www/app/DB.php on line 31
I got this error. I created the DB with the name my_db, but it is still an error.
How can I solve it?
Are you sure you created DB under the same connection? Are you using Docker or XAMPP?
I use MySQL on Mac
@@danielmung9600 check your connection configuration, the error says there is no DB, so probably a wrong connection or something, maybe a typo in the DB name? I haven't used Mac so I'm not sure if there is any other configuration involved