MySQL Prepared Statements Lab - savannahc502/SavC-TechJournal-SEC260 GitHub Wiki
Make sure that the three previous labs in the Week 14: SQL Basics module are complete before continuing with this lab, and that connecting to MySQL and the pets database still works.
Using the birthday HTML and scripts as a template, you will create a version using prepared statements. Copy birthday.html to birthday-sec.html. Update the new HTML file to point to birthday-sec.php:
```html
<html>
<body>
<!-- The form now posts to the prepared-statement version of the script -->
<form action="birthday-sec.php" method="post">
Look up your cat's birthday! Silly bois <br>
Cat's Name: <input type="text" name="name" id="name"><br>
<input type="Submit">
</form>
</body>
</html>
```
Create birthday-sec.php using prepared statements:

```php
<?php
$username = "apache_php";
$password = "password";
$database = "pets";
// Read the submitted name; fall back to an empty string if the field is missing
$name = isset($_POST['name']) ? $_POST['name'] : '';

$mysqli = new mysqli('localhost', $username, $password, $database);
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}

// The ? placeholder fixes the query structure; the user's input is sent
// to the server separately and can never be parsed as SQL
$stmt = $mysqli->prepare("SELECT birth FROM cats WHERE name=?");
$stmt->bind_param('s', $name); // 's' binds $name as a string
$stmt->execute();
$stmt->store_result();         // buffer the result set so num_rows is available
$stmt->bind_result($birth);

if ($stmt->num_rows > 0) {
    while ($stmt->fetch()) {
        // htmlspecialchars keeps the reflected name from being rendered as HTML
        echo htmlspecialchars($name) . "'s birthday is " . htmlspecialchars($birth) . "<br>";
    }
} else {
    echo 'NO RESULTS';
}

$stmt->close();
$mysqli->close();
?>
```
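To show why the bound parameter above defeats the injection string the lab tests with, here is an added example that is not part of the lab or the journal. It uses Python's built-in sqlite3 module as a stand-in for PHP/MySQL so it runs offline: a constructed in-memory `cats` table, one lookup that splices the name into the SQL string (like the original birthday.php) and one that binds it as a parameter (like birthday-sec.php). The table contents and function names are assumptions made up for the example.

```python
import sqlite3

# Constructed stand-in for the lab's `pets` database: a tiny in-memory `cats` table.
SAMPLE_CATS = [("Tom", "2015-03-01"), ("Garfield", "1978-06-19")]

# The payload tried against the original script in the lab.
INJECTION = "' OR '1'='1"


def make_db():
    """Create and populate the in-memory database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cats (name TEXT, birth TEXT)")
    conn.executemany("INSERT INTO cats VALUES (?, ?)", SAMPLE_CATS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Mirrors the original birthday.php: user input spliced into the SQL text.

    With name = ' OR '1'='1 the statement becomes
        SELECT birth FROM cats WHERE name='' OR '1'='1'
    and the WHERE clause is always true, so every row comes back.
    """
    sql = "SELECT birth FROM cats WHERE name='" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """Mirrors birthday-sec.php: a ? placeholder with the value bound separately.

    The SQL text never changes; the driver sends the name as data, so the
    database looks for a cat literally called  ' OR '1'='1  and finds none.
    """
    return [row[0] for row in conn.execute("SELECT birth FROM cats WHERE name=?", (name,))]


def compare(name):
    """Run both lookups against a fresh database and return (concat_rows, prepared_rows)."""
    conn = make_db()
    try:
        return lookup_concat(conn, name), lookup_prepared(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    for query in ("Tom", INJECTION):
        concat_rows, prepared_rows = compare(query)
        print(f"input {query!r}: concatenated -> {concat_rows}, prepared -> {prepared_rows}")
```

For a normal name both lookups agree; for the injection string the concatenated query leaks every birthday in the table while the prepared query returns nothing, which is exactly the behaviour the lab's birthday-sec.php is meant to show. The `?` placeholder is the same one mysqli uses; other drivers spell it differently (MySQL's Python connectors use `%s`), but the principle of keeping SQL text and data apart is identical.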
When I attempt the previous SQL injection of `'OR '1'='1`: