
Hi, I know parameterized statements and escaping data are good practice for preventing SQL injection. But I was curious to see it in action, so I set up a database to see. The problem is I keep getting an error or it's not injecting correctly.

// The submitted answer is spliced directly into the SQL text (this is the injectable pattern)
$ans = $_POST['answer'];
$query = "SELECT username from `members` where password = '$ans'";
$c = $db->query($query);            // PDO::query() returns false when the SQL is invalid
$c = $c->fetch(PDO::FETCH_ASSOC);   // so fetch() is then called on false and fails
echo $c['username'];

I tried the typical 'OR 1=1' injections and their variations, and I keep coming up with errors on the fetch or it not working at all.

MikanPotatos

1 Answer

// $ans holds the submitted answer, as in the question ($ans = $_POST['answer'];)
$sql = "SELECT username from `members` where password = :mypassword";

// Create prepared statement: the value is bound as data, never spliced into the SQL text
$stm = $db->prepare($sql);
$stm->bindParam(':mypassword', $ans, PDO::PARAM_STR);
$stm->execute();

// fetchColumn() returns the username, or false when no row matches
echo $stm->fetchColumn();
Alexey Palamar
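To make the difference concrete, here is an added example (not from the question or the answer above) that runs the same two query styles side by side in Python with the built-in sqlite3 module rather than PHP/PDO, against a constructed in-memory `members` table. The `?` placeholder plays the role of PDO's `:mypassword`: the bound value is treated as a literal string, so an input containing quotes and `OR` cannot change the shape of the query. The table stores a plain-text password only to mirror the schema in the question; a real system would store and compare a password hash.

```python
import sqlite3


def setup_db():
    """Constructed sample database: one member with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def lookup_interpolated(conn, answer):
    """The pattern from the question: user input spliced into the SQL text.

    The input becomes part of the query grammar, so quotes and keywords in it
    are parsed as SQL, not as data.
    """
    query = f"SELECT username FROM members WHERE password = '{answer}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, answer):
    """The pattern from the answer: a placeholder bound to the input.

    The SQL text is fixed; the driver hands the value to the engine
    separately, so it is only ever compared as a string.
    """
    query = "SELECT username FROM members WHERE password = ?"
    row = conn.execute(query, (answer,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    probe = "' OR '1'='1"  # the 'OR 1=1' style input mentioned in the question
    print("interpolated:", lookup_interpolated(db, probe))   # returns a username
    print("parameterized:", lookup_parameterized(db, probe)) # returns None
    print("real password:", lookup_parameterized(db, "correct horse"))
```

Running it shows the interpolated query matching a row for an input that is not anyone's password, while the parameterized query matches nothing for the same input and still finds the member when given the real password. That is the behaviour the prepared statement in the answer gives you with PDO.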