Hello, this is Christian. Welcome to episode five of this PHP Stocks application using PDO. This is a bonus video, a bonus chapter. I want to talk about SQL injection. I'm just going to show you one example of how that can be very dangerous to your code. So here is our application we built before. Now I went ahead and added this new tab called Add Stock. And all I did was basically add a new task to add and show the add form. And then we're going to add a company, you know, a new stock, to the database. That's all there is to it. So we can go in here and add a new company, for example, say, well, let's see. So our stocks, we have 50 of them, as you can see towards the bottom here. Okay, I'm going to add a new one. And just say My Company, my CO, in the data sector, price will be 555. Okay, really cheap here. Okay, so submit. And so if I view my stock, at the very bottom, I should be able to see my 51st. Okay, there it is. All right. So this example is to show you the danger of not sanitizing your data.

Okay, so let's go back and see the code here. So here again, just to show you briefly what I did. I added a new li here, adding to the tabs, to add a new stock. And then added a new form here. This is just an add form. It's going to go to the same file, which is the index, and the method is going to be a post. So we're going to hide the data in the body of the query. And very basic stuff: the company, symbol, sector, and then the submit and reset button. Okay, so this is pretty straightforward. In the index, I added a new variable to show the add form, just like show table; I set it to false. And if it's not selected, right? So the task right here, I did not change that; I added a new one down here. If the task equals add, then we change the form to true and then show that form instead. Okay, so down here in the body, I added an else if in between here: if it's show table, you show the stock table. Otherwise, if it's show form, we show the add form here.
And then otherwise show the other message down here. Okay, and we submit the form. It's a post. So up at the top here, I added a new if isset post submit. If so, then I collect the data from the form: company, symbol, sector, price. The first one is null, that's the ID; pass it to data. And it will pass that to the insert data record from the DB class, and insert that data into the database. If it's successful, then we say new stock added; otherwise it has some error. Okay, pretty straightforward stuff. So that's what we did, right?

So now let's go and modify the DB function here to show you the dangerous part. So here we're using PDO, or we're using a prepared statement, right? So this is the safe way. So now since we're doing it this way, you prepare, you're actually sending the instructions ahead. So the instruction gets over; it doesn't execute. But then, you know, there's no data to execute. So we send the data later. That's why it's pretty safe. Now let's say I'm going to change this to use the old or the traditional way of doing things and not use this prepared statement. Okay, so let's just return, you know, do everything all over here again. So to be short, the query is going to be insert into the table. And then the values will be: so the first is going to be null. Second, it's going to be data of one, and then data of two. Oops, right. And then data of three, data of four; this is the stock that we terminate there. That's incorrect. Let's see, this is a comma. All right. And then we terminate that statement. And then we're going to do a, I'll do a, you know, you can do the same thing, but, well, let's say return, no, just do a this query, PDO, I just do a query, or you can execute. Either way, execute or query, it doesn't matter. The statement, which is the query. And then we just return true for this one. Okay, we force it to be true. Okay, so that's the standard way to do it, right?
You're actually passing variables to each of these positions here, instead of doing this with placeholders. And then you execute that and you return the statement. And just to make sure it works, we just go back and add a new company. Okay, so add another one here. This will be Your Company, YCO, it's going to be in the, I don't know, grocery sector, maybe, and your price is 34.56. Okay, so submit. Good, we added it. Let's see if it's there; it should be the 52nd. So there it is.

Okay, so now here's the danger part, all right. So this is Their Company. Okay, so TCO, sector would be unknown, right? So the price, let's just say that's $12, and then you enter something like this. Okay, it's very dangerous here. So, and I put here, but this part here, as you can see, if I go back and look in the code, I'll show you why it's dangerous: that will cancel out the statement. If I were to do this again, let me just do this, this insert statement. If I had the insert statement look like this, insert into the table, which is called stock. Once you parse it, right, it would look something like this. The first is going to be null. The second is the data. So this is a string of, let's say, you know, Their Co, and the third is the symbol TCO, the sector would be unknown, and then the price would be this, right? I enter that here. 12, well, let's do this. So it would look something like that. The price, it was 12, and then I enter that, and that, and that. Oops, I shouldn't have replaced it. Let's try again. So $12, and I enter that. Well, I didn't like it. Let me just copy and paste right in here. So in here, I want to put it like that, okay? This is from the form. As you can see, this part here, if you look at this, it cancels out, right? It cancels out the statement here. It ends right here. And then this part is now open. We have an incomplete statement. It will still look like that, right?
So it's an incomplete part, but I can add another statement over here to do something like, okay, I want to delete from the stock, and then you close that. So you have a second statement here. And this part will error out; it won't work. What you can do in SQL Server and also MySQL Server is you put the dash dash. And what that means, as you can see, is it actually commented this out. So this whole thing will be ignored. And so I entered a second statement here to actually delete the stock table. So we can see that's very dangerous. So if I copy this, if I take this out, it looks just like the other one, right? If I put $12, that's exactly what you get. So that's why it's so dangerous.

Now let's go to the code, I mean the form, and put that in here. Okay. So now what happens if I go submit? It says I added the stock. Well, when I view the stock, all gone, right? It's gone. You can check the database to make sure; you can browse it. And there it is, there's no data here. So you can see how dangerous this can be. You can do more damage to this thing. So again, if I go back and reset it, gamma was stuck. And my data is back again, right?

Now I can do it again. Do another one here, Some Co, SEO, test. And then here again, just put here whatever, as long as you cancel out that part. So you cancel that out. And then the rest is like open to you to do whatever you want. Pretty much you can drop. This is very dangerous: drop table called stock. Okay, again, the same syntax. So now what happens is if you submit that, it's gone. If you try to view the stock, okay, now it's gone. You can see that now it's no longer working. You go to the database and you refresh it. And now I just lost my table. Okay, what's worse, you can even drop the database. I didn't do drop database, but we could say drop the database, and then the name of my database, if I know what that is, and it's gone. So that's why it's so dangerous.
If you don't sanitize your data, if you don't use a prepared statement nowadays. To do it this way, and just to show that it does work, let's go back and use the other one again, the traditional or the regular one we did earlier; let me turn this back off again. Now we're using the safe one, right? So I'm going to try to use the same method to try to attack this site. But I lost my data. So lucky me, I already saved my queries. I'm going to import it back in here. Let me just use SQL. I have it somewhere, I think. I want to import. Where did I save it? Yeah, I saved it somewhere. I'm pretty sure I did. Yeah, I don't know where, but I think I have it somewhere. Let me see if I can get it from my other screen over here. This is the stock table. So I copy my code here. Yeah, this is the one that I want to use. Okay, this is the stock I downloaded. I saved it before I actually did the delete. So I'll make sure I copy that. Let's copy all of that. And then I'm going to go and just insert it into the SQL to recreate my table. Okay, so my stock table should be back. So here it is. Okay, so now I can go and then add some data again. So there it is.

Okay, so now we already changed the code back to the safe one, right? So let's close this. So oops, what happened? Yeah, I already used the, I've removed that already. We're back to using the original one. Okay, the placeholders. Now let's go and insert the same code and see what happens at stock. Let's be there, cco, tco, unknown. And I have what's like 12 and then that, if I try to delete table stock. Okay, so if I click submit, here we go. If I view the stock, see, it's all there, right? If I look at the very bottom, there's the company I added here; it's $12. So you can see that the second statement wasn't completely ignored. It doesn't matter what you put there because it ignored that part.
And what happens behind the scenes when you do something like this: this statement here ends right here, wherever it was before. And then the next statement is no longer working because it doesn't execute that statement, because there's no placeholder for that data. So it's not even doing anything to that part. We ignore that. It only matches the data here. And again, there's only a placeholder. And we send the actual data after the statement, or the instructions, has been sent to the database. So that's why it's safe to do this.

Okay, so this is one example. You can do so much more, especially like login stuff; you can do a trick to do a, you know, a query to make sure you can log in without even logging in, right? You can trick that as well by using something like, you know, one equals one, because that's always going to be true, right? So that's one example of how using prepared statements can safely protect your code. So I hope you enjoyed this video series. Let me know if you have any questions. Thank you.
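As an added example (not the code from the video or its DB class), here is a stand-alone PHP script that puts the two versions of the insert the video walks through side by side. It uses PDO's sqlite driver with an in-memory database so it runs without a MySQL server; the `stock` table layout and the `$data` array layout (index 0 is the null ID, then company, symbol, sector, price) follow the video, and the function names are my own.

```php
<?php
// Added example, not code from the video. Assumes the pdo_sqlite extension is
// available. Table and $data layout follow the video's description.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE stock (id INTEGER PRIMARY KEY, company TEXT, symbol TEXT, sector TEXT, price TEXT)');
    // one constructed starting row, like the video's first "My Company" entry
    $pdo->exec("INSERT INTO stock VALUES (NULL, 'My Company', 'MYCO', 'Data', '555')");
    return $pdo;
}

// The "traditional" version from the video: form values spliced into the SQL text.
// Whatever the user typed is parsed by the database as part of the statement.
function insertRecordUnsafe(PDO $pdo, array $data): string
{
    $sql = "INSERT INTO stock VALUES (NULL, '{$data[1]}', '{$data[2]}', '{$data[3]}', '{$data[4]}')";
    $pdo->exec($sql);   // exec() hands the whole string to the driver; sqlite runs every statement in it
    return $sql;        // returned so the caller can see what was actually sent
}

// The prepared-statement version: the SQL text is fixed and compiled first,
// the values are bound at execute(). Data can fill a placeholder, but it can
// never close the statement or start a new one.
function insertRecordSafe(PDO $pdo, array $data): bool
{
    $stmt = $pdo->prepare('INSERT INTO stock VALUES (NULL, ?, ?, ?, ?)');
    return $stmt->execute([$data[1], $data[2], $data[3], $data[4]]);
}

function rowCount(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM stock')->fetchColumn();
}

function lastPrice(PDO $pdo): ?string
{
    $price = $pdo->query('SELECT price FROM stock ORDER BY id DESC LIMIT 1')->fetchColumn();
    return $price === false ? null : (string) $price;
}

// Constructed form input: the same kind of price field the video types into the add form.
// The quote closes the INSERT's value list, a second statement follows, and -- hides the
// leftover quote and parenthesis so the database does not complain about them.
$form = [null, 'Their Company', 'TCO', 'unknown', "12'); DELETE FROM stock; --"];

// 1. String-built query: both statements reach the database and the DELETE empties the table.
$pdo = connect();
echo "Sent to the database:\n  ", insertRecordUnsafe($pdo, $form), "\n";
echo "Rows after unsafe insert: ", rowCount($pdo), "\n";

// 2. Prepared statement: the same input is stored verbatim as the price string;
//    the row count grows by one and nothing else runs.
$pdo = connect();
insertRecordSafe($pdo, $form);
echo "Rows after safe insert: ", rowCount($pdo), "\n";
echo "Stored price: ", lastPrice($pdo), "\n";
```

Run it with `php inject_demo.php` (any file name works). The first half shows the exact string the video builds by hand and the empty table that follows; the second half shows the prepared version storing the whole typed value, quote, semicolon, dashes and all, as the price of one new row. Two caveats for the MySQL setup the video actually uses: PDO's MySQL driver emulates prepares on the client by default, which still keeps data out of the SQL text, but setting `PDO::ATTR_EMULATE_PREPARES` to `false` gives real server-side prepared statements; and the same driver accepts several statements in one call by default, which `PDO::MYSQL_ATTR_MULTI_STATEMENTS` set to `false` turns off, so a stray `;` in a string-built query has less room to do damage. The login lookup the video mentions at the end works the same way: a username bound through `?` is only ever compared as a value, so an input containing `1=1` just fails to match any user.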