<?php
$name=$_POST['name'];
$pass=$_POST['pass'];
$sql="SELECT * FROM Users WHERE Name='$name' AND Pass='$pass'";
?>

This would work perfectly, and would allow people to log in. It would also allow people to SQL inject it. What if they typed this in:

Well our SQL statement ends up looking like this:
SELECT * FROM Users WHERE Name='admin' AND Pass='admin' OR 'x'='x'
‘x’='x’ is a TRUE statement 100% of the time, so as long as ‘x’='x’, it will pull up all the info you needed, and suddenly you are logged in. This is probably the easiest SQL injection around, and does work on occasion. There are hundreds of SQL injections, and a poorly coded site will always be susceptible. Not only are people able to log into a site as an administrator, but they can display login info using UNION statements.
One other way good programmers tend to get lazy is through their “GET” variables. A lot of times programmers will pass variables in the URL bar: http://www.mysite.com/view.php?id=123. There is nothing wrong with this, in fact, everyone does it and will continue to do it because it is efficient and easy to do. The problem comes when people SQL inject that variable: view.php?id=123′ and ‘x’='y. This particular injection allows a hacker to test your site for susceptibility to injections in the URL bar. If you didn’t protect your variables, your SQL statement would look like this if it wasn’t protected: "SELECT * FROM Info WHERE Id='123' and 'x'='y'". If it wasn’t protected, the hacker would see a page with NO info on it, or an error because ‘x’ NEVER equals ‘y’ and is a FALSE statement. If they see a blank page or an error, they know they can continue their attack and eventually gain access to all of your information.

My goal is not to teach you how to hack, but rather how a simple PHP object exists and will help you avoid these types of attacks. That object is PDO. It comes standard with the latest releases of PHP and can be used to prevent SQL injections very simply. PDO is a database object, that allows you to connect to a variety of different databases, send queries, and display the results. It actually is a bit easier to code than actual mysql in PHP, but it is a complete 180 from what you have been taught using w3schools and tizag.com. I don’t really want to get into a tutorial of PDO either because there are quite a few on the internet that explain it much better than I can right now. I recommend checking out http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html to get a grip on the basics of how PDO works. The one thing that this tutorial does NOT explain is the “prepare” function. He only goes into it slightly, but doesn’t describe what it does exactly. Prepare() simply checks for all types of quotes and makes sure that no SQL injections can get through. Here is a quick example:

<?php
$mysql_host="localhost";
$mysql_user="root";
$mysql_pass='';
$mysql_database="epco";
try {
    $dbh = new PDO("mysql:host=$mysql_host;dbname=$mysql_database", $mysql_user, $mysql_pass);
    /*** create the statement ***/
    $stmt = $dbh->prepare("SELECT * FROM users WHERE user = :user AND pass = :pass");
    /*** bind the paramaters ***/
    $stmt->bindParam(':user', $_POST['user'], PDO::PARAM_STR);
    $stmt->bindParam(':pass', $_POST['pass'], PDO::PARAM_STR);
    /*** execute the prepared statement ***/
    $stmt->execute();
    /*** close the database connection ***/
    $dbh = null;    
}catch(PDOException $e){
    echo $e->getMessage();
}
?>

When we prepare our statement, we use a place-holder that will later assign a variable to. When that statement is executed, all our quotes are removed or slashed. $_POST['user']="admin' OR 1=1"; typically becomes $_POST['user']="admin\' OR 1=1"; and your database is protected from the attacks.

In conclusion, I am not advocating PDO and saying only to use that and nothing else. I use a database class that is much smaller and does what I need it to do. I have spoken with other programmers who have created their own class to add/strip slashes, rawurlencode/decode, and htmlspecialcharacters and connect to their databases. PDO was created as a “universal” database object that can do whatever you want it to do with several different databases. It is awesome and will go a long way to protect your site from SQL injections if used properly. The prepare statement is simple, but doesn’t protect against EVERY type of attack. Don’t be fooled into a false sense of security just because you are using a PHP object. XSS, javascript injections, and bruteforce, attacks are all still possible even if you use this class. Be careful in what you code, and fix any code when the holes are found by users or when you are hacked.