How does the SQL injection from the “Bobby Tables” XKCD comic work?

It drops the students table. The original code in the school’s program probably looks something like This is the naive way to add text input into a query, and is very bad, as you will see. After the values from the first name, middle name textbox FNMName.Text (which is Robert’); DROP TABLE STUDENTS; –) and the last name textbox LName.Text (let’s … Read more

How can I prevent SQL injection in PHP?

The correct way to avoid SQL injection attacks, no matter which database you use, is to separate the data from SQL, so that data stays data and will never be interpreted as commands by the SQL parser. It is possible to create SQL statement with correctly formatted data parts, but if you don’t fully understand … Read more

Are PDO prepared statements sufficient to prevent SQL injection?

The short answer is NO, PDO prepares will not defend you from all possible SQL-Injection attacks. For certain obscure edge-cases. I’m adapting this answer to talk about PDO… The long answer isn’t so easy. It’s based off an attack demonstrated here. The Attack So, let’s start off by showing the attack… In certain circumstances, that will return more than … Read more