Information Security:

a$.$ Suppose there is a form as below:

In the record$\_$message.php below, give an example of the SQL injection by entering extra strings in the name textbox after name?. $(5$ pts$)$

php

$name $=$ $$\_$POST$[\text{'}$name$\text{'}]$;

$message $=$ $$\_$POST$[\text{'}$message$\text{'}]$;

$//$ check if this user already has a message

$pdo$->$query$("$SELECT $**$ from messages where name $=$ $name"$)$;

$//$ Other code here

$($b$)$ In the above example, we want to use the prepared statement with bindParam to prevent the SQL injection. $(20$ pts$)$

Step $1$ Defining your query string, and marking placeholders using question marks.

$:

Step $2,$ Prepare the statement in MySQL$,$ assigning the results to a PHP variable $stmt:

$stmt $=$ $pdo$->$prepare $,$;Information Security:

a$.$ Suppose there is a form as below:

In the record$\_$message.php below, give an example of the SQL injection by entering extra strings in the name textbox after name?. $(5$ pts$)$

php

$name $=$ $$\_$POST$[\text{'}$name$\text{'}]$;

$message $=$ $$\_$POST$[\text{'}$message$\text{'}]$;

$//$ check if this user already has a message

$pdo$->$query$("$SELECT $**$ from messages where name $=$ $name"$)$;

$//$ Other code here

$($b$)$ In the above example, we want to use the prepared statement with bindParam to prevent the SQL injection. $(20$ pts$)$

Step $1$ Defining your query string, and marking placeholders using question marks.

$:

Step $2,$ Prepare the statement in MySQL$,$ assigning the results to a PHP variable $stmt:

$stmt $=$ $pdo$->$prepare $,$;