1 00:00:00,000 --> 00:00:04,241 [MUSIC]
2 00:00:04,241 --> 00:00:08,380 [SOUND] Security is very important when we start working with databases.
3 00:00:08,380 --> 00:00:11,004 Most all databases contain information that could be
4 00:00:11,004 --> 00:00:12,790 considered sensitive or private.
5 00:00:12,790 --> 00:00:16,220 We would not wanna open up ourselves to attacks from the outside or
6 00:00:16,220 --> 00:00:18,970 accidental dumps of this private information.
7 00:00:18,970 --> 00:00:21,580 Let's see how these attacks could affect us.
8 00:00:21,580 --> 00:00:26,720 >> SQL Injection is a common method that is used to attack data-driven websites and
9 00:00:26,720 --> 00:00:32,630 web applications by appending malicious SQL statements for the attacker's purposes.
10 00:00:32,630 --> 00:00:37,320 Taking our customers' hard-earned data, and dumping it to the screen, simply because
11 00:00:37,320 --> 00:00:42,430 we did not take the time to filter all of our input and escape all of our output.
12 00:00:42,430 --> 00:00:47,760 One form of this attack would be to simply end the previous statement in the URL, and
13 00:00:47,760 --> 00:00:51,610 append our malicious query to suit our purposes.
14 00:00:51,610 --> 00:00:53,840 The code we've written, it works.
15 00:00:53,840 --> 00:00:55,370 It does what we want it to do.
16 00:00:55,370 --> 00:01:00,070 It takes the ID and it produces an actual film for us.
17 00:01:00,070 --> 00:01:02,320 So I can type in 555.
18 00:01:02,320 --> 00:01:05,250 And it is Mallrats United.
19 00:01:05,250 --> 00:01:06,300 Must've been a good film.
20 00:01:06,300 --> 00:01:07,500 I don't remember seeing it.
21 00:01:07,500 --> 00:01:13,020 Either way, this is terribly insecure, unvalidated code.
22 00:01:13,020 --> 00:01:17,410 You never want this in production as it sits right now.
23 00:01:17,410 --> 00:01:22,680 You are definitely primed to, one, having some nasty errors like, you know,
24 00:01:22,680 --> 00:01:27,130 people typing in whatever and it's just, you know, dumping our exceptions, but
25 00:01:27,130 --> 00:01:31,550 we don't want that; we want to make sure our ID is a number for sure.
26 00:01:31,550 --> 00:01:35,810 And the other thing we want to make sure is that no one can do SQL Injection.
27 00:01:35,810 --> 00:01:38,930 Which is in essence stopping this statement here,
28 00:01:38,930 --> 00:01:45,090 because we're just taking our ID, whatever it is, whatever this variable is,
29 00:01:45,090 --> 00:01:49,720 with no validation, no verification, and just creating a variable.
30 00:01:49,720 --> 00:01:51,110 Then we're taking that variable, and
31 00:01:51,110 --> 00:01:54,370 just dumping it right into our database as a query.
32 00:01:54,370 --> 00:01:58,140 So, they could technically just attach whatever code they
33 00:01:58,140 --> 00:02:02,050 wanted to the end of it and it'll get executed on our database.
34 00:02:02,050 --> 00:02:04,240 And that's a big no-no.
35 00:02:04,240 --> 00:02:08,120 Just to show you, as an example, to just drive this home,
36 00:02:08,120 --> 00:02:11,870 instead of just the ID which is, you know, 555,
37 00:02:11,870 --> 00:02:16,290 I can actually get rid of this and paste in a little bit of code.
38 00:02:16,290 --> 00:02:21,870 Hit Enter, and I've basically told the database that I'd rather it
39 00:02:21,870 --> 00:02:27,320 return the SQLite version to me instead of the actual title of the film.
40 00:02:27,320 --> 00:02:31,990 And as you can see here, there's our SQLite version, 3.8.2.
41 00:02:31,990 --> 00:02:34,240 That's not good, they can do anything they want.
42 00:02:34,240 --> 00:02:38,200 Well, almost anything, but it's still bad news, let's not do this.
43 00:02:38,200 --> 00:02:43,700 Let's fix this by first validating that what we're getting through is
44 00:02:43,700 --> 00:02:46,630 an actual integer, or making it an integer.
45 00:02:46,630 --> 00:02:52,610 And we'll also take some built-in methods of the PDO class, PDO object.
46 00:02:52,610 --> 00:02:56,870 And use that to filter our results and to make sure it's secure.
47 00:02:56,870 --> 00:03:00,020 We're going to prepare our statements before we execute them.
48 00:03:00,020 --> 00:03:00,890 We'll do that next.