Quiz
- can you explain a bit more on what the placeholder %s does?
Sure. It stands for a place to fill in data, such as the NM of the person you want to look up, or the TT of the movie, or the Title of the movie or...
It's like a variable, or a place where a variable's value goes.
- I still don't understand how prepared queries protect against SQL injection. What happens if someone passes in '123 or 1 = 1' as nm into our function anyway?
This is the crucial question! Suppose the query is:
Is that:
which matches nothing
Or is it
which matches everything
The bad case is when the
or 1=1
is parsed as part of the SQL code, as opposed to a value.
- Can we review prepared queries again and how multiple %s values work?
As many times as you'd like!
- Can we go over the right and wrong way to do a parameterized query again and what the difference is?
The wrong way is to use string interpolation:
The right way is to use a prepared query:
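The following is an added, self-contained example (not the code shown in class) that puts the two answers above side by side: the string-interpolation version, the prepared version, and a prepared query with more than one placeholder. It uses Python's built-in sqlite3 module with a constructed in-memory table of three rows; sqlite3 writes its placeholder as ? where the MySQL/PostgreSQL drivers discussed in class use %s, but the mechanism is identical. The column and row names are made up for the example.

```python
import sqlite3

# Constructed sample table standing in for the lookup table used in class.
SAMPLE_ROWS = [(1, "Ada", "Engineer"), (2, "Grace", "Admiral"), (3, "Linus", "Developer")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER, nm TEXT, title TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_interpolated(conn, user_id):
    # WRONG: the value is pasted into the SQL text before the database parses it,
    # so anything that looks like SQL inside the value is parsed as SQL.
    sql = "SELECT nm FROM people WHERE id = %s" % user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, user_id):
    # RIGHT: the SQL text is fixed and parsed first; the value travels separately
    # and can only ever be compared against the id column as a single piece of data.
    sql = "SELECT nm FROM people WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def lookup_prepared_multi(conn, user_id, nm):
    # Several placeholders: one ? per value, filled left to right from the tuple,
    # so the order of the tuple must match the order of the placeholders.
    sql = "SELECT title FROM people WHERE id = ? AND nm = ?"
    return [row[0] for row in conn.execute(sql, (user_id, nm))]


if __name__ == "__main__":
    conn = make_db()
    print(lookup_interpolated(conn, "2"))             # ['Grace']
    print(lookup_interpolated(conn, "123 or 1 = 1"))  # all three rows: "or 1 = 1" became code
    print(lookup_prepared(conn, "2"))                 # ['Grace']
    print(lookup_prepared(conn, "123 or 1 = 1"))      # []: compared as one value, matches nothing
    print(lookup_prepared_multi(conn, "2", "Grace"))  # ['Admiral']
```

The same input, '123 or 1 = 1', produces the two outcomes from the answer above: interpolated, it becomes part of the WHERE clause and matches every row; prepared, the whole string is one value that no id equals, so the query matches nothing.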