MySQL - PHP の準備されたステートメント (MySQL - PHP Prepared Statements)

字幕表動画を再生する

creating these classes requires equipment and service.
Is that cost money?
If you appreciate this education, please think about going to Eli the computer guy dot com and offering a one time or monthly recurring donation.
Welcome back.
As you know, I am the line the computer guy, and in today's class, I'm going to be showing you how to use.
Prepare to statements in PHP in order to insert records into Europe.
My sequel database tables Now up until this point, have been showing you how to insert records into your my secret database tables using Ph piece code simply by using the variables to plug in the values in my sequel statements and then sending that the entire my sequel statement.
So basically what happens is the P A P code parses and creates a my sequel statement and that full, my sequel statement is sent to the my sequel database server in my secret database server, then reads it and then process is basically whatever sequel that we have presented to it now.
Normally, if you don't have to worry about things like hackers, that's perfectly fine.
We send the entire statement the bicycle database server parses the statement.
As long as everything is correct things air process probably, if not an error, is returned.
No big deal, normal computing process.
But unfortunately, unfortunately, we've gotta worry about those hackers.
We have to worry about those hackers.
And so one of the things to be thinking about that we send the entire my sequel statement and you have something like an HTML form that the user is able to input data.
That data is then created as a value that for variable, that value is then put into the sequel statement.
And then the whole sequel statement is sent to my secret database server.
One of the questions that has to be Asa's Well, what if you have a hacker?
What do you have?
A hacker that knows a little bit about how my sequel works?
And so basically, what they do is they can actually put in text to escape out of the sequel statement that is supposed to be sent to the my sequel Database server and then actually insert their own ah sequel statement and order to do any any number of nefarious things on the My sequel database server.
Remember that my single database server.
It's simply going to parse the statement that it is presented with.
So again, if there was a former, if there's some other kind of input option where the user is able to offer something to the PHP code and they know how that PHP code is going to write that my sequel statement what they can try to do is they can try to escape out of the sequel statement that is being presented to the server and then basically insert their own sequel statement on then have them icicle database server parts.
That and then when.
When that happens again, any number of issues could can can occur.
Tables can be deleted, tables or databases can be exported.
Can be back up to, you know, off site servers, all kinds of fancy things.
So basically, we're talking about sequel injection attacks.
What we're talking about is the end user somehow is able to inject the sequel statements into what is supposed to be just a normal, innocuous transaction with the server, and then, by doing that, they're able to spend have some control of the server to do any number of things, and so that's a problem.
And the problem there is is that we're sending the entire sequel statement.
So basically again with the PHP code, what happens is we plug in the sequel statement and then there's dollar sign.
And what if the variable name is?
And so all that happens is the value is put wherever the variable s stated and in that whole statement ascent and into my single database server horses, that whole statement which could cause the problems.
So what prepared statements?
It was It was kind of an interesting way of doing.
It is what happens is you create a template for the sequel statement.
So basically, you created a template for the sequel statement and you you put in these little question marks to say where our values go.
That is incentive to the my secret out of a server.
And then after that, the values that go where those question marks was supposed to be our then sent.
And then what happens is my sequel, then just plugs in the values in where it's supposed to go into the sequel statement.
And then if somebody tries to inject any kind of code, basically all that's going to happen is an error, right?
Because the template, the template for the sequel statement first and then after that.
And then after that, the values are supposed to better supposed get plugged in our scent.
And so, basically, if those values are bad values again, there are escape characters or whatever else they just get flushed out and there's an error or some other thing occurs.
Basically, you don't have to worry about the sequel injection, where the end user that hacker tries to take over your my sequel database server.
So what I'm gonna be showing you how to do today is prepared statements.
It's relatively easy.
It's relatively simple.
They're no big warning warnings for today.
The only thing that I will tell you, especially if you are new to using PHP and my sequel and all that kind of stuff, is that when we do do these prepared statements, we add a couple of levels of complexity for being able to insert records.
And you're my secret database table so normal again, we just create the sequel statement Dollar sign SQL.
You know, whatever that sequel statement is, we just plug it in and everything is relatively simple with prepared statements is not a whole lot harder.
It's on a whole lot harder, but there are a couple of steps and you do have to be careful to make sure you do all those steps or you can run into some problems.
You can run into some errors.
So with that, let's go over the computer and I'll show you how these prepared statements work.
So here we are, back at my lab machine again.
I've got a bunch of desktop 18.4 Lt s running, but really anyone to desktop should work for you.
I have this running in a virtual machine in virtual box and this is running on my Mac book pro in order to get the full lamp stack Alexa Packet, my sequel in PHP.
I used a tool called Task Cell ta s k s E.
L that installed the unfold lamp stack onto the Sorbonne to desktop.
I have not modified any of the default options PHP that I and I v hosts all that are exactly the same.
The only thing that I've done is I've created a folder in the Apache Root directory called PHP, Just as a simple place to dump all of my PHP virus scripts.
A star is a text editor goes I am using G edit.
I'm not using any fancy I d.
E or anything, because again, when I'm doing simple Cody and I'd like to show you folks that yes, you really can use just a normal text editor.
Others g edit whether it's, uh, note pad, whether it's text, edit, whatever else.
So this is the system that we're dealing with.
So the first thing has always let's go over to our database server so we know what's going on.
So we're gonna get a terminal.
If I could spell today Terminal, we're going to log into my sequel.
Maya Segal Space Siphon, You usernames a siphon p for password.
123456 Now we're into my sequel were used class Thebe.
So Class Devi is the database that we're using for all of these labs.
Semi Colon, of course, once weren't here again.
We do show tables just so we know what tables were dealing with.
We have a whole bunch of tables in here.
On the table that will be dealing with today is the students table.
Just verify what's going on with students Table Do the EOE SC describe students semi colon s That shows us we have a student Underscore.
I d Field is a primary key.
It's an auto increment and it isn't interference again.
This is just our record record field.
We have a name.
We haven't age with a gender and we have a uniform field.
Name is text Age is an entity or a gender is text and uniforms Text We d'oh d'oh select Oh, from students, students.
If I could spell correctly today, uh, semi colon, we can see we have a whole bucket records in here.
At this point, we're all the way down to 34 records.
Last four, Senator was Lewis, 21 years old.
Is the boy does not have a uniform, eh?
So let's go over and take a look at the form that we're going to be the only with today s.
So this is an H basically html form.
So, yes, You understand what this little project looks like to go over the Firefox?
Oh, just go.
1 27.0 point 0.1.
This is Luke back address for its last PHP to get in that PHP folder.
And then what we want is the statement for So we created this the atrium out forum called statement form.
And so what this is gonna do is gonna ask for a name, is gonna ask for aid and is going to ask for a gender on.
Then you're going to be able to submit that and basically insert record.
So let's just take a look a form for a second.
This is just a completely normal a female form.
Nothing in here Open a female open body we have formed.
The action equals this nasty ass name.
Don't do it.
I d'oh, don't Don't do this.
You ever have those times when you just like trying to figure out the name for something and then the stupid thing is way too along anyways, so PHP prepared statement insert not PHP.
Basically, the name, age and gender is going to be sent to a script with that stupid name.
That's way too long.
Don't name anything like that, and it is going to be a post method.
So if you've been following along with the other classes again, this is just a normal HTML form.
Asked her name.
As for Nate, against her gender name.
Text.
It's named name.
Age.
Also the text box.
It's named age.
Gender.
This option box.
It's name gender default.
Value is nothing.
11 option is boy.
One option is girl on.
Then there's just simply submit button closed body close.
Html s.
So now we're gonna go over and actually take a look at this.
Nasty.
Yeah.
I don't name anything like this.
I don't know what I was thinking.
PHP prepared statement.
Insert up.
Horrible.
Now, anyways, let's take a look at this.
And a lot of this actually looks pretty close to everything that we've seen before.
That's okay.
The statement form is going to send the name, the age and the gender to the script.
We're gonna open up the pH be script.
We don't have to create the variables variables on the variable values that we're going to be inserting into the bicycle database table.
So we create dollar sign, name, dollar sign, a dollar sign, gender, these air going to equal the post values.
So post our dollar sign under sky are underscore Post on, then name a dollar sign on your post A dollar sign Underscore post gender.
So we've done this in other projects at this point, this is simply grabbing the value of these names that come from the form name a gender were then assigning those valley used to the new variables.
We've created a pH be here so that we can interact with him in PHP.
The next code here is the same code we've seen 1000 times of this 10000.78 years in a password and database.
So it's a local host.
So that's just a local host user name of Bob Password.
I want you to 456 database of Class B.
D.
B has just showed you We're then going to create a connection like we normally do.
So dollar sign common equals a new my sequelae.
We're gonna pass a servant and we're gonna pass the user name.
We're gonna pass Password, eh?
We're gonna pass the database.
There are closed parentheses, and of course, we do semicolon because this is P H.
P.
We're then going to do the if the connection doesn't work.
So for some reason, there's a connection error.
You misspelled the user name.
You screwed up the password.
Something like that.
Basically, dollar sign connection.
If there is an error kill, kill the connection, say the connection failed and then say whatever the air is same stuff as we've seen 1000 times this point.
Now, now down here is where we actually get to the interesting stuff s O.
The first thing that we're going to do is we're going to create our statements.
So this is the prepared A statement itself basically created a variable, just like we created the connection variable up here.
And so I just decided to call this a dollar sign a statement.
So you know what it is?
And so dollars science statement equals.
So cut the connection.
Dollar sign con.
So this whole thing on, then you're gonna do this little era symbols?
We're done for a few things in the past, and then we're going to say, prepare for creating that prepared statement.
We then d'oh parentheses.
So this is all going to be inside of parentheses.
They were going to do the double quotation marks, and then we're simply going to be the prepared statement.
So we're doing an insert so in search into students, same as we've seen to support parentheses.
Column names Name, age, gender So again saying is you've seen before.
Close parentheses, values same abuses as you've seen before.
Here's where it gets to be different.
We do question Mark calm a question mark comma question mark.
So these these are the three com.
So before where we would plug in here, dollar sign, name, dollar sign, a dollar sign, gender and the values would simply be plopped into there.
And this whole thing will be sent over to the sequel server Now again were just sending over a template.
We're sending over a template saying This is what the sequel statement looks like.
And next we will send the value so the values and the template are sent differently.
So, basically, again, it's just question marks.
You only do question marks.
It doesn't matter if his energy or it doesn't matter if you're gonna be sending a string or anything like that.
There is no quotation marks or double quotation marks in these values is just however many values you're gonna say so.
However many columns you have, that's how many question marks you should have over here.
Close that prophecies.
Of course.
Then you're going to close the double quotation mark like you do normally.
And then you're going to close these parentheses here, so all of this gets enclosed within a parentheses.
On that's a PHP.
You end with a semi colon, then down here.
So again, this this right here is this is creating the template for the sequel statement.
And then now, down here, we're actually going to bind the parameters to that.
Templates were going to say what the parameters are.
So then again, we call the statement.
So the statement, they're gonna say buying parameters.
So so little era thing.
Bind, underscore program, open parentheses.
And then this first thing here is we're going to be saying, What type of values will you will be sending you?
Enclose this within double quotation marks.
And then what I have here is string into your strength.
So name, age, gender, right.
So if I was sending three strings so it's a first name, last name gender.
This would be s s s s s if itwas all.
But if it was all it was three numbers, then it might be I so you can have s so it could be a string.
It could be an eye.
It could be an integer It could be a d This is unimportant.
What a D is a double A double is any number with a decimal point.
So when you're actually doing with PHP and my sequel, there's a number of different data types with decimal points.
As far as this is concerned, it's not looking at 1000 different data types with decimals.
It just wants to know, Is there decimal or not?
So it's I that means there's no decimal.
If it's d, there means there's some decimal.
So S s I d or B for blob.
Blob is kind of like this.
If you're gonna be doing things like files, files, PDS and that type of thing could actually insert that, so be would be a four block.
So this is going be string ended your string name a gender, close parentheses, of course, and then do semi Colon.
Then the next thing that we have to do is so we've created a statement we've bound the parameters for with statement should be, and what we're going to be doing is we're actually gonna be executed, right?
So we d'oh dollar signed statement, get the arrow thing, and then we say execute, execute, Go do it.
After that, all we're going to be doing here is we're gonna be echoing out that this actually worked.
So echo added name a gender break if you want a break.
And so basically, this just shows us This actually just prints out to the screen that these things have been added.
The final thing here is that we actually have to close the statement.
So dollar sign statement Aargh thing and then close with two parentheses.
So we actually have to close this thing.
So So it has to know that it can actually release those.
Resource is so this is one of those things again, in a non production environment, you might not run into problems with this, but in a production environment, you will.
So basically, when you create the prepared statement that uses up resource is on your server, And so, in order to release those service is in the most appropriate time.
When you're done using a prepared statement, you should close the prepared statement.
So this resource is go back to the server again.
If you have a machine like this, it will automatically close the prepared statements after a while so you won't see any problem on again your own little virtual machine.
But in a production environment you would on that's really all there is.
And then again, down here, we have dollar sign connection.
Close.
It closes, we go over, we take a look at it.
There's not a lot of difference here again.
Name.
Oh, Susan.
Age is I don't know.
11 and gender Say is a girl.
We can submit the query if we go over to my secret database, select all from students.
We can now see Susan 11.
Girl.
There's not a lot of difference you can really see here.
One of the big ones is again when for the prepared statement where we say, whether something is it supposed to be an integer or not again?
One of big problems of databases is if somebody can.
If somebody can put a string into a field that is supposed to be ended, your you can run into a lot of problems like you're trying to do averages.
You're trying to add things up and you have wrong data types in the field.
One of the nice things with this is, let's say, if I wanted to do Patsy and then I'm not thinking about it and I say Klein here and then I say, Girl, one of the nice parts that you can actually see with using prepared statement If I do submit query, they're gonna notice here, says added Patsy Cline Girl.
But if we d'oh and we do a select all from students, what you'll notice here is, since it's not, it's not an editor.
It was a string of seven.
Endanger.
All that happens is a zero gets placed in that age.
So the nice part here is at least you know there's a problem.
You're like, Oh, I've got to go back and I've got to get that age where again, like a lot of times with databases, if you could insert it, the wrong type of data gets and serve, you can have a lot of problems, so at least with this, you've got zero, so you know that there's an issue there and you can go deal with it, but basically that's all we're dealing, dealing with with these prepared statements.
So we're going to create the template for the statement here.
All of this again.
Colin, prepare.
This will be inside parentheses, then for the values again for insert.
We're going to question a question mark.
Comic question.
Mark, calm a question mark again for however many columns we have.
We're then going to go down here.
We're going to bind the parameters within double quotation marks were going to say what these columns are supposed to be.
So against ring ended your string and then did.
Here is we're going where we're going to put the variables dollars on named Ox on $8 on gender.
We're then going to get go down.
We're going to a statement we're going to execute.
If you want to echo out something on the screen, don't print something out on the screen.
You can do that here and then you're going to statement and then you're gonna close again.
This is not absolutely required, but it is a smart idea.
So try not to forget that.
And that's really all you've got with these prepared statements.
Yea.
Now you know how do prepared statements and so maybe Maybe the old timers will get off my buttocks?
Probably not.
Probably not, but maybe eso.
Whenever I do these videos, I create these videos.
I publish up about an hour after I get done editing them.
And as such, you have a lot of old timers that are screaming at me for how I've been showing you.
How did he with P, A.
P and my Siegel?
It's not security, you long.
It's not secure.
You need to do prepared statements again.
I have a way of TV.
I have a way of tea.
If you don't like the way I did, you don't gotta watch your videos.
But I teach basically trying to show people the simplest way to do things again.
A lot of times I genuinely strip out security again.
I'm not telling you to put some of the stuff that I do in a production environment, but I want you to understand that you can build things and then once you know you can build something, then I want you to learn how to make it better, make it more secure and then a few steps down wine.
Then you have something that can be facing the Web, eh?
So what?
I've been showing you up until this point with sending the being complete sequel statements again.
It worked as functional.
It's easy, but and I will say this dependent upon your security environment might not be the best way to G O.
Using prepared statements is a A a way to try to secure your your dad of a server and protect your overall environment.
Now, I will say with these prepared statements, it's kind of like anti virus or firewall.
One thing does not protect your database servers.
Not like you use prepared statements, and now everything's perfect again.
It does prevent my sequel injection attacks, but you may have other vectors of attack towards your systems again, if somebody can actually get in somehow can modify your PHP code or again, depending your Java script or other things, there may be other ways to attack your systems.
This is simply a way to try to prevent those.
My sequel injection attacks, uh, again, it's one.
It's one thing against, like antivirus, right?
You want anti virus and you want a firewall and you want security policies and you want a backup and you want a number of different things.
Having all of that then theoretically protects your systems again.
Using prepare statements is a single way that you can try to mitigate the damage towards you or your sequel servers.
But it's not the only thing.
So don't feel like oh, I know prepared statements.
So therefore, my servers will be secure.
No one, I think that will stay with this is go out there and do your own research for using this prepared statements, especially if you're looking at using prepared statements in a production environment.
As I was doing research for this class, it was interesting to see both the benefits of using prepared statements again for those injection attacks, but also then seeing some of the downside so like with the downsides or using prepared statements is depending on the context you're using them in.
They can actually end up using more Server resource is so this may not be appropriate.
If you've got a virtual machine right, you got a virtual machine.
Years interact with virtual machine.
Using a couple more compute cycles isn't gonna matter, but right, if you've got a production environment, you've got 10,000 users hitting your server every hour using prepared statements.
If you don't necessarily need that use, a prepared statement may increase your server load.
To a degree, that's unacceptable.
So with this again is just like anti virus is just like everybody has his idea, like with security, like Security is good and have ours is good.
Firewall is good.
And yet my 99% of time yeah, but it's seen anti emerges.
Oh, just oh, brutalized of machines.
And you run into that fraud like, you know, I'm saying, Like, if a hacker if a hacker crashes your system, is that worse than if the anti virus crashes?
Your system you got still gotta crash system right again, depending on what kind of world you're living in.
So again, with these prepared statements, if you're looking at using them any production environment, take a look, do some research about it.
It is very interesting things with, like, data cleansing s O.
There are ways to basically clean as the variables are sent as the values or created.
There's multiple different ways of actually trying to clean up those values again to do things like prevent sequel injection attacks and in a production environment, there may be another method of basically getting getting the ability to strip out possible sequel injection attacks that are not necessarily these prepared statements right again for you.
It's probably good if you're gonna put something out facing towards the Web.
You're not really.
You're not really worried about counting every compute cycle.
Prepared statements are probably five, but it's a type of thing to research and again to figure out how you're gonna d'oh things.
As I say, you know, there's 20 ways to skin a cat.
You just have to figure out the proper way.
How do I skin can't in this particular situation?
And I think that's what a lot of technology professionals and a lot of coders really don't think about.
They don't think about the context.
I don't think about the situation.
They just say, This is right.
This is wrong When a reality at the end of the day depends on depends on what you're dealing.
So anyways, that's Ah, that's, um, prepared statements for you regretted statements, basically allowing you to send the template from a statement and the values for the statement separately.
This helps prevent sequel injection attacks.
As always, I enjoy doing this class and for the next one, apparently the type of content you just saw is not what Susan W.
Wants for the future of YouTube.
This means that recommendations by YouTube to this channel have dropped massively, and views are becoming a comically small I hate to ask.
I used to say I would never ask, but if you could subscribe like common and most importantly, share the videos that you appreciate, that may help slow the death of this channel.
Do you remember that if anything at all happens to this channel, you can go to Eli, the computer guy dot com, to view the content and access information not available on YouTube.