1
00:00:00,420 --> 00:00:03,690
Let's briefly talk about SQL injection defenses.

2
00:00:03,720 --> 00:00:09,510
Now there are more than two defenses out here, but these are the two big ones, and really the biggest

3
00:00:09,510 --> 00:00:13,800
one is parameterized statements or parameterized queries.

4
00:00:13,800 --> 00:00:21,520
And what that means is it ensures the inputs, also known as parameters, are used safely in a SQL statement,

5
00:00:21,540 --> 00:00:25,170
so they're passed through the SQL statement safely.

6
00:00:25,170 --> 00:00:30,600
An example here I have are a good example and a bad example, so here's a good example.

7
00:00:30,690 --> 00:00:38,370
We've got select wildcard from users where email equals question mark. OK.

8
00:00:38,430 --> 00:00:40,740
And what does that mean?

9
00:00:40,740 --> 00:00:51,000
Well, the way we're passing data here is the parameter string is going to be passed separately, then the

10
00:00:51,030 --> 00:00:53,590
parameter is being provided.

11
00:00:53,800 --> 00:00:54,740
OK.

12
00:00:54,870 --> 00:01:01,290
In this statement here, where we say select wildcard from users where email equals and then we just

13
00:01:01,290 --> 00:01:10,040
provide the email as, like, a variable, it's going to take the entire SQL statement and it's going

14
00:01:10,040 --> 00:01:12,630
to provide it all at once.

15
00:01:12,650 --> 00:01:18,530
So these parameterized statements are really the way to go, and this is just responsible coding.

16
00:01:18,620 --> 00:01:18,940
OK.

17
00:01:18,950 --> 00:01:24,560
And this is when I said in the first video that SQL statements, or SQL injection attacks, are easy to

18
00:01:24,560 --> 00:01:25,560
prevent.

19
00:01:25,640 --> 00:01:26,190
They are.

20
00:01:26,210 --> 00:01:31,110
I mean, look at the difference in the code here, but you still get coding that comes out like this and

21
00:01:31,160 --> 00:01:33,770
allows for SQL injection attacks.
22
00:01:33,770 --> 00:01:38,150
The other idea behind this is to sanitize input.

23
00:01:38,150 --> 00:01:45,500
Remember when we had the single quote and we had the one equals one type statement, and that should never

24
00:01:45,500 --> 00:01:46,160
happen, right?

25
00:01:46,190 --> 00:01:52,580
So if we have that kind of statement, that should be sanitized, and you could sanitize all the way down

26
00:01:52,580 --> 00:02:00,740
to very specifics, like you should not have a single quote in there, or you can specify entire

27
00:02:00,740 --> 00:02:06,590
statements like the single quote or one equals one dash dash, for example. You could take that entire

28
00:02:06,590 --> 00:02:10,330
statement, say, "Hey, that's suspicious, I'm going to sanitize that."

29
00:02:10,370 --> 00:02:18,170
So ensuring that the input that is provided is not malicious is important as well, but we can prevent

30
00:02:18,170 --> 00:02:25,250
it here entirely with prepared statements by ensuring that the parameters are sent separately.

31
00:02:25,250 --> 00:02:26,020
Right.

32
00:02:26,030 --> 00:02:28,010
So that's really the big takeaway here.

33
00:02:28,010 --> 00:02:33,680
If you're asked on an interview how you can do this, parameterized statements should be your first answer.

34
00:02:33,680 --> 00:02:39,980
You can also talk about sanitizing input; that would go over well as well, but we're after no one here

35
00:02:39,980 --> 00:02:41,400
or we're interviewing.

36
00:02:41,420 --> 00:02:43,700
So that's it for here.

37
00:02:43,700 --> 00:02:48,170
We're going to go ahead and move on to the next attack, and I will see you over in the next video.
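As an added example (not code from the video or the course), the lesson's good and bad examples side by side in Python with sqlite3, run against the `' OR 1=1 --` input from the earlier video; the in-memory `users` table, the email values and the `is_suspicious` helper are constructed for this illustration.

```python
from __future__ import annotations

import sqlite3

# Constructed sample data (not from the video): a small in-memory users table.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
_conn.executemany(
    "INSERT INTO users (id, email) VALUES (?, ?)",
    [(1, "alice@example.com"), (2, "bob@example.com"), (3, "carol@example.com")],
)
_conn.commit()

# The input discussed in the video: a single quote, OR 1=1, and a comment marker.
PAYLOAD = "' OR 1=1 --"


def lookup_vulnerable(email: str) -> list[tuple]:
    """The bad example: the input is glued into the SQL text, so the database
    parses the quote, the OR 1=1 and the comment as part of the statement and
    the WHERE clause becomes true for every row."""
    query = f"SELECT id, email FROM users WHERE email = '{email}'"
    return _conn.execute(query).fetchall()


def lookup_safe(email: str) -> list[tuple]:
    """The good example: the SQL text with a ? placeholder is sent as-is and the
    value is supplied separately, so it can only ever be compared as data."""
    return _conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


def is_suspicious(value: str) -> bool:
    """The second defense from the video, as a hypothetical helper: flag input
    that contains a single quote or the OR 1=1 pattern. Useful as defence in
    depth for logging or rejecting input, but it does not replace
    parameterization, which removes the problem regardless of input shape."""
    squeezed = value.lower().replace(" ", "")
    return "'" in value or "or1=1" in squeezed


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(PAYLOAD))  # every row comes back
    print("safe:      ", lookup_safe(PAYLOAD))        # []
    print("flagged:   ", is_suspicious(PAYLOAD))      # True
```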