I’ve recently come across the SQL code injection technique on https://www.w3schools.com/sql/sql_injection.asp , and have been subsequently searching for a more comprehensive website to learn how to protect my server against this technique.
My problem is that most websites refer to using PHP (Hypertext Preprocessor) Language when protecting against SQL injection.
Therefore my question is, do I need to learn PHP before I can protect against SQL Injection, or is it enough to just use SQL Parameters for Protection?
EDIT: If you’ve stumbled upon this trying to prevent SQL injection using PHP, then I thought I might add this web link to a website that has taught me how to do so:
I don’t think it’s as simple as not executing code from the user, for example take a user log in. The user has to input values in order to gain access, and I myself have to grant access to users with valid credentials.
That’s what SQL injection is. The user writes a value, what they write gets included in the query, and the whole thing gets executed, including what the user wrote. Bad separation between data and code.
The user input might be supposed to go between quotes, but if the user includes a quote, then they broke out of their string, and the rest of that user input is now treated as code.
Similarly, a program might let you store data, but not run commands. But if you find a way to get the program to execute in the memory location where the data is (typically by exceeding some limit a programmer thought was high enough but isn’t enforcing), then you can run commands anyway.
Someone I wrote a bot with wanted to convert text to integers, so they executed the text – it was possible to control the bot’s computer by chatting.
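As an added example (not code from any poster here), the login check described above built both ways in Python with sqlite3: string concatenation, where a quote in the input ends the string literal and the rest is parsed as SQL, beside a parameterised query, where the values travel separately from the fixed SQL text. The table, account and inputs are constructed for the demo; the parameter mechanism itself is the same one every database client offers, PHP included.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one demo account (not real data).
    Real systems store password hashes; the point here is only how the
    query is built."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user text is pasted into the SQL string, so a quote in
    the input closes the literal and the remainder is executed as code."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Safe: the SQL text is fixed; values are bound as parameters, so a
    quote in the input stays inside the data and never becomes code."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both versions against valid credentials and against the textbook
    quote-breakout input; returns the outcomes so they can be checked."""
    conn = make_db()
    tricky = "' OR '1'='1"  # constructed input containing a quote
    return {
        "concat_valid": login_concat(conn, "alice", "correct horse"),
        "concat_tricky": login_concat(conn, tricky, tricky),  # True: logged in with no credentials
        "param_valid": login_param(conn, "alice", "correct horse"),
        "param_tricky": login_param(conn, tricky, tricky),    # False: treated as plain text
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```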