add test sql injection, add protectin agains it (lvl. 1)

Zweites Jahr/unterrichts_projekt/pdo_test.php

@@ -16,18 +16,22 @@
     $dbh = db_connect();
 
     // get data from fields:
-    $u_firstname = $_REQUEST['firstname'];
-    $u_lastname = $_REQUEST['lastname'];
-    $u_email = $_REQUEST['email'];
+    $u_firstname = $dbh->quote($_REQUEST['firstname']);
+    $u_lastname = $dbh->quote($_REQUEST['lastname']);
+    $u_email = $dbh->quote($_REQUEST['email']);
 
     // definiert den SQL befehl um
     // einen Nutzer korrekt in der DB anzulegen
-    $addUser="INSERT INTO user VALUES(
-    NULL,
-    '$u_firstname',
-    '$u_lastname',
-    '$u_email'
-    )";
+    $addUser="INSERT INTO user VALUES (
+    NULL,  
+    $u_firstname, 
+    $u_lastname,
+    $u_email   
+    );";
+
+    echo $addUser."</br>";
+
+    // TEST SQL INJECTION: '); DELETE FROM user WHERE (u_email LIKE '%
 
     // Versucht code auszufügen (try{...}) wenn das fehlschlägt
     // nimmt er sich den error und es wird anderer code ausgeführt 
@@ -48,11 +52,18 @@
         //echo "<br> Error Message: $errMsg";
         //echo "<br> Error-Code: $errCode";
 
+        $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+
+        echo "<h3>FEHLER:</h3>";
+        echo "<pre>" . $e->getCode() . ": " . $e->getMessage() . "</pre>";
+        echo "<h3>DEINE SQL:</h3><pre>" . $addUser . "</pre>";
+
         switch ($errCode) {
             case "23000": $custErrMsg = "<p>Email-Adress already exists</p>"; break;
             default: $custErrMsg = "<p>Oooooops, something went wrong!</p>"; 
         }
     }
+    
     echo $custErrMsg;
 
     // ####################################

Zweites Jahr/unterrichts_projekt/sql-injection.md

@@ -0,0 +1,9 @@
+## Test SQL Injection
+
+```sql
+INSERT INTO user VALUES(
+    NULL,
+    '$u_firstname',
+    '$u_lastname',
+    ''); DELETE FROM user WHERE (u_email LIKE '%');
+```