I am thinking of an example like this:
The request gets to the page at the URL (using some means) with the parameter: example.com/api/page?name=bob. I understand that you have to make a prepared statement to get the parameter $_POST['name'] and make sure that it is not something scary, but it does it by evaluating the expression.
My first question is: how to do this (evaluate the expression)?
My second question: what if the user enters something like "SELECT * FROM users" or "DROP TABLE users", which is passed to the parameter $_POST['name'] (?name=bob at the end)? What will happen in this case?
As an example, the final query will look like

    SELECT name, continent FROM world
    WHERE continent IN
    (SELECT continent FROM world WHERE name='Brazil')

The second SELECT acts as a user input parameter - therefore $_POST['name'] contains this query: SELECT continent FROM world WHERE name='Brazil'
Finally, the third question I have is, how can I protect against something like that?
I assume PDO is specifically designed to prevent a query within a query (?), but after reading a bit, I'm still quite confused.
I am still studying all this, so if I am not clear or detailed enough in my request, please let me know and I will try to address this.
EDIT:
To eliminate the confusion, I do the following:
    // DSN left out here ('..'); the SQL text below is fixed before any user data is seen
    $pdo = new PDO('..');
    $sql = 'SELECT id FROM users WHERE username = :username';
    // prepare() sends the statement with the :username placeholder to the driver
    $statement = $pdo->prepare($sql);
    // bindParam() binds the variable by reference; its value is read at execute() time
    $statement->bindParam(':username', $_POST['username']);
    $statement->execute();
    $rows = $statement->fetchAll(PDO::FETCH_ASSOC);

The question is, what if $_POST['username'] contains 'SELECT * FROM users' (or any other query)? How does prepare() work? Can someone explain whether this is really a security hole? I need help understanding this.
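An added example (not from the question above) that runs the same prepared-statement pattern against an in-memory SQLite database, so the DSN, the users table and the sample inputs are all constructed here; it shows what prepare() plus a bound value does with the inputs the question asks about, next to plain string concatenation for contrast:

```php
<?php
// Constructed stand-in for the real database: an in-memory SQLite file.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('bob'), ('o''brien')");

// Parameterised lookup: the SQL text is fixed at prepare() time and the bound
// value travels separately, so it can only ever be compared against the column.
function findUserPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Concatenated lookup, shown only for contrast: here the input becomes part
// of the SQL text, so a single quote inside it changes the statement itself.
function findUserConcatenated(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs standing in for $_POST['username'].
$inputs = ['bob', 'SELECT * FROM users', 'DROP TABLE users', "o'brien"];

foreach ($inputs as $input) {
    $label = var_export($input, true);
    $rows = findUserPrepared($pdo, $input);
    printf("prepared     %-22s -> %d row(s)\n", $label, count($rows));
    try {
        $rows = findUserConcatenated($pdo, $input);
        printf("concatenated %-22s -> %d row(s)\n", $label, count($rows));
    } catch (PDOException $e) {
        // The apostrophe in o'brien ended the string literal early: the
        // concatenated input was parsed as SQL rather than treated as data.
        printf("concatenated %-22s -> SQL error: %s\n", $label, $e->getMessage());
    }
}
```

With the prepared statement, 'SELECT * FROM users' and 'DROP TABLE users' are simply usernames that match no row, and o'brien is found correctly; only the concatenated version lets the input alter the statement. On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client library, keeps query text and data apart.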