![1.5 Mark Question I wo You have the following two tables in a MySQL database called it230 order statuses user PK int(11) varchar(30) PK varchar(32) varchar(32) user name You also have the following track.php page that allows a user to enter an order chtnl> <body> cforn action-track.php method-post Please enter your order number to track the status of your order cinput type-text nane-order_nunber>br> cinput type-subnit value-Track <fon> c/body </html> <?php if isset(S POST order_number1)) Sconn- mysqli connect( localhost, root, it23e) POST[order_nunber qSELECT status FROM arder statuses HERE order_nuber- Sresult nysqli query(sconn, $sql); If (mysqli-num-rows($result) > ?)( ro ysqli fetch assac(Sresult) echo Your order is: .Sron status1: else ( echo We apologize, your order was not found nysqli close($conn); 2> number and then connects to the database to return the status of that order Suppose that a user types the following into the order number field in the page 1. What will happen? [0.25 mark] 2. What do we call this type of attack? [0.25 mark] 3.Re-write track.php so, it prevents this attack. [1 mark] 1 union select concat(user_name password) as status from users;](http://img.homeworklib.com/questions/629ca400-0b50-11ec-995e-637fbb4d7c33.png?x-oss-process=image/resize,w_560)
Homework Answers
1. present database dump will cometo web page.
2.SQL Injection.
3.To avoid the sql injection attack use the prepared statements instead of normal query.....find code snippet of track .php under below.....
<?php
if(isset($_POST["ordernumber"])){
$ordernumber = $_POST["ordernumber"];
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "it230";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// prepare and bind
$stmt = $conn->prepare("SELECT status FROM order_statuses WHERE
order_number=?");
$stmt->bind_param("s", $ordernumber);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows === 0) {
echo "we apologize,your order was not found";
}
else{
$row = $result->fetch_assoc();
echo "your order is : ".$row['status'];
}
$stmt->close();
$conn->close();
?>
Most questions answered within 3 hours.
-
Where is the error in this code sequence?
String s1 = "Hello";
String s2 = "ello";...
asked 10 months ago -
Financial data for Joel de Paris, Inc., for last year
follow:
Joel de Paris, Inc.
Balance...
asked 10 months ago -
Consider this reaction:
Al2(SO4)3 (aq)+ BaCl3
(aq) Al2Cl6 (aq)- +
3BaSO4(s) . What is the...
asked 10 months ago -
Suppose that Savneet is considering increasing her
recent random sample from 20 car rentals to 40...
asked 10 months ago -
Trucks arrive at an unloading terminal at an average rate of 120
per hour.
Trucks arrive...
asked 10 months ago -
Why are methanol and ethanol completely soluble in water while
octanol is not very little soluble....
asked 10 months ago -
A facilities manager at a university reads in a research report
that the mean amount of...
asked 10 months ago -
When the CuSO4 is rehydrated by adding water to the anhydrous
compound, is this an endothermic...
asked 10 months ago -
A ray of sunlight is passing from diamond into crown glass; the
angle of incidence is...
asked 10 months ago -
A block of mass 0.249 kg is placed on top of a light, vertical
spring of...
asked 10 months ago -
how do the kidneys compensate in the presences of acidosis
a) trigger hyperventilate
b) reserve acid...
asked 10 months ago -
Question 501 pts
The rental rate of capital to the firm increases. Which of the
following...
asked 10 months ago