Simple isn't always best. That's how I thought too when I was beginning PHP back in 2010. But I was totally wrong. Also that isn't filtering. That's just rewriting the URL to be pretty. Like
/spaceshiptrooper
instead of
/?id=224625
Apache isn't the package that is going to be dealing with user inputs. It'll be PHP who is doing it. And thus will bring us to prepared statements.
Prepared statements are supposed to separate user input from the SQL statement. If you deliberately stuff your variable in your SQL statement, someone can actually hack your website with ease. And it would really suck to be your users who are storing their personal information on your website. They could get their credit card stolen, identity theft, and if possible, you could face criminal charges if it gets even that far. That's only if a user gets really out of hand and calls the FBI on you. Not sure if that'll happen, but it could be possible since people's personal information is being stored where there is no security at all.
Anyways, back on topic. When you use prepared statements, you aren't deliberately stuffing your user input into your SQL statement and it separates user input from code.
So if someone wanted to use this line as their input
' UNION SELECT 1, 2, 3, …, n --
It will be nothing more than just a string that has no meaning. But if you don't use prepared statements, PHP will assume that
' UNION SELECT 1, 2, 3, …, n --
is part of your SQL statement, thus it might select all your tables from your database and display every single entry you have stored in whatever database you are using to a random user.
You can actually just do a Google search on it.
https://www.google.com/search?q=php+sql+injection
Heard of Bobby Tables?
As per your second question. It doesn't actually matter. If you want to redirect the user to a 404 page, that's fine. Same thing with displaying it to them right from the page. It's basically the same thing in a way since you are still displaying a 404 error message.
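The contrast described in this reply, as an added example that is not from the original post: the same lookup written by stuffing the input into the statement text and then as a PDO prepared statement, run against an in-memory SQLite table constructed here (table, rows and the `users`/`name` names are assumptions for the demo).

```php
<?php
// Added example, not the original poster's code. Builds a small SQLite table
// in memory so the two lookups below can be compared offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES
           ('spaceshiptrooper', 'st@example.com'),
           ('alice', 'alice@example.com')");

// Constructed input in the shape of the string quoted in the reply above.
$input = "' UNION SELECT 1, name, email FROM users --";

// "Deliberately stuffing" the variable into the SQL: the quote in the input
// closes the string literal and the rest of the input is parsed as SQL.
function lookupUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the statement text is fixed before any input is seen,
// and the input is bound as a value, so the entire string is just compared
// against the name column and never becomes part of the SQL.
function lookupPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The unsafe version returns every row in the table for this input; the
// prepared version returns no rows, because no user has that literal name.
echo 'Unsafe:   ' . count(lookupUnsafe($db, $input)) . " row(s)\n";
echo 'Prepared: ' . count(lookupPrepared($db, $input)) . " row(s)\n";
```

Requires the pdo_sqlite extension, which ships with most PHP builds.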