Merge pull request #160 from briannesbitt/patch-4

Changed $id to $_GET['id'] to match code
Phil Sturgeon
2012-08-05 11:40:55 -07:00


@@ -38,7 +38,7 @@ $pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO!
This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a
heartbeat. Just imagine if a hacker passes in an inventive `id` parameter by calling a URL like heartbeat. Just imagine if a hacker passes in an inventive `id` parameter by calling a URL like
`http://domain.com/?id=1%3BDELETE+FROM+users`. This will set the `$id` variable to `id=1;DELETE FROM users` `http://domain.com/?id=1%3BDELETE+FROM+users`. This will set the `$_GET['id']` variable to `id=1;DELETE FROM users`
which will delete all of your users! Instead, you should sanitize the ID input using PDO bound parameters. which will delete all of your users! Instead, you should sanitize the ID input using PDO bound parameters.
{% highlight php %} {% highlight php %}
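Review bot: the value quoted on the right-hand side of the `$_GET['id']` line is still wrong after this change: for the URL `http://domain.com/?id=1%3BDELETE+FROM+users`, `$_GET['id']` holds `1;DELETE FROM users` (`%3B` decodes to `;` and `+` to a space); the leading `id=` is the query-string key, not part of the value, so the sentence should read "This will set `$_GET['id']` to `1;DELETE FROM users`". Since this PR is already touching that sentence to match the code, it is the natural place to drop the stray `id=`. The next line's "sanitize the ID input using PDO bound parameters" also mislabels the fix: bound parameters keep the value out of the SQL text entirely rather than cleaning it, so "pass the ID as a PDO bound parameter" describes what the highlighted code below actually does.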