From 45b3dcef9ada8a52e697e10bfaaf8f7cae577546 Mon Sep 17 00:00:00 2001
From: Brian Nesbitt
Date: Sun, 5 Aug 2012 00:51:09 -0300
Subject: [PATCH] Changed $id to $_GET['id']

Updated variable name in text to match code.
---
 _posts/06-01-01-Databases.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_posts/06-01-01-Databases.md b/_posts/06-01-01-Databases.md
index ad51706..c9c46c7 100644
--- a/_posts/06-01-01-Databases.md
+++ b/_posts/06-01-01-Databases.md
@@ -38,7 +38,7 @@ $pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO!
 This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a heartbeat. Just imagine if a hacker passes in an inventive `id` parameter by calling a URL like
-`http://domain.com/?id=1%3BDELETE+FROM+users`. This will set the `$id` variable to `id=1;DELETE FROM users`
+`http://domain.com/?id=1%3BDELETE+FROM+users`. This will set the `$_GET['id']` variable to `id=1;DELETE FROM users`
 which will delete all of your users! Instead, you should sanitize the ID input using PDO bound parameters.
 {% highlight php %}