From de8cef6c7d0bb68591018f4d07fcddcff322a14a Mon Sep 17 00:00:00 2001
From: christian studer
Date: Mon, 30 Jun 2014 13:37:13 +0200
Subject: [PATCH] Typo and missing link for SQL injections

---
 _posts/07-01-01-Databases.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_posts/07-01-01-Databases.md b/_posts/07-01-01-Databases.md
index 7d16f2a..a314cfa 100644
--- a/_posts/07-01-01-Databases.md
+++ b/_posts/07-01-01-Databases.md
@@ -61,7 +61,7 @@ $pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO!
 {% endhighlight %}
 This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a
-heartbeat, using a practice called [SQL Injecton]. Just imagine if a hacker passes in an inventive `id` parameter by calling a URL like
+heartbeat, using a practice called [SQL Injection](http://wiki.hashphp.org/Validation). Just imagine if a hacker passes in an inventive `id` parameter by calling a URL like
 `http://domain.com/?id=1%3BDELETE+FROM+users`. This will set the `$_GET['id']` variable to `1;DELETE FROM users` which
 will delete all of your users! Instead, you should sanitize the ID input using PDO bound parameters.