Typo and missing link for SQL injections

This commit is contained in:
christian studer
2014-06-30 13:37:13 +02:00
parent de4495fac2
commit de8cef6c7d

@@ -61,7 +61,7 @@ $pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO!
{% endhighlight %} {% endhighlight %}
This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a
heartbeat, using a practice called [SQL Injecton]. Just imagine if a hacker passes in an inventive `id` parameter by calling a URL like heartbeat, using a practice called [SQL Injection](http://wiki.hashphp.org/Validation). Just imagine if a hacker passes in an inventive `id` parameter by calling a URL like
`http://domain.com/?id=1%3BDELETE+FROM+users`. This will set the `$_GET['id']` variable to `1;DELETE FROM users` `http://domain.com/?id=1%3BDELETE+FROM+users`. This will set the `$_GET['id']` variable to `1;DELETE FROM users`
which will delete all of your users! Instead, you should sanitize the ID input using PDO bound parameters. which will delete all of your users! Instead, you should sanitize the ID input using PDO bound parameters.
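Review bot: The closing sentence of the hunk, "you should sanitize the ID input using PDO bound parameters", conflates two different defenses and is worth rewording while this line is being touched: bound parameters do not sanitize the value, they keep it out of the SQL text entirely, so the untouched `1;DELETE FROM users` is sent to the server as data rather than as part of the statement. Suggest "Instead, pass the ID as a bound parameter of a PDO prepared statement" so readers do not go looking for a sanitizing function. The inline link also resolves the old reference-style `[SQL Injecton]`, which had no matching link definition and rendered as literal brackets; a minor style point is that the bare `http://` URL to the wiki could be `https://` if the site supports it.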