Solved

PHP/MySQL Query and SQL Injection

Posted on 2010-09-07
Last Modified: 2013-12-13
Is this a really bad query?

SELECT * FROM categories WHERE categoryID = 5

Could something like this leave me vulnerable to SQL Injection?  How do I prevent it?  I'm using Dreamweaver to create my PHP pages and then customizing when necessary.  
Question by:ssailer
4 Comments
 
LVL 24

Accepted Solution

by:
slyong earned 400 total points
ID: 33618731
Well the query itself is not vulnerable to SQL Injection.  However, if you are doing your PHP like this:

$query = "SELECT * FROM categories WHERE categoryID = " . $catID;

There is a possibility that someone put in a query string to do the injection.  A fast way to prevent SQL injection would be:

$catID = mysql_real_escape_string($catID);
// escaping only neutralises quote characters, so the escaped value must also
// be quoted in the SQL; an unquoted number gets no protection from the escape
$query = "SELECT * FROM categories WHERE categoryID = '" . $catID . "'";

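The accepted answer above describes the pattern in words; the following is an added example, not code from the question or any of the answers, showing the concatenated query beside two safer forms. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table, its rows and the request value are all constructed here for illustration.

```php
<?php
// Added example: contrasts a concatenated query with an integer cast and with
// a prepared statement. Schema and rows are constructed for this demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (categoryID INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories VALUES (5, 'Books'), (6, 'Music'), (7, 'Games')");

// Counts rows returned by an already-built SQL string (used for the unsafe case).
function countRows(PDO $db, string $sql): int
{
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Counts rows with the value passed as a bound parameter, never as SQL text.
function countRowsPrepared(PDO $db, string $catID): int
{
    $stmt = $db->prepare('SELECT * FROM categories WHERE categoryID = :id');
    $stmt->bindValue(':id', $catID, PDO::PARAM_STR);
    $stmt->execute();
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Simulated request parameter, as it would arrive in $_GET['categoryID'].
// Constructed value that is not a plain number: the attacker-controlled case.
$catID = '5 OR 1=1';

// 1) Vulnerable: the raw string becomes part of the SQL, so the condition is
//    rewritten and every row comes back.
$vulnerable = "SELECT * FROM categories WHERE categoryID = " . $catID;
echo countRows($db, $vulnerable) . " rows from the concatenated query\n";      // 3

// 2) Cheap fix for a numeric column: coerce to int before building the query.
//    '5 OR 1=1' becomes 5; anything non-numeric becomes 0 and matches nothing.
$castQuery = "SELECT * FROM categories WHERE categoryID = " . (int) $catID;
echo countRows($db, $castQuery) . " row from the int-cast query\n";            // 1

// 3) Preferred fix: a prepared statement. The whole string is a value compared
//    against categoryID, so the tampered input matches no row and a normal
//    input matches exactly the intended one.
echo countRowsPrepared($db, $catID) . " rows from the prepared statement\n";   // 0
echo countRowsPrepared($db, '5') . " row from the prepared statement\n";       // 1
```

The int cast is enough for a single numeric column such as categoryID, but it does not generalise to text columns; the prepared statement does, and it also removes the need to remember which values were escaped and which were quoted.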

Author Comment

by:ssailer
ID: 33618760
So, if I enter a fixed value, instead of a parameter, it should be okay?
LVL 24

Expert Comment

by:slyong
ID: 33618907
Yup
LVL 3

Assisted Solution

by:ncollings
ncollings earned 100 total points
ID: 33618919
If the query is hard-coded in your PHP and none of the parameters come from the browser, then it would be very difficult to exploit.
