• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 398

PHP/MySQL Query and SQL Injection

Is this a really bad query?

SELECT * FROM categories WHERE categoryID = 5

Could something like this leave me vulnerable to SQL Injection?  How do I prevent it?  I'm using Dreamweaver to create my PHP pages and then customizing when necessary.  
Asked by: ssailer
2 Solutions
 
slyong commented:
Well the query itself is not vulnerable to SQL Injection.  However, if you are doing your PHP like this:

$query = "SELECT * FROM categories WHERE categoryID = " . $catID;

There is a possibility that someone puts in a query string to do the injection.  A fast way to prevent SQL injection would be:

$catID = mysql_real_escape_string($catID);
$query = "SELECT * FROM categories WHERE categoryID = " . $catID;

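An added example, not code from the thread, that runs the concatenation pattern from the answer above against a throwaway database and contrasts it with the approach a defender would use: validate the ID as an integer and bind it in a prepared statement. It assumes PDO with an in-memory SQLite database as a stand-in for the MySQL connection (so it runs offline), a small escape helper standing in for mysql_real_escape_string() because that function needs a live MySQL link, and the table and column names from the question.

```php
<?php
// Added example, not from the thread. PDO with an in-memory SQLite database
// stands in for the MySQL connection so this runs offline; in production the
// DSN would be a MySQL one (placeholder, e.g. 'mysql:host=HOST;dbname=DB').
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE categories (categoryID INTEGER PRIMARY KEY, name TEXT)');
// Constructed sample rows.
$pdo->exec("INSERT INTO categories VALUES (5, 'Books'), (6, 'Music'), (7, 'Film')");

// Stand-in for mysql_real_escape_string(), which needs a live MySQL link:
// backslash-escapes the same characters (NUL, \n, \r, \, ', ", Ctrl-Z).
function escapeLikeMysql(string $value): string
{
    return addcslashes($value, "\0\n\r\\'\"\x1a");
}

// 1. The pattern from the answer above: the value is pasted into the SQL text.
function findByConcat(PDO $pdo, string $catID): array
{
    $query = "SELECT * FROM categories WHERE categoryID = " . $catID;
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaped first, but still unquoted. Escaping only neutralises quote and
//    control characters; an unquoted numeric position needs none of those,
//    so the escaped string is identical and the query is unchanged.
function findByEscaped(PDO $pdo, string $catID): array
{
    $catID = escapeLikeMysql($catID);
    $query = "SELECT * FROM categories WHERE categoryID = " . $catID;
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Validate the type, then bind. The SQL text is fixed at prepare time and
//    the value travels as a parameter, so it can never be parsed as SQL.
function findByPrepared(PDO $pdo, string $catID): array
{
    $id = filter_var($catID, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                      // not an integer: reject, do not query
    }
    $stmt = $pdo->prepare('SELECT * FROM categories WHERE categoryID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the value the page expects, and the textbook case the
// escape step does not catch. Each line reports the row count per approach.
foreach (['5', '5 OR 1=1'] as $input) {
    printf("input %-10s concat=%d escaped=%d prepared=%d rows\n",
        "'$input'",
        count(findByConcat($pdo, $input)),
        count(findByEscaped($pdo, $input)),
        count(findByPrepared($pdo, $input)));
}
```

For the plain value all three functions return the single matching row. For the second input the first two functions return every row in the table, because escaping changes nothing in an unquoted numeric position, while the third rejects it before any query is sent. The same validate-then-bind shape works unchanged with a MySQL DSN; only the connection line differs.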
 
ssailer (Author) commented:
So, if I enter a fixed value, instead of a parameter, it should be okay?
 
slyong commented:
Yup
 
ncollings commented:
If the query is hard coded in your PHP and none of the parameters come from the browser, then it would be very difficult to exploit.