Jaber Ahmad asked:

SQL security vulnerability

Hello everyone,

Merry Christmas and Happy New Year!

I just realized that my site has a security hole and am asking for your help.
Indeed, when I change the parameter of my link by adding an apostrophe at the end, I get an SQL error:
https://domain.com/product.php?key=COLOGNE%27

Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064


   if(isset($_GET['key'])){
      // htmlspecialchars() only encodes HTML metacharacters (<, >, &, ");
      // it is not an SQL escaping function, and with its default flags a
      // single quote passes through unchanged.
      $key = htmlspecialchars($_GET['key']);

      // The user-controlled value is concatenated straight into the SQL text,
      // so a quote in $key terminates the string literal and breaks the query.
      $res = $pdo->query("SELECT * FROM tab_produits WHERE libelle_tag='".$key."'");
      $data = $res->fetch(PDO::FETCH_ASSOC);

      // fetch() returns false when no row matches.
      if($data != 0) {
         echo $data["libelle_".LANGUE];
      } else {
         echo NOS_RECOMMANDATIONS;
      }
   }


Can you please help me correct this code so that this flaw is gone?
Thank you for your help

Tags: SQL, Security, PHP

Jaber Ahmad

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Kyle Abrahams

arnold

Never pass $key directly from the form without first encoding it.

https://www.php.net/manual/en/function.mysql-real-escape-string.php from an earlier version, which has been replaced with
https://www.php.net/manual/en/pdo.quote.php

This is what an SQL injection vulnerability is.
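The standard fix for the snippet in the question is a PDO prepared statement, which keeps the user value out of the SQL text entirely so a quote cannot change the query. The following is an added example, not code from the asker or from either expert; it assumes an existing $pdo connection and the LANGUE and NOS_RECOMMANDATIONS constants used in the original snippet.

```php
<?php
// Added example: same product lookup, rewritten with a PDO prepared statement.
// Assumptions: $pdo is an open PDO connection; LANGUE and NOS_RECOMMANDATIONS
// are defined elsewhere, as in the original snippet.

// Surface driver errors as exceptions instead of silently returning false.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use real server-side prepared statements rather than client-side emulation.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

/**
 * Look up one product by its tag. Returns the row, or null when nothing matches.
 */
function findProductByTag(PDO $pdo, string $key): ?array
{
    // The SQL text contains only a placeholder; the value travels separately,
    // so an apostrophe (or anything else) in $key is just data, never syntax.
    $stmt = $pdo->prepare('SELECT * FROM tab_produits WHERE libelle_tag = :key');
    $stmt->bindValue(':key', $key, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // fetch() returns false when there is no row; use a strict check.
    return $row === false ? null : $row;
}

if (isset($_GET['key'])) {
    // No htmlspecialchars() on input: it is an HTML output encoder, not an SQL
    // escaper, and encoding here would make the stored tag fail to match.
    $data = findProductByTag($pdo, (string) $_GET['key']);

    if ($data !== null) {
        // Encode at output time, where the value is placed into HTML.
        echo htmlspecialchars($data['libelle_' . LANGUE], ENT_QUOTES, 'UTF-8');
    } else {
        echo NOS_RECOMMANDATIONS;
    }
}
```

With this in place the request in the question (key=COLOGNE') simply finds no product and shows the recommendations, instead of raising a syntax error.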
Jaber Ahmad

ASKER
Thank you very much for your help!