Jaber Ahmad

asked:

SQL security vulnerability

Hello everyone,

Merry Christmas and Happy New Year!

I just realized that my site has a security hole and am asking for your help.
Indeed, when I change the parameter of my link by adding an apostrophe at the end, I encounter an SQL error:

Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064

      // Value taken from the URL; htmlspecialchars() encodes HTML characters,
      // not SQL quotes, so it does not protect the query below.
      $key = htmlspecialchars($_GET['key']);

      // The value is concatenated straight into the SQL text (the flaw the
      // question is about): an apostrophe in $key breaks the statement.
      $res = $pdo->query("SELECT * FROM tab_produits WHERE libelle_tag='".$key."'");
      $data = $res->fetch(PDO::FETCH_ASSOC);

      if($data != 0) {
         echo $data["libelle_".LANGUE];
      } else {
         // no product with that tag
      }

Can you please help me correct this code so that this flaw is gone?
Thank you for your help

Kyle Abrahams, PMP answered:

Never pass $key directly from the form without first encoding it from earlier version that has been replaced with

This is what an SQL injection vulnerability is.
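As an added example (not the asker's code and not the Experts Exchange solution), here is the concatenated query from the question beside its prepared-statement replacement, run against an in-memory SQLite table constructed for the demonstration; it assumes the pdo_sqlite extension is enabled and that LANGUE is a constant such as 'fr' selecting the localized column, as in the question.

```php
<?php
// Added example; table, row and LANGUE are constructed here, not taken from the site.
const LANGUE = 'fr';

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tab_produits (libelle_tag TEXT, libelle_fr TEXT)");
$pdo->exec("INSERT INTO tab_produits VALUES ('chaise', 'Chaise en bois')");

// The pattern from the question: the value is concatenated into the SQL text.
// htmlspecialchars() encodes HTML characters, not SQL; with ENT_COMPAT (the
// default before PHP 8.1) a single quote passes through unchanged, which is
// why an apostrophe in the URL breaks the statement.
function lookupVulnerable(PDO $pdo, string $key): ?array
{
    $key = htmlspecialchars($key, ENT_COMPAT);
    $res = $pdo->query("SELECT * FROM tab_produits WHERE libelle_tag='" . $key . "'");
    $row = $res->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: a prepared statement sends the SQL and the value
// separately, so the value can never change the structure of the query.
function lookupSafe(PDO $pdo, string $key): ?array
{
    $stmt = $pdo->prepare("SELECT * FROM tab_produits WHERE libelle_tag = :tag");
    $stmt->bindValue(':tag', $key, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$input = "chaise'";   // constructed input: the trailing apostrophe the question describes

try {
    lookupVulnerable($pdo, $input);
} catch (PDOException $e) {
    // SQLite reports an unterminated string here, as MySQL reported error 1064 in the question.
    echo "vulnerable query failed: " . $e->getMessage() . PHP_EOL;
}

// With the prepared statement the quote is plain data: the lookup simply finds no row.
var_dump(lookupSafe($pdo, $input));

// Escape for HTML only at output time, not before the value reaches SQL.
$row = lookupSafe($pdo, 'chaise');
echo htmlspecialchars($row['libelle_' . LANGUE], ENT_QUOTES, 'UTF-8') . PHP_EOL;
```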
Jaber Ahmad

Thank you very much for your help!