Asked by Jaber Ahmad (Côte d'Ivoire)
SQL security vulnerability

Hello everyone,

Merry Christmas and Happy New Year!

I just realized that my site has a security hole and I am asking for your help.
Indeed, when I change the parameter of my link by adding an apostrophe at the end, I encounter an SQL error:
https://domain.com/product.php?key=COLOGNE%27

Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064


   if (isset($_GET['key'])) {
      // htmlspecialchars() only escapes HTML metacharacters for output; it does not
      // make a value safe for SQL (and before PHP 8.1 its default flags leave the
      // single quote untouched, which is why the apostrophe reaches the query).
      $key = htmlspecialchars($_GET['key']);

      // The user-controlled $key is concatenated straight into the SQL text,
      // so a quote in the parameter breaks (or changes) the statement.
      $res = $pdo->query("SELECT * FROM tab_produits WHERE libelle_tag='".$key."'");
      $data = $res->fetch(PDO::FETCH_ASSOC);

      // fetch() returns false when no row matches
      if ($data != 0) {
         echo $data["libelle_".LANGUE];
      } else {
         echo NOS_RECOMMANDATIONS;
      }
   }


Could you please help me correct this code so that this flaw is gone?
Thank you for your help.

ASKER CERTIFIED SOLUTION
Kyle Abrahams, PMP (United States of America)

Never pass $key directly from the form without first encoding it.

https://www.php.net/manual/en/function.mysql-real-escape-string.php from an earlier version, which has been replaced with
https://www.php.net/manual/en/pdo.quote.php

This is what an SQL injection vulnerability is.
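The following is an added example, not the asker's code or the answerer's: it places the vulnerable query from the question next to a prepared-statement version and next to the PDO::quote() variant the answer links to, and runs all three against the apostrophe input from the question. It uses an in-memory SQLite database so it runs stand-alone; the table and column names (tab_produits, libelle_tag, libelle_ + LANGUE) and the NOS_RECOMMANDATIONS constant come from the question, while the sample rows, the LANGUE value and the helper function names are constructed here.

```php
<?php
// Added example (not code from the original page). Runs stand-alone on PHP
// with the pdo_sqlite extension; the rows below are constructed sample data.
declare(strict_types=1);

const LANGUE = 'fr';                          // assumed value for the question's constant
const NOS_RECOMMANDATIONS = 'Our recommendations'; // assumed value for the question's constant

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tab_produits (libelle_tag TEXT, libelle_fr TEXT, libelle_en TEXT)');
$pdo->exec("INSERT INTO tab_produits VALUES ('COLOGNE', 'Eau de Cologne', 'Cologne water')");

// 1. The pattern from the question: the user value is concatenated into the SQL text,
//    so a quote in the parameter is parsed as part of the statement.
function lookupVulnerable(PDO $pdo, string $key): ?array
{
    $res = $pdo->query("SELECT * FROM tab_produits WHERE libelle_tag='" . $key . "'");
    $row = $res->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Prepared statement with a bound parameter: the value travels separately from
//    the SQL text and is only ever treated as data. This is the preferred fix.
function lookupPrepared(PDO $pdo, string $key): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM tab_produits WHERE libelle_tag = :key');
    $stmt->execute([':key' => $key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. The variant the answer links to: PDO::quote() escapes and wraps the value in
//    quotes for the driver in use. It works, but it is easy to forget on one
//    parameter, which is why binding (2) is the safer habit.
function lookupQuoted(PDO $pdo, string $key): ?array
{
    $res = $pdo->query('SELECT * FROM tab_produits WHERE libelle_tag = ' . $pdo->quote($key));
    $row = $res->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output encoding belongs here, when the value is written into HTML,
// not on the value that goes into the SQL statement.
function render(?array $row): string
{
    return htmlspecialchars($row['libelle_' . LANGUE] ?? NOS_RECOMMANDATIONS, ENT_QUOTES);
}

// The benign key and the apostrophe key from the question.
foreach (['COLOGNE', "COLOGNE'"] as $key) {
    try {
        echo "vulnerable [$key]: " . render(lookupVulnerable($pdo, $key)) . "\n";
    } catch (PDOException $e) {
        // Same failure class as the 1064 error in the question: the quote broke the SQL.
        echo "vulnerable [$key]: SQL error: " . $e->getMessage() . "\n";
    }
    echo "prepared   [$key]: " . render(lookupPrepared($pdo, $key)) . "\n";
    echo "quoted     [$key]: " . render(lookupQuoted($pdo, $key)) . "\n";
}
```

With the plain key all three functions return the product row; with the apostrophe key the concatenated query throws a PDOException while the prepared and quoted versions simply find no matching row and fall back to NOS_RECOMMANDATIONS. The same pattern applies unchanged to the MySQL driver the question uses: only the DSN differs.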

ASKER

Thank you very much for your help!