How to fix this bug?

Category BUG: SQL Injection

$sql = "SELECT * FROM table WHERE field ='{$_GET['input']}'";

$sql = "SELECT * FROM table WHERE field =" . $_GET["input"];

mysql_query("SELECT SomeStoredProcName('{$_GET['input']}')");

mysql_query("SELECT SomeStoredProcName('" . $_GET["input"] . "')");

Don't use $_GET or user input directly in SQL statements.
User input needs to be filtered, validated and double checked.
Never trust anything.

Two threads merged

Have a look at https://www.owasp.org/index.php/Top_10_2010-A1

Always quote the input before using it in a where statement.

Remove any null characters (character code 0).

If the field you are searching against in the where clause is numeric then strip out any non-numeric characters from the input.
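The queries from the question rewritten with PDO prepared statements, as an added example that is not part of either answer above. It assumes a `table` with columns `field` and `id`, the stored function SomeStoredProcName from the question, and made-up connection credentials; the mysql_* extension used in the question is no longer available in current PHP, so PDO is used instead.

```php
<?php
// Added example (not from the thread). User input is passed to MySQL as a
// bound parameter, never spliced into the SQL text, which is the fix for
// the concatenated queries in the question.

function connect(): PDO {
    // Assumed DSN and credentials. Emulated prepares are disabled so the
    // server receives the statement and the parameters separately.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// String column: a placeholder replaces the quoted interpolation. Quotes or
// NUL bytes in $input are just characters of the value being compared.
function findRows(PDO $pdo, string $input): array {
    $stmt = $pdo->prepare('SELECT * FROM `table` WHERE field = :val');
    $stmt->execute([':val' => $input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric column (assumed `id`): validate the type first and reject bad
// input instead of silently stripping characters, then bind as an integer.
function findById(PDO $pdo, string $input): ?array {
    if (!ctype_digit($input)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM `table` WHERE id = :id');
    $stmt->bindValue(':id', (int) $input, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stored function call from the question, parameterised the same way.
function callStoredProc(PDO $pdo, string $input) {
    $stmt = $pdo->prepare('SELECT SomeStoredProcName(?)');
    $stmt->execute([$input]);
    return $stmt->fetchColumn();
}

$pdo = connect();
var_dump(findRows($pdo, $_GET['input'] ?? ''));
```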