Jesse Orange - 2 years ago
MySQL Question

Is this query vulnerable to SQL injection attacks?

I have been given a project to complete; in the backend there are SQL statements doing various things, as you'd expect.

In the past I have used PDO to construct SQL queries that use parameterisation to avoid injection attacks.

Whilst reading through the code I noticed many queries in the form of:

$sql = "SELECT * FROM detail WHERE email ='$email'";
$query = mysqli_query($dbcon, $sql);

With no parameterisation or cleaning of input.

Is this type of query vulnerable? Should there not be some form of parameterisation and, more importantly, should I explain the risks involved, as it seems the developer was unaware of the risk?

Answer

Yes, it is.

But you can use this with mysqli:

So with your data it will be like:

$prepare = $dbcon->prepare("SELECT * FROM detail WHERE email = ?");
$prepare->bind_param("s", $email);
$prepare->execute();
$result = $prepare->get_result();
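As an added example (not part of the question or the answer), the prepare/bind_param pattern above completed into a reusable lookup that also executes the statement, fetches the rows and surfaces driver errors. It assumes `$dbcon` is an open `mysqli` connection and the `detail` table from the question; the function name `findByEmail` and the sample address are constructed for the example.

```php
<?php
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false, so a
// failed prepare() or execute() cannot be mistaken for "no matching rows".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Return every row of `detail` whose email matches $email exactly.
 *
 * The SQL text is fixed at prepare() time; $email reaches the server as a
 * bound value, so quotes, semicolons or comment markers inside it are data,
 * never SQL syntax. This is the property the interpolated
 *   "SELECT * FROM detail WHERE email ='$email'"
 * from the question does not have.
 */
function findByEmail(mysqli $dbcon, string $email): array
{
    $stmt = $dbcon->prepare("SELECT * FROM detail WHERE email = ?");
    $stmt->bind_param("s", $email);   // "s": bind the value as a string

    $stmt->execute();

    // get_result() needs the mysqlnd driver (PHP's default since 5.4);
    // fetch_all(MYSQLI_ASSOC) returns the rows as associative arrays.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();

    return $rows;
}

// Constructed input: an apostrophe is legal in the local part of an address.
// Interpolated into the original query string it would produce
//   ... WHERE email ='o'brien@example.com'
// and break the quoting; bound as a parameter it is simply compared.
$email = "o'brien@example.com";

foreach (findByEmail($dbcon, $email) as $row) {
    echo $row['email'], PHP_EOL;
}
```

With `MYSQLI_REPORT_STRICT` enabled, a malformed query or a lost connection raises `mysqli_sql_exception`, so callers should catch it at the request boundary rather than treating an empty array as the only failure signal.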