Jesse Orange - 3 months ago 17
MySQL Question

Is this query vulnerable to SQL Injection attacks?

I have been given a project to complete, in the backend there are SQL statements doing various things, as you'd expect.

In the past I have used PDO to construct SQL queries that use parameterisation to avoid injection attacks.

Whilst reading through the code I noticed many queries in the form of:

$sql = "SELECT * FROM detail WHERE email ='$email'";
$query = mysqli_query($dbcon, $sql);

With no parameterisation or cleaning of input.

Is this type of query vulnerable? Should there not be some form of parameterisation, and, more importantly, should I explain the risks involved, as it seems the developer was unaware of the risk?

Answer Source

Yes it is.

But you can use this with mysqli: http://php.net/manual/en/mysqli.prepare.php

So with your data it will look like:

// The statement is compiled with a "?" placeholder; the value is never part of the SQL text
$prepare = $dbcon->prepare("SELECT * FROM detail WHERE email = ?");
// "s" marks the bound value as a string; it is sent separately from the query
$prepare->bind_param("s", $email);
$prepare->execute();
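To make the difference concrete for the developer, here is an added example (not code from the question or the answer) that runs the question's interpolated query and the answer's prepared statement side by side on the same input. It assumes a mysqli connection to a database that has the page's `detail` table with an `email` column, that the mysqlnd driver is available for `get_result()`, and the connection details are placeholders; the input address is constructed.

```php
<?php
// Added example. Assumes a `detail` table with an `email` column; the
// connection values below are placeholders, not from the original page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // raise exceptions on SQL errors
$dbcon = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

// The pattern from the question: $email is pasted into the SQL text, so any
// quote character in it becomes part of the statement instead of the value.
function findByEmailInterpolated(mysqli $dbcon, string $email): array
{
    $sql = "SELECT * FROM detail WHERE email ='$email'";
    return $dbcon->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// The pattern from the answer: the statement is compiled with a placeholder
// and the value is transmitted separately, so it can only be compared as data.
function findByEmailPrepared(mysqli $dbcon, string $email): array
{
    $stmt = $dbcon->prepare("SELECT * FROM detail WHERE email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed input: a perfectly legitimate address that happens to contain a quote.
$email = "o'brien@example.com";

try {
    findByEmailInterpolated($dbcon, $email);
} catch (mysqli_sql_exception $e) {
    // The quote closes the string literal early and MySQL rejects the statement.
    // The same mechanism lets a crafted value rewrite the WHERE clause; that is
    // the injection risk the question is asking about.
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}

// Same input through the prepared statement: the quote is just part of the value.
$rows = findByEmailPrepared($dbcon, $email);
echo "prepared query returned " . count($rows) . " row(s)\n";
```

Searching the code base for double-quoted SQL strings that contain a `$` variable (for example `grep -rn '"SELECT.*\$' .`) is a quick way to list the remaining queries that need the same conversion.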