What is wrong with this SQL query?

by 6 replies
Hi Warriors,

Can you please explain in simple terms why this query is wrong?

SELECT * FROM table WHERE id = $_GET['id']

Thanks!

Bret
#programming #query #sql #wrong
  • 1. "Table" is a special term. Escape table name with `quotes`
    2. $_GET['id'] is not escaped. This query can be injected.
    3. $_GET['id'] is PHP, therefore it cannot be part of the SQL query string unless you concatenate it:

    $query = "SELECT * FROM `table` WHERE id = " . $_GET['id'];
  • Thanks Cosmit for that detailed, yet easy to follow answer!
  • Cosmit's comment about SQL injection should not be taken lightly, as you're leaving yourself wide open here. I strongly recommend that you use PDO:
    PHP: PDO - Manual

    Get to the point where you understand the humor/horror of this:


    • I use prepared statements with MySQLi and I really like that syntax. Just curious, why do you choose PDO?
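Added example, not code posted in this thread: it puts the concatenated query from Cosmit's answer next to the PDO prepared statement the second answer recommends, running against an in-memory SQLite database so no MySQL server is needed. The table name, its three rows, the column `secret`, and the two stand-in request values are all constructed for the example.

```php
<?php
// Added example, not code from the thread. Contrasts the concatenated query
// from Cosmit's answer with a PDO prepared statement, using an in-memory
// SQLite database so it runs without a MySQL server. The table, its rows and
// the two inputs below are constructed for this demonstration.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // `table` is a reserved word, so the name is backtick-quoted as in the
    // thread (SQLite accepts backtick identifiers for MySQL compatibility).
    $db->exec('CREATE TABLE `table` (id INTEGER PRIMARY KEY, secret TEXT)');
    $db->exec("INSERT INTO `table` (id, secret) VALUES (1, 'alpha'), (2, 'beta'), (3, 'gamma')");
    return $db;
}

// The pattern from the thread: the request value is spliced into the SQL
// text, so whatever the client sends becomes part of the WHERE clause.
function fetchUnsafe(PDO $db, string $id): array
{
    $query = "SELECT * FROM `table` WHERE id = " . $id;
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: the SQL text is fixed at prepare() time and the value is
// sent separately as a typed parameter, so it cannot change the query's shape.
// Checking the type first is defence in depth: an id that is not an integer
// is refused before the database ever sees it.
function fetchSafe(PDO $db, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM `table` WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
// Constructed inputs standing in for $_GET['id']: one well-formed integer,
// and one that is not an integer and so gets treated as SQL by fetchUnsafe.
$inputs = ['2', '1 OR 1=1'];

foreach ($inputs as $input) {
    printf(
        "input %-10s unsafe: %d row(s)   safe: %d row(s)\n",
        var_export($input, true),
        count(fetchUnsafe($db, $input)),
        count(fetchSafe($db, $input))
    );
}
```

Run it with any PHP build that has pdo_sqlite enabled (the default). For the well-formed id both functions return the single matching row; for the second value the concatenated query returns every row in the table, because the input was absorbed into the WHERE clause, while the prepared version returns nothing since the value never reaches the SQL parser. The same separation of query text from data exists in MySQLi through prepare() and bind_param('i', ...), so the injection fix does not depend on choosing PDO; what PDO adds here is that this one code path runs unchanged against SQLite and MySQL.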
  • Fair enough.
