
SQL Injection #3

@osok

Description


The way you are concatenating the input from the user into the SQL statements opens you up to a SQL Injection attack. If an attacker finds a SQL Injection they can do anything to the database that the user you're connected to the database as has. This includes extracting the entire database of data or even loading a shell on the database.

For more information visit: https://www.owasp.org/index.php/SQL_Injection. It is an open source community to bring awareness of application security to the masses.

Also, the attack tool favored by attackers is SQLMap: http://sqlmap.org/

You can modify your code to use parameterized inputs into the SQL Statement:
http://php.net/manual/en/pdo.prepared-statements.php
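Added example (not code from this issue or from the project): the string-concatenation pattern the issue describes beside its PDO prepared-statement fix, run against an in-memory SQLite table so it executes stand-alone. The table, column names and sample rows are assumptions.

```php
<?php
// Added example, not the project's code. An in-memory SQLite database with an
// assumed "users" table stands in for the real schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES
            ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// Vulnerable: the user-supplied value is spliced into the SQL text, so the
// database parses it as part of the statement rather than treating it as data.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT username, email FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the statement is prepared with a placeholder and the value is bound
// afterwards, so the driver never interprets the bound value as SQL.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a quote character followed by an always-true condition.
$input = "nobody' OR '1'='1";

// The concatenated query returns every row because its WHERE clause became
// always-true; the prepared query returns none, since no user has that name.
echo 'vulnerable: ' . count(findUserVulnerable($pdo, $input)) . " row(s)\n";
echo 'safe:       ' . count(findUserSafe($pdo, $input)) . " row(s)\n";
```

When the target is MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so binding happens on the server rather than by client-side quoting.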
