top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

What is wrong with this query: "SELECT * FROM table WHERE id = $_POST[ 'id' ]"?

+3 votes
1,861 views
What is wrong with this query: "SELECT * FROM table WHERE id = $_POST[ 'id' ]"?
posted Sep 27, 2015 by Vrije Mani Upadhyay

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

0 votes

It is vulnerable to SQL injection. Never use user input directly in queries.
Sanitize it first. Preferably use prepared statements (PDO) 2.
Don't select all columns (*), but specify every single column.
This is predominantly meant to prevent queries hogging up memory when for instance a BLOB column is added at some point in the future.

answer Dec 31, 2015 by Manikandan J
Similar Questions
0 votes
for($i=0;$i<=feof($getdata);$i++)
{
if (filter_var($data[$i][1], FILTER_VALIDATE_EMAIL)){
echo $data[$i][1];
$email=$data[$i][1];
$conn = mysqli_connect($dbhost,$dbuser,$dbpass, $dbname);
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}
$sql ="INSERT INTO promo_user (uid,name,email) VALUES (,'', '$email')";
mysqli_query($sql,$conn);
mysqli_close($conn);

I am using the above code but there is something wrong with it,whenever i run the code the echo is working fine but the content does go into sql table

Please help

...