
sql injection

omerbutt
Hi all,
I was learning SQL injection prevention and, after learning it, wanted to check my current code to see whether it could have an SQL injection.
Here is one of the statements I have in my code:
    // Value taken directly from the query string, with no validation
    $bung_id=$_GET['bung_id'];
    // The value is concatenated into the SQL text
    $q_B="SELECT * FROM bungalows WHERE bungalows.bung_id='$bung_id'";
    $r_B=execute($q_B);
This statement executes on a page where I am trying to show a record by posting a query string:
    http://localhost/site/bungalowdetail.php?bung_id=12
Now, can this statement be vulnerable to SQL injection? For example, can somebody inject a drop database or table statement through this query string?
regards,
Omer Aslam
Sep 17 '11 #1
1 Reply


Rabbit
Yes, that is vulnerable to SQL injection. Use the prevention technique you learned.
Sep 17 '11 #2
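
The pattern from the question next to a validated, parameterized version, as an added example that is not part of the original thread. The thread does not say which prevention technique the poster learned; bound parameters are used here as one common choice. It assumes PDO with the SQLite driver, a constructed in-memory bungalows table, and the hypothetical function names find_concatenated and find_prepared.

```php
<?php
// Constructed in-memory table standing in for the poster's database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE bungalows (bung_id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO bungalows VALUES (12, 'Sea View'), (13, 'Hill Top'), (14, 'Garden')");

// Pattern from the post: the request value becomes part of the SQL text,
// so quote characters in it are parsed as SQL syntax rather than as data.
function find_concatenated(PDO $db, string $bung_id): array
{
    $q = "SELECT * FROM bungalows WHERE bungalows.bung_id='$bung_id'";
    return $db->query($q)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: reject anything that is not a positive integer, then bind
// the value as a parameter so it can never alter the statement's structure.
function find_prepared(PDO $db, string $bung_id): array
{
    $id = filter_var($bung_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // malformed id: treat as "no such record"
    }
    $stmt = $db->prepare("SELECT * FROM bungalows WHERE bung_id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed query-string values: a normal id, and one containing quotes
// that turn the WHERE clause into a condition that is always true.
$inputs = ['12', "12' OR '1'='1"];

foreach ($inputs as $input) {
    printf(
        "%-16s concatenated: %d row(s)   prepared: %d row(s)\n",
        $input,
        count(find_concatenated($db, $input)),
        count(find_prepared($db, $input))
    );
}
```

For the second input the concatenated query matches every row in the table, while the prepared version rejects the value before any SQL runs.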
