If database name is $_GET, is it susceptible to sql injections?

Question

I am learning php on my own and was wondering if I would susceptible to sql injections if I make the database name a $_GET even if the normal command goes through a PDO function?

ex.

   $hostname_Database = "blocked";
        $database_Database =  $_GET['henryfor'];
        $username_Database = "blocked";
        $password_Database = "blocked";

        $dbh = new PDO("mysql:host=$hotname_Database;dbname=$database_Database", $username_Database, $password_Database);
...

[`You already asked this`](http://stackoverflow.com/q/21536011/) (which you now deleted). — Funk Forty Niner, Feb 03 '14 at 19:58
Regardless of whether or not it is, you should check it against a strict whitelist just in case. — Waleed Khan, Feb 03 '14 at 19:58
Not if you properly escape things. But why on *Earth* do you want to do this? — TypeIA, Feb 03 '14 at 19:58
@dvnrrs can you expand on that? I'm really interested to find out. — user2495313, Feb 03 '14 at 20:00
`mysql:host=$hotname_Database` You won't be able to connect to it anyway. ;) — The Blue Dog, Feb 03 '14 at 20:01
odd and dangerous to want to pass a db name in the url. cant you store that information in a file? — , Feb 03 '14 at 20:02
possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Marc B, Feb 03 '14 at 20:03
**ANYTHING** external you stuff into a query string makes the string susceptible to injection attacks. doesn't matter if it came from $_GET, something you wrote, or something you just retrieved from the db not 3 line of code ago. — Marc B, Feb 03 '14 at 20:04
You have a point there. @Dagon - I guess I'll have to wait my turn then. — Funk Forty Niner, Feb 03 '14 at 20:05
@Fred-ii-: For some of the people I have to deal with, the time of day is completely irrelevent. — The Blue Dog, Feb 03 '14 at 20:08
I know what you mean. Some don't even know what "daylight" looks like. It's like there's never any light being emitted. @PeteR - Meaning, they're not the brightest bulb in the socket; a bit dim. — Funk Forty Niner, Feb 03 '14 at 20:11
Oh, is it tea time already? Oh well, will you lookah dat! @Dagon — Funk Forty Niner, Feb 03 '14 at 20:16

score -1 · Accepted Answer · answered Feb 03 '14 at 20:20

If you allow the database name to come from $_GET you are allowing the end user to choose the database name. Normally this is a very bad idea, but for specialized applications (e.g. phpMyAdmin) that might be acceptable.

Additionally, because you're adding the name into a string with other connection information, there is nothing stopping the user from putting a ";" in the name, and then providing values for other parameters in the connection string.

So this isn't exactly the same as a SQL injection attack, but is in the same general category.

Like Waleen Khan said, you probably want to filter the database name so that only a white list of acceptable values is allowed. If that's not an option, you want to read up on if the connection string supports some kind of escaping, and either escape special characters, to filter them out.

Is there something wrong with my answer? – Tim Feb 08 '14 at 05:20 — Tim, Feb 08 '14 at 05:20

If database name is $_GET, is it susceptible to sql injections?

1 Answers1