-4

I'm developing a website and I'm asking if this little code is vulnerable to SQL injection or if it's secure:

<?php
$param1 = $_GET['param1'];                                   // raw request value, no validation or escaping
$sql_news = "select * from table1 where attr1 = '$param1'";  // interpolated straight into the SQL text

Can I stay in peace?

Thanks

laurent
Kiks777
    Terribly insecure. – yivi Dec 26 '16 at 19:19
  • 3
    Nope. http://stackoverflow.com/questions/601300/what-is-sql-injection , http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Federkun Dec 26 '16 at 19:20
  • http://php.net/manual/en/security.database.sql-injection.php – Mário Moura da Silva Dec 26 '16 at 19:20
  • The code that you pasted is SQL vulnerable... – IamK Dec 26 '16 at 19:20
  • 1
    If you want know if it's vulnerable or not you just need to learn what a sql injection is. – Federkun Dec 26 '16 at 19:20
  • Very strictly taken, this is unanswerable. Because you didn't even specify the database type. For a 7bit charset set and given an outdated PHP setup, perhaps; but not very likely. -- How in the world did you come up with this question *again*, though? I find it unlikely that not a single Google search brought up more current tutorials. – mario Dec 26 '16 at 19:32
  • Why don't you use PDO? http://php.net/manual/en/pdostatement.execute.php – Eugen Dec 26 '16 at 19:32
  • Sorry for the stupid answer and thanks for the fast replies .. do you know if addslashes() is still vulnerable? – Kiks777 Dec 26 '16 at 19:35
  • @Kiks777 yes, it is. Use parameterized queries... or view the manual -http://php.net/manual/en/function.addslashes.php `Please note that use of addslashes() for database parameter escaping can be cause of security issues on most databases.` – chris85 Dec 26 '16 at 19:46

1 Answer

1

No, someone could set $param1 to, for example, `' OR '1'='1`, which would return the complete content of the table.

laurent
  • Thanks for the reply ... I know this is vulnerable, but it does not affect this parameter, I don't know why.. is it possible? – Kiks777 Dec 26 '16 at 19:27
  • Oops sorry .. I'm so damn stupid, I understand now why it doesn't work .. sorry mate .. can I ask you if addslashes() is vulnerable now? I don't know if the multi-byte vuln has been fixed – Kiks777 Dec 26 '16 at 19:31
  • Even with addslashes, it would still be vulnerable. The best solution would be to use prepared statements - http://www.w3schools.com/php/php_mysql_prepared_statements.asp – laurent Dec 26 '16 at 19:58
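As an added, runnable illustration of the answer and the follow-up comments (this is example code written for this page, not code from the asker or the answerer): the question's interpolated query is placed beside a PDO prepared-statement version and both are run against an in-memory SQLite table, so the script executes offline. The table and column names (`table1`, `attr1`) follow the question; the sample rows and the `newsVulnerable`/`newsSafe` function names are constructed for the example, and the script assumes PHP's `pdo_sqlite` extension is available.

```php
<?php
// Added example, not from the original question or answer.
// Compares the question's string-built query with a parameterised one.
declare(strict_types=1);

// In-memory SQLite stands in for the real database so this runs offline
// (assumes the pdo_sqlite extension is loaded).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data using the question's table and column names.
$pdo->exec('CREATE TABLE table1 (id INTEGER PRIMARY KEY, attr1 TEXT NOT NULL)');
$pdo->exec("INSERT INTO table1 (attr1) VALUES ('alice'), ('bob'), ('carol')");

// The pattern from the question: the request value becomes part of the SQL
// text, so anything it contains is parsed as SQL, not as data.
function newsVulnerable(PDO $pdo, string $param1): array
{
    $sql_news = "select * from table1 where attr1 = '$param1'";
    return $pdo->query($sql_news)->fetchAll(PDO::FETCH_ASSOC);
}

// The hardened pattern the comments recommend: the SQL text is fixed at
// prepare time and the value is sent separately as a bound parameter, so it
// can only ever be compared against attr1, never change the statement.
function newsSafe(PDO $pdo, string $param1): array
{
    $stmt = $pdo->prepare('SELECT * FROM table1 WHERE attr1 = :attr1');
    $stmt->execute([':attr1' => $param1]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The input the answer describes, here as a constructed value rather than
// something read from $_GET.
$input = "' OR '1'='1";

printf("vulnerable query, crafted input: %d row(s)\n", count(newsVulnerable($pdo, $input)));
printf("prepared statement, crafted input: %d row(s)\n", count(newsSafe($pdo, $input)));
printf("prepared statement, normal input: %d row(s)\n", count(newsSafe($pdo, 'bob')));
```

Running it shows the difference the answer describes: the interpolated version returns every row of the table, while the prepared statement returns no rows for the crafted input (no `attr1` literally equals that string) and one row for an ordinary value. This is also why `addslashes()` is not a fix, as chris85's quote from the manual says: it only escapes a few characters at the PHP string level, with no knowledge of the database or the connection's character set, whereas a bound parameter never enters the SQL text at all.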