
I'm a little concerned about using the WHERE query within my PHP code. I've created the query and everything works perfectly; however, I'm not the best with security issues, particularly the possibility of injections and cross-site scripting.

This is the code i'm currently using on my test site:

$sql = "SELECT address FROM shops WHERE shopname='name'";
if ($res = mysqli_query($link, $sql)) {
    if (mysqli_num_rows($res) > 0) {
        while ($row = mysqli_fetch_array($res)) {
            echo "....."; // output code truncated in the original post
        }
    }
}

There are no user inputs on any part of the website. If anyone can see an obvious error in my coding and has any recommendations, that would be great!

Thanks in advance!

rx2347
  • *There are no user inputs on any part of the website* - so what are you worrying about? :) SO isn't really for doing code reviews - there's [a sister stackexchange site](http://codereview.stackexchange.com) for that – Caius Jard Mar 08 '20 at 21:39
  • It's OK now, but I'm afraid you're not being completely honest in your code. It says: `WHERE shopname='name'`, but somehow I think `name` will be replaced by something else. – KIKO Software Mar 08 '20 at 21:40
  • When you do use user input and SQL - know the rules - ref: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – danblack Mar 08 '20 at 21:44
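
The comments above make the real point: the query is safe only as long as `'name'` stays a literal. The moment a variable is spliced into that string, a quote inside the value rewrites the query. The following is an added example, not code from the original post or from the asker's site. It builds an in-memory SQLite table with constructed shop rows so it runs stand-alone under the PHP CLI (`php example.php`, requires `pdo_sqlite`); the shop names, addresses and the tautology payload are all made up, and `findAddressUnsafe` / `findAddressSafe` are hypothetical function names. The two patterns map one-to-one onto mysqli against MySQL, which the question uses.

```php
<?php
// Added example, not from the original post. Constructed in-memory SQLite data
// stands in for the asker's MySQL `shops` table so the script runs offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shops (shopname TEXT, address TEXT)');
$db->exec("INSERT INTO shops VALUES ('Corner Bakery', '1 High St'), ('Book Nook', '2 Low Rd')");

// Vulnerable: the value becomes part of the SQL text, so a quote inside it
// changes the structure of the query rather than just the value being compared.
function findAddressUnsafe(PDO $db, string $shopname): array
{
    $sql = "SELECT address FROM shops WHERE shopname='$shopname'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the SQL text is fixed at prepare time; the value travels separately
// as a bound parameter and is never parsed as SQL, whatever it contains.
function findAddressSafe(PDO $db, string $shopname): array
{
    $stmt = $db->prepare('SELECT address FROM shops WHERE shopname = ?');
    $stmt->execute([$shopname]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$honest  = 'Corner Bakery';
$hostile = "x' OR '1'='1";   // constructed tautology payload

// Unsafe: the honest name returns 1 row; the payload turns the WHERE clause into
// shopname='x' OR '1'='1' and returns every row (2).
printf("unsafe/honest:  %d row(s)\n", count(findAddressUnsafe($db, $honest)));
printf("unsafe/hostile: %d row(s)\n", count(findAddressUnsafe($db, $hostile)));

// Safe: the honest name still returns 1 row; the payload is compared literally
// against shopname and matches nothing (0).
printf("safe/honest:    %d row(s)\n", count(findAddressSafe($db, $honest)));
printf("safe/hostile:   %d row(s)\n", count(findAddressSafe($db, $hostile)));

// The XSS half of the question lives on the output side: escape for the HTML
// context at the point of output, regardless of how the value reached the database.
foreach (findAddressSafe($db, $honest) as $address) {
    echo '<p>' . htmlspecialchars($address, ENT_QUOTES, 'UTF-8') . "</p>\n";
}
```

With mysqli the hardened version is the same idea spelled out procedurally: `mysqli_prepare($link, 'SELECT address FROM shops WHERE shopname = ?')`, then `mysqli_stmt_bind_param($stmt, 's', $shopname)`, `mysqli_stmt_execute($stmt)` and `mysqli_stmt_get_result($stmt)` in place of `mysqli_query`. Note that "no user input" is a property of today's site, not of the code: a value read from a URL, a form, a cookie, a file or another database row tomorrow goes through the same `$sql` string, so binding parameters now costs nothing and removes the class of bug entirely. Escaping with `htmlspecialchars` belongs only at output; it does nothing for the SQL side.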

0 Answers