Overview
Shows how interpolating user input into an SQL query without parameterization lets an attacker change the structure of the query and read rows they were never meant to see (here, every username in the users table).
Vulnerable Code
<?php
// vuln_sql.php ($conn is an open mysqli connection)
$id = $_GET['id'];                                  // attacker-controlled, used as-is
$query = "SELECT * FROM users WHERE id = '$id'";    // value spliced into the SQL text, quotes and all
$result = mysqli_query($conn, $query);              // whatever the string now says gets executed
Exploit Demo
Example URL: ?id=-1' UNION SELECT 1,username,3 FROM users--
Resulting query: SELECT * FROM users WHERE id = '-1' UNION SELECT 1,username,3 FROM users--'
The -1 matches no real row, so only the injected SELECT contributes rows, and the trailing comment swallows the closing quote. The injected SELECT must have the same number of columns as users (three here); a mismatch is a syntax error, which is also how the column count is discovered by trial. Note that MySQL only treats -- as a comment when whitespace follows it, so in a real request the payload ends with --+ (URL-encoded space) or uses # instead.
Secure Code
<?php
// sec_sql.php (prepared statements; $conn is an open mysqli connection)
$id = $_GET['id'];
$stmt = mysqli_prepare($conn, "SELECT * FROM users WHERE id = ?");
mysqli_stmt_bind_param($stmt, "i", $id);    // "i": sent to the server as an integer parameter, never as SQL text
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);    // same mysqli_result interface mysqli_query() returned in the vulnerable version
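The payload from the Exploit Demo, run against both the interpolated and the parameterized form of the query. This is an added example, not code from the original page: it uses Python's sqlite3 module as a stand-in for PHP with MySQL, and the users table (three columns, two constructed rows) and the function names are assumptions. One difference to keep in mind when reading it: SQLite treats -- as a comment unconditionally, whereas MySQL requires whitespace after it.

```python
import sqlite3

# Constructed schema: three columns, so the three-column UNION in the page's payload lines up.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL);
INSERT INTO users VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'correcthorse');
"""

# The page's payload, exactly as it arrives in $_GET['id'] after URL decoding.
PAYLOAD = "-1' UNION SELECT 1,username,3 FROM users--"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, user_id):
    # Mirrors vuln_sql.php: the untrusted value becomes part of the SQL text.
    query = f"SELECT * FROM users WHERE id = '{user_id}'"
    return query, conn.execute(query).fetchall()


def lookup_secure(conn, user_id):
    # Mirrors sec_sql.php: the value travels as a bound parameter and is compared
    # against id as one opaque value, so the quote and UNION are never parsed as SQL.
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


def union_succeeds(conn, payload):
    # Why the payload needs exactly three columns: a UNION with a mismatched
    # column count is a SQL error (sqlite3.OperationalError here), which is also
    # how an attacker finds the right count by trial and error.
    try:
        lookup_vulnerable(conn, payload)
        return True
    except sqlite3.OperationalError:
        return False


def demo():
    conn = fresh_db()
    query, leaked = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_secure(conn, PAYLOAD)
    return query, leaked, safe


if __name__ == "__main__":
    query, leaked, safe = demo()
    print("executed:       ", query)
    print("vulnerable rows:", leaked)   # one row per user, username in the second column
    print("prepared rows:  ", safe)     # [] -- the payload is just an id that matches nothing
```

The vulnerable path returns one row per user with the username in the second column, exactly the data the UNION was built to pull out. The prepared path returns nothing, because the whole payload is compared to id as a single value. A truncated payload with two columns instead of three fails outright, which is the behaviour the column-count probing in the Exploit Demo relies on.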
Remediation & Lessons
- Use prepared statements with bound parameters so user input always reaches the database as data, never as part of the SQL text.
- Never concatenate raw user input into SQL; escaping helpers are a fallback that is easy to get wrong (they do nothing for an unquoted numeric context), not a substitute for parameters.
- Validate the id as an integer before binding it; with the "i" type mysqli casts the value, so malformed input is silently turned into a number instead of being rejected.
- Escape output with htmlspecialchars() when displaying query results; this addresses XSS in the rendered page, not SQL injection, and the two fixes are independent.