I have a website that uses a db to store information for site users. All the mysql db calls are `SELECT`. I use `$_GET` to pass variables from page to page that are then used in the mysql `SELECT` calls. I don't use `UPDATE` or `INSERT` in any of my code.
Do I have to worry about sql injection attacks? Do I have to protect the db from some other type of attack?
I'm willing to read and learn. I just don't know if it's necessary in this case.
My db queries all take the form of:

```php
$leadstory = "-1";
if (isset($_GET['leadstory'])) {
    $leadstory = $_GET['leadstory'];
}
$query_News = "SELECT * FROM news WHERE lead_story = $leadstory";
$News = mysql_query($query_News, $HDAdave) or die(mysql_error());
$row_News = mysql_fetch_assoc($News);
$totalRows_News = mysql_num_rows($News);
```
Are the first three lines replaced with:

```php
$statement = $db_connection->prepare("SELECT * FROM news WHERE lead_story = ?");
$statement->bind_param("s", $leadstory);
$statement->execute();
$row_News = $statement->fetchAll();
```
What is the replacement for $totalRows_News?
Do I also have to clean the $leadstory?
Thanks for your help.
That would be a "yes", I think.
```sql
SELECT * FROM users WHERE name='hacker' or name='Admin' and '1'='1'
```

With the supplied name being `hacker' or name='Admin' and '1'='1`.
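As an added example (not from the question or the answer above), the following script runs the answer's injected query against an in-memory SQLite database via PDO so it can be tried offline, then shows the same input through a prepared statement; `count($rows)` after fetching is the replacement for `mysql_num_rows()`. The table, rows and the `$name` value are constructed here; PDO/SQLite is assumed only so the example needs no MySQL server, and the binding pattern is the same with mysqli.

```php
<?php
// Added example, not the asker's code: PDO with in-memory SQLite is used
// only so this runs offline; with mysqli, $stmt->get_result() gives a
// result object whose ->fetch_assoc() and ->num_rows replace
// mysql_fetch_assoc() and mysql_num_rows().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and rows.
$db->exec("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)");
$db->exec("INSERT INTO users (name, role) VALUES ('Admin', 'admin'), ('alice', 'user')");

// Constructed input: the value from the answer's example. On a live page this
// would arrive as $_GET['name'], exactly like $_GET['leadstory'] in the question.
$name = "hacker' or name='Admin' and '1'='1";

// Vulnerable form: the value is interpolated into the SQL text, so the quote
// in it closes the literal and the rest is parsed as part of the WHERE clause.
$unsafe = "SELECT * FROM users WHERE name='$name'";
echo "unsafe query : $unsafe\n";
$rows = $db->query($unsafe)->fetchAll(PDO::FETCH_ASSOC);
printf("unsafe rows  : %d\n", count($rows));
foreach ($rows as $row) {
    echo "  matched: {$row['name']} ({$row['role']})\n";
}

// Prepared form: the SQL text is fixed when prepare() runs; the bound value is
// sent as data, so the whole string is compared against the name column as one
// value and cannot alter the query's structure. No manual "cleaning" of $name
// is needed for this purpose.
$stmt = $db->prepare("SELECT * FROM users WHERE name = ?");
$stmt->execute([$name]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// With the rows fetched, count($rows) plays the role of $totalRows_News.
$totalRows = count($rows);
printf("prepared rows: %d\n", $totalRows);
$firstRow = $totalRows > 0 ? $rows[0] : null;   // stands in for $row_News
var_dump($firstRow);
```

The same two-step pattern (prepare with `?` placeholders, then bind or pass the value) applies to the question's `lead_story = ?` query; for an integer column bind it as an integer rather than a string.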