Using user-provided data while executing an SQL query can lead to SQL injection attacks. An SQL injection attack consists of the insertion or "injection" of a malformed SQL query via the input data given to an application. It is a prevalent attack vector and causes significant damage if the incoming data is not properly sanitized.

In the past it has led to the following vulnerabilities:

If the query contains any variable input then parameterized prepared statements should be used instead. Alternatively, the data must be properly formatted and all strings must be escaped using the mysqli_real_escape_string() function.

Bad practice

function getUser() {
    $id = $_GET['id'];

    $query = "SELECT * FROM users WHERE id = '" . $id . "'";

    $conn = getConnection();
    $result = mysqli_query($conn, $query);

    $user = mysqli_fetch_array($result);

    return $user;
}

Recommended

function getUser() {
    $id = $_GET['id'];

    $mysqli = getConnection();

    $query = "SELECT * FROM users WHERE id = ':id'";

    $stmt = $mysqli->prepare($query);
    $stmt->bindParam(':id', $id);
    $stmt->execute();

    $result = $stmt->get_result();

    return $result->fetch_assoc();
}

References

OWASP Top 10:2021 > A03 - Injection
OWASP Top 10:2017 > A01 - Injection
CWE-20: Improper Input Validation
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-943: Improper Neutralization of Special Elements in Data Query Logic

isudatateam / datateam

No ignore rules found