If I have a query like this, [syntax=sql] SELECT `name`, `content`, `subtext`, `isBlog`, `isHome` FROM `pageinfo` WHERE `name` = '{$_GET['page']}' [/syntax]
And I would obviously have like, index.php?page=Home, now for my question, are there any vulnerabilities for this? Could some do DROP TABLE table_name? If so, how do I prevent it?
I think that only works with MSSQL or something. But as it is this would be vulnerable to SQL injection. You need to escape the data that goes in to the query
//QUERY TO GET INFO FROM INDEX.PHP?PAGE=$NAME $mysql->query(" SELECT `name`, `content`, `subtext`, `isBlog`, `isHome` FROM `pageinfo` WHERE `name` = '{$get_page}' ");[/syntax] Since I'm stripping it before using it in the query, I tried having it above but that gives an undefined index.