To put this into perspective using your bridge analogy - it’s more accurate to pitch it like this:
We’re building a bridge, and during the building process it becomes apparent that there is a weakness that means that anybody who knows how bridges work can bring the bridge down by pressing on it at a certain point. You are saying we should continue to build the bridge and ignore the weakness. I am saying we should solve the weakness that could bring the entire bridge crashing into the ocean before finishing work on the bridge.
I do agree with aaarrggh that you should be worried, but keep in mind, your mistake is simple to resolve and doesn’t require you to learn a new mechanism for utilizing your database (although you should at some point in the future; PDO is great, but isn’t necessary to solve your problem).
In short, he is trying to tell you to sanitize your input before using it in a SQL query. In this particular instance you provided initially here, you need to verify the $_GET['id'] ONLY contains a number, not a string of SQL commands. The best way to do this is to use intval() on $_GET['id'] as I (and StarLion) described earlier.
When working on your prior threads, we built SWITCH statements to limit the input (remember those?), which limited the SQL injection for your $_GET and $_POST values. This time, we need a slightly different approach because you are working with an unknown set of IDs that you could be given, so the best course of action is to verify it is a number.
You do indeed have a lot of extra spaces, try using
It’s true that this would solve the issue for this particular query.
However, if you get into the habit of using prepared statements or PDO, this will never be an issue in the future and you always know you are safe from SQL injection attacks.
It is worth spending a bit of time learning how to do this, as it will save you from potential attacks in the future.
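Both fixes discussed in this thread, side by side, as an added example (not code from any poster): the intval() check on $_GET['id'] from the earlier reply, and the PDO prepared statement the later replies recommend. The table and column names (articles, id, title) and the SQLite in-memory database are assumptions for demonstration only.

```php
<?php
// Added example, not from the thread. Assumed table: articles(id, title).
declare(strict_types=1);

// Fix 1 (earlier reply): force the id to an integer before it goes anywhere
// near SQL. intval() returns 0 for input that does not start with digits, so
// treat 0 (and negatives) as "no valid id" rather than querying with them.
// is_scalar() also rejects ?id[]=... style array input, which intval() would
// otherwise turn into 1.
function validateId(array $get): ?int
{
    if (!isset($get['id']) || !is_scalar($get['id'])) {
        return null;
    }
    $id = intval($get['id']);
    return $id > 0 ? $id : null;
}

// Fix 2 (later replies): a prepared statement. The value is bound separately
// and is never concatenated into the query text, so it cannot change the
// query's structure regardless of what the client sent.
function fetchTitle(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['title'];
}

// Constructed inputs standing in for $_GET (no real request involved).
foreach (['42', '42abc', 'abc', '-3'] as $raw) {
    $id = validateId(['id' => $raw]);
    printf("%-8s -> %s\n", var_export($raw, true), $id === null ? 'rejected' : (string) $id);
}

// Running the lookup against an assumed in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO articles (id, title) VALUES (42, 'Hello')");

$id = validateId(['id' => '42abc']);
if ($id !== null) {
    var_dump(fetchTitle($pdo, $id));
}
```

Using both together is the habit the thread points toward: intval() rejects junk early with a clear error, and the prepared statement keeps the query safe even if a later edit forgets the check.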