Open
While this isn't super urgent (considering this is an "internal" form only filled out by team members) it might be something worth pointing out when you give your talk to IT.
I'm sure you're aware of this, but I didn't see a comment in the code about it (as with the hard-coded DB credentials :^) so I figured I'd mention it, as I think it's important that people learning PHP for the first time get into the right habits.
Because we're concatenating the parameters with the SQL query, it's vulnerable to an injection attack - I think PHP's MySQLi supports syntax like `$con->query("INSERT INTO blah VALUES (?)", $value);` such that the user input is always properly escaped.
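As an added example (not code from this repository or from the issue author), the concatenation pattern the issue describes is shown next to a version built on mysqli's prepared-statement API (`prepare()`, `bind_param()`, `execute()`), with the connection reading its credentials from the environment rather than the source file. The table name `submissions`, its columns, and the `DB_*` environment variable names are assumptions made for this example.

```php
<?php
// Added example, not the project's code. The table `submissions(name, email)`
// and the DB_* environment variables are assumptions for illustration.

/**
 * Opens a mysqli connection. Credentials are read from the environment instead
 * of being hard-coded in the source, and mysqli is switched to exception mode so
 * failed queries cannot be silently ignored.
 */
function connect(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli(
        getenv('DB_HOST') ?: 'localhost',
        getenv('DB_USER') ?: '',
        getenv('DB_PASS') ?: '',
        getenv('DB_NAME') ?: ''
    );
}

/**
 * Vulnerable form: the submitted values become part of the SQL text itself.
 * A value containing a single quote ends the string literal early, so the rest
 * of the input is parsed as SQL rather than stored as data.
 */
function insertSubmissionUnsafe(mysqli $con, string $name, string $email): bool
{
    $sql = "INSERT INTO submissions (name, email) VALUES ('"
         . $name . "', '" . $email . "')";
    return $con->query($sql) !== false;
}

/**
 * Hardened form: the SQL text is fixed when prepare() is called and only
 * contains placeholders. The values are sent separately through bind_param(),
 * so the database server never parses them as SQL, whatever they contain.
 */
function insertSubmissionSafe(mysqli $con, string $name, string $email): bool
{
    $stmt = $con->prepare("INSERT INTO submissions (name, email) VALUES (?, ?)");
    // "ss" declares both bound parameters as strings.
    $stmt->bind_param("ss", $name, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage from a form handler: the user-controlled fields are passed through
// unchanged; no manual escaping is needed because they are bound, not spliced.
$con = connect();
$name  = $_POST['name']  ?? '';
$email = $_POST['email'] ?? '';
insertSubmissionSafe($con, $name, $email);
$con->close();
```

The hardened version also drops the `!== false` check on `query()`: with `MYSQLI_REPORT_STRICT` enabled, a failed prepare or execute throws a `mysqli_sql_exception`, which is easier to notice and log than a return value that the caller may forget to inspect.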