This question already has an answer here:
- How can I prevent SQL injection in PHP? 28 answers
Suppose you write the following PHP code:
$user = $_POST['user'];
$passwd = $_POST['passwd'];
$query = "SELECT * FROM users WHERE user='$user' AND passwd='$passwd'" ;
If the user enters the values 'johnsmith' and 'funnyboy12' for the fields $user and $passwd respectively, then I can understand that the query string which is passed to the SQL server will be
SELECT * FROM users WHERE user='johnsmith' AND passwd='funnyboy12'
And I can also understand that a malicious user who inputs the value admin'# for $user (and does not even bother to input any values for $passwd) will be able to send the string
SELECT * FROM users WHERE user='admin'#' AND passwd=''
to the SQL server. Because everything after the # symbol is taken as comment, the malicious user will therefore be able to gain access to the entire database as the user "admin" without even having to enter a password. But my question is this: Suppose you don't write the codes that you see at the top of this post. Suppose you directly embed your server address, your username, your password, your table name and port identifier like so:
$link=mysqli_connect("boogaloo.boomboom.edu","oceaanview101","koochykoo^%","wooky");
In that case, what sort of a string will be sent to the database? What I mean is , if you have the "SELECT * FROM users WHERE....... statement in your code, BUT you have all the personal information EMBEDDED inside the mysqli_connect() function, how will the SELECT statement know what the username is, what the password is? Can a hacker still cause mayhem if you use the embedded version, rather than $user = $_POST['user']; $passwd = $_POST['passwd'];
</div>
