[Solved] How is this code in PHP vulnerable to SQL Injection?


First, $email = filter_input(INPUT_GET, 'email'); does nothing; it’s the same as $email = filter_input(INPUT_GET, 'email', FILTER_DEFAULT);, and FILTER_DEFAULT is documented as “do nothing”.

Second, PDO’s Query function does appear to support multiple statements (albeit in a rather annoying-to-use manner, and I can’t say I’ve personally played with it). See “PHP PDO multiple select query consistently dropping last rowset”.

Third, even without multiple statement support, $email could be populated with something like [email protected]' OR username="admin to return data you didn’t plan on returning to the user.

Fundamentally: stop worrying about whether bad code is exploitable, and start writing good code instead. Start using properly prepared statements and don’t worry about injection anymore.

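The contrast the answer draws, shown as an added example that is not part of the original answer or the asker's code: the same lookup built by string concatenation and with a PDO prepared statement. The `users` table, its columns and rows, the function names, the in-memory SQLite database (requires the `pdo_sqlite` extension) and the single-quoted variant of the answer's input are all assumptions constructed for illustration.

```php
<?php
// Added example. Schema, rows and function names are constructed, not from the page.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES ('admin', 'admin@example.test'),
                                     ('alice', 'alice@example.test')");

// Before: the value is pasted into the SQL text, so a quote inside it
// ends the string literal and the rest is parsed as SQL.
function findByEmailConcatenated(PDO $pdo, string $email): array
{
    $sql = "SELECT username, email FROM users WHERE email = '$email'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the SQL text is fixed and the value is sent as a bound parameter,
// so it is only ever compared as data.
function findByEmailPrepared(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Input validation is a separate step. FILTER_DEFAULT does not validate;
// FILTER_VALIDATE_EMAIL does. An apostrophe is legal in an e-mail local part,
// so validation does not replace parameter binding.
function readEmail(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed input in the shape the answer describes.
$input = "nobody@example.test' OR username='admin";

echo "concatenated: ", json_encode(findByEmailConcatenated($pdo, $input)), PHP_EOL;
echo "prepared:     ", json_encode(findByEmailPrepared($pdo, $input)), PHP_EOL;
echo "validated:    ", json_encode(readEmail($input)), PHP_EOL;
echo "legit lookup: ", json_encode(findByEmailPrepared($pdo, 'alice@example.test')), PHP_EOL;
```

With MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the driver uses server-side prepared statements instead of building the final SQL string on the client.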