What is wrong with this query: "SELECT * FROM table WHERE id = $

1 Answer

It is vulnerable to SQL injection. Never use user input directly in queries.
Sanitize it first. Preferably use prepared statements (PDO) 2.
Don't select all columns (*), but specify every single column.
This is predominantly meant to prevent queries hogging up memory when for instance a BLOB column is added at some point in the future.

answer Dec 31, 2015 by Manikandan J

Similar Questions

0 votes

how to write a query to select Nth row from a table in Oracle SQL?

+1 vote

How can I Optimize the speed of a MySQL Select Query?

+5 votes

What is wrong with this code line "$('#myid.3').text('blah blah!!!');"

0 votes

How to find out where a site visitor comes from?

0 votes

I want to insert a value from an array into a column of sql table, but the content is not going into the table?

for($i=0;$i<=feof($getdata);$i++)
{
if (filter_var($data[$i][1], FILTER_VALIDATE_EMAIL)){
echo $data[$i][1];
$email=$data[$i][1];
$conn = mysqli_connect($dbhost,$dbuser,$dbpass, $dbname);
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}
$sql ="INSERT INTO promo_user (uid,name,email) VALUES (,'', '$email')";
mysqli_query($sql,$conn);
mysqli_close($conn);

I am using the above code but there is something wrong with it,whenever i run the code the echo is working fine but the content does go into sql table

Please help

What is wrong with this query: "SELECT * FROM table WHERE id = $_POST[ 'id' ]"?

Your comment on this post:

1 Answer

Your comment on this answer:

Your answer

Preview