Is the following code vulnerable to SQL Injection (`$mysqli` is an instance of the MySQLi class)?

```php
$age = $mysqli->real_escape_string($_GET['age']);
$name = $mysqli->real_escape_string($_GET['name']);
$query = "SELECT * FROM `table` WHERE name LIKE '$name' AND age = $age";
$results = $mysqli->query($query);
```

A. No, the code is fully protected from SQL Injection.
B. Yes, because you cannot prevent SQL Injection when using MySQLi.
C. Yes, because the $age variable is improperly escaped.
D. Yes, because the $name variable is improperly escaped.
E. Yes, because the $name variable and the $age variable are improperly escaped.
Is this because the variable `$age` is not between quotes (`'`)?
No, because "string": `$age = $mysqli->real_escape_STRING($_GET['age']);`
http://stackoverflow.com/questions/8387974/should-i-escape-an-expected-integer-value-using-mysql-real-escape-string-or-can
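As an added example (not code from the original thread), here is the same lookup rewritten with a mysqli prepared statement, so neither `$name` nor `$age` is ever interpolated into the SQL text, plus integer validation for `$age`; the validation matters because `real_escape_string()` only escapes characters that are special inside a quoted string literal, and the original query places `$age` unquoted. It assumes the same `table` with a string `name` column and an integer `age` column, and a hypothetical connection.

```php
<?php
// Added example: hardened version of the quiz snippet using bound parameters.
// Assumes table `table` with columns `name` (string) and `age` (int).
declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate the raw age parameter before it reaches the database layer.
 * Escaping cannot protect an unquoted numeric value; type validation can.
 * Returns null when the input is not an integer in the accepted range.
 */
function parseAge(string $raw): ?int
{
    $age = filter_var(
        $raw,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]
    );
    return $age === false ? null : $age;
}

/**
 * Run the lookup with a prepared statement. The SQL text is fixed;
 * the driver sends $name and $age separately, so they cannot alter it.
 * Note: LIKE still treats % and _ in $name as wildcards (not injection).
 */
function findByNameAndAge(mysqli $mysqli, string $name, int $age): array
{
    $stmt = $mysqli->prepare(
        'SELECT * FROM `table` WHERE name LIKE ? AND age = ?'
    );
    $stmt->bind_param('si', $name, $age); // 's' = string, 'i' = integer
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage with hypothetical connection details (replace with your own):
// $mysqli  = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
// $age     = parseAge($_GET['age'] ?? '');
// if ($age === null) { http_response_code(400); exit('invalid age'); }
// $results = findByNameAndAge($mysqli, $_GET['name'] ?? '', $age);
```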