I have a website that uses a db to store information for site users.

Question

0

Asked: May 30, 20262026-05-30T07:59:11+00:00 2026-05-30T07:59:11+00:00

I have a website that uses a db to store information for site users.

0

I have a website that uses a db to store information for site users. All the mysql db calls are SELECT. I use $_GET to pass variables from page to page that are then used in the mysql SELECT calls. I don’t use UPDATE or INSERT in any of my code.

Do I have to worry about sql injection attacks?
Do I have to protect the db from some other type of attack?

I’m willing to read and learn. I just don’t know if it’s necessary in this case.

My db queries all take the form of:

$leadstory = "-1";
if (isset($_GET['leadstory'])) {
  $leadstory = $_GET['leadstory'];
}

$query_News = "SELECT * FROM news WHERE lead_story = $leadstory";
$News = mysql_query($query_News, $HDAdave) or die(mysql_error());
$row_News = mysql_fetch_assoc($News);
$totalRows_News = mysql_num_rows($News);

Are the first three lines replaced with:

$statement = $db_connection->prepare("SELECT * FROM news WHERE lead_story = ?;';");
$statement->bind_param("s", $leadstory);
$statement->execute();
$row_News = $statement->fetchAll();

What is the replacement for $totalRows_News?

Do I also have to clean the $leadstory?

Thanks for your help.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-30T07:59:13+00:00

Editorial Team

2026-05-30T07:59:13+00:00Added an answer on May 30, 2026 at 7:59 am

Exploits of a Mom (XKCD)

That would a be “yes”, I think.

SELECT * FROM users WHERE name='hacker' or name='Admin' and '1'='1'

With the supplied name being hacker' or name='Admin' and '1'='1

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a website that uses a db to store information for site users.

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply