I have been doing a bit of research on SQL injections and so far

Question

0

Asked: May 24, 20262026-05-24T18:57:30+00:00 2026-05-24T18:57:30+00:00

I have been doing a bit of research on SQL injections and so far

0

I have been doing a bit of research on SQL injections and so far all I can see is when you are concatenating query strings with variables, you have problems.

My question(s) is/are:

If I have this code:

$query  = "SELECT id, name, inserted, size FROM products";
$result = odbc_exec($conn, $query);

Am I subject to sql injection? I didn’t think so but I found a post on stackoverflow that indicated that it was.

Now if I have this code:

$variable = "name";
$query = "SELECT"' .$variable. ' FROM products";
$reulst = odbc_exec($conn, $query);

Am I still stubject to injection? It seems to me that I have full control of that variable and the code is run on the server side so that would be safe. Is this correct?

Thanks in advance for any input!

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-24T18:57:31+00:00

Editorial Team

2026-05-24T18:57:31+00:00Added an answer on May 24, 2026 at 6:57 pm

SQL injection is usually a problem if you have input from a source you can’t trust. Seeing as this is the case in neither of your examples, you’re fine as far as malicious attacks go.

However, it is good practice to escape $variable before inserting it into the query string even if you control it.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have been doing a bit of research on SQL injections and so far

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply