Basic PHP sql injection question

I have been doing a bit of research on SQL injections and so far all I can see is when you are concatenating query strings with variables, you have problems.

My question(s) is/are:

If I have this code:

$query  = "SELECT id, name, inserted, size FROM products";
$result = odbc_exec($conn, $query);

Am I subject to sql injection? I didn't think so but I found a post on stackoverflow that indicated that it was.

Now if I have this code:

$variable = "name";
$query = "SELECT"' .$variable. ' FROM products";
$reulst = odb开发者_Go百科c_exec($conn, $query);

Am I still stubject to injection? It seems to me that I have full control of that variable and the code is run on the server side so that would be safe. Is this correct?

Thanks in advance for any input!

SQL injection is usually a problem if you have input from a source you can't trust. Seeing as this is the case in neither of your examples, you're fine as far as malicious attacks go.

However, it is good practice to escape $variable before inserting it into the query string even if you control it.

You are prone to sql injection if you allow any user input into your queries at all. With the two examples provided, nothing is being input from the user, so these are both safe.

The first query is not subject to injection as there are no dynamic parts to it.

The second is. Even if you think you have full control over your variable, if you are using user supplied data (whether coming from form sumbit, cookies etc...), you can be vulnerable.

Always use parameterized queries through a SQL library that will ensure data is safely escaped.

The only case when a query can get exposed is when parts of it are passed from input.

$variable = $_GET["name"];
$query = "SELECT " .$variable. " FROM products";  // now things can get bad
$reulst = odbc_exec($conn, $query);

One correct way of using input variables inside a query would be to escape them:

$variable = addslashes($_GET["name"]); // sanitizing input
$query = "SELECT " .$variable. " FROM products";  // all good here
$reulst = odbc_exec($conn, $query);

The issue is "where do the values of your variables come from?" If you are using user-submitted data in a query, then you need to be careful how you use it. In your case, you're safe as far as I can tell.

For the first example, no, you won't be subject to any SQL injection because there is nothing a user could input to change your query.

In the second case, you're only subject to injection if $variable is derived from some user input.

Any time you take user input straight into your $query you are susceptible to sql injection. The first code you show is fine, its a straight query, there is no way for the user to input any harmful code.

$query  = "SELECT id, name, inserted, size FROM products";
$result = odbc_exec($conn, $query);

But the second code snippet (if $variable is taken from a form ) anyone could enter in harmful code and kill your database.

$variable = $_POST['name']; **for instance, this would be bad!
$query = "SELECT"' .$variable. ' FROM products";
$reulst = odbc_exec($conn, $query);

How does $variable get its value?