$_GET id does not work for me

0

I have the following code in PHP:

$sql = "SELECT * FROM categorias WHERE categoria_id='{$_GET['id']}'";
$resultado = mysqli_query($con, $sql);

if (mysqli_num_rows($resultado) > 0) {
    while ($row = mysqli_fetch_assoc($resultado)) {
        // ...
    }
}

What am I doing wrong?

    
asked by Josbert Hernandez 09.08.2016 at 14:35

3 answers

2

If you put the following, it would work for you using only PHP:

$sql =  "SELECT * FROM categorias WHERE categoria_id='".$_GET["id"]."'";

but it would bring you SQL injection problems; you could do it the way the link says: link

    
answered by 09.08.2016 at 15:08
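As an added example (not part of the answer above or of the original question): the concatenated query from this answer next to a prepared statement, run against an in-memory SQLite database through PDO so it can be executed offline. The table, its rows and the function names are constructed for this demonstration; the question uses mysqli, whose prepared-statement equivalent is shown in the trailing comment.

```php
<?php
// Added example, not code from the original question or answers.
// Uses PDO + SQLite in memory so it runs without a MySQL server;
// table name, rows and function names are constructed for the demo.
declare(strict_types=1);

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE categorias (categoria_id INTEGER PRIMARY KEY, nombre TEXT)');
    $db->exec("INSERT INTO categorias VALUES (1, 'libros'), (2, 'musica'), (3, 'juegos')");
    return $db;
}

// The answer's approach: the raw request value becomes part of the SQL text.
function findCategoryConcatenated(PDO $db, string $id): array
{
    $sql = "SELECT * FROM categorias WHERE categoria_id='" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value travels as a bound parameter, never as SQL text,
// so the database cannot mistake it for part of the query.
function findCategoryPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM categorias WHERE categoria_id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildDb();

// A normal request, ?id=2: both variants return the single matching row.
print_r(findCategoryConcatenated($db, '2'));
print_r(findCategoryPrepared($db, '2'));

// A hostile request, ?id=' OR '1'='1  (a tautology rather than a stacked
// "; DROP TABLE" statement, because mysqli_query() executes a single
// statement; stacking needs mysqli_multi_query()).
$payload = "' OR '1'='1";
echo "concatenated: ", count(findCategoryConcatenated($db, $payload)), " rows\n";
echo "prepared:     ", count(findCategoryPrepared($db, $payload)), " rows\n";

/* mysqli equivalent of findCategoryPrepared(), for the code in the question:
 *
 * $stmt = mysqli_prepare($con, 'SELECT * FROM categorias WHERE categoria_id = ?');
 * mysqli_stmt_bind_param($stmt, 'i', $id);   // 'i' = bind as integer
 * mysqli_stmt_execute($stmt);
 * $resultado = mysqli_stmt_get_result($stmt);
 * while ($row = mysqli_fetch_assoc($resultado)) { ... }
 */
```

With the tautology payload the concatenated query's WHERE clause becomes `categoria_id='' OR '1'='1'` and every row comes back, while the prepared statement compares the column against the literal string and returns nothing. Concatenating with `.` instead of interpolating with `{}` changes nothing about this; only binding does.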
2

Well, to avoid injection issues, why don't you do something like this, assuming a plain number is expected:

$categoria_id = (int)($_GET["id"] ?? 0);   // cast: anything non-numeric becomes 0 (?? avoids a notice when id is absent)
if($categoria_id > 0 && is_numeric($categoria_id)){   // after the cast is_numeric() is always true; the > 0 test does the work
  $sql =  "SELECT * FROM categorias WHERE categoria_id=".$categoria_id;   // only a positive integer can reach the query
}

Done.

    
answered by 09.08.2016 at 17:20
0

There are two issues with your code: one of security, one of syntax.

First, you allow injection of SQL code because you are not validating or filtering the GET value, and it is the easiest thing to abuse, since you only have to add ?id=''); DROP table users; --

I recommend using the filter_var function, or better yet, filter_input:

// FILTER_VALIDATE_INT rather than FILTER_SANITIZE_NUMBER_INT: the sanitize
// filter never returns false (it turns "abc" into ""), so the check below
// would not reject anything with it
$filteredId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
// returns the integer if it passes the filter,
// null if 'id' is absent, or false if it failed, so you can
// reject the input or abort
if(is_null($filteredId) || $filteredId === FALSE) {
   exit('Invalid data');
}
// now we use the filtered value

Now for the syntax issue: interpolating the variable into the string, as in your code, is correct when it is a scalar (not an array):

$sql = "SELECT * FROM categorias WHERE categoria_id='$filteredId'";

But if you really want to pass an array member, it is easier like this:

$sql = "SELECT * FROM categorias WHERE categoria_id='$array[id]'";

And we insist: avoid at all costs accepting variables that users can manipulate without filtering or validation.

    
answered by 12.08.2016 at 18:41
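As an added example serving the two answers above (not code from either answer): the three ways of turning the id into an integer that they use, the (int) cast from the second answer and the sanitize and validate filters from the third, compared side by side on inputs a sloppy client or an attacker might send, followed by a request helper that accepts only a positive integer. The input strings, the helper name and the simulated request arrays are constructed for this demonstration.

```php
<?php
// Added example, not code from the original answers. Input strings and the
// simulated $_GET arrays below are constructed for the demonstration.
declare(strict_types=1);

// Second answer's approach: a plain (int) cast. It never rejects; it coerces.
function viaCast(?string $raw): int
{
    return (int) $raw;
}

// Third answer's approach: FILTER_SANITIZE_NUMBER_INT deletes every character
// that is not a digit, '+' or '-'. It rewrites the input instead of rejecting it.
function viaSanitize(?string $raw)
{
    return $raw === null ? null : filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
}

// Strict form: FILTER_VALIDATE_INT returns false unless the whole (trimmed)
// string is a decimal integer; min_range also rejects 0 and negatives, which
// are never valid for an auto-increment primary key.
function viaValidate(?string $raw)
{
    if ($raw === null) {
        return null;
    }
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// What a request handler should do with $_GET: return the id as an int, or
// null when it is missing, malformed, out of range, or an array (?id[]=1),
// in which case the caller answers HTTP 400 instead of running any query.
function requireCategoryId(array $get): ?int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Side-by-side table of what each technique makes of a given input.
$samples = ['7', '007', ' 7', '7abc', 'abc', '0', '-3', "' OR '1'='1", '1; DROP TABLE users', null];
printf("%-24s %-8s %-12s %s\n", 'input', 'cast', 'sanitize', 'validate');
foreach ($samples as $raw) {
    printf("%-24s %-8s %-12s %s\n",
        var_export($raw, true),
        var_export(viaCast($raw), true),
        var_export(viaSanitize($raw), true),
        var_export(viaValidate($raw), true));
}

// Simulated requests (constructed): the handler's decision for each.
foreach ([['id' => '2'], ['id' => '2abc'], ['id' => ['2']], []] as $get) {
    $id = requireCategoryId($get);
    echo json_encode($get), ' => ', $id === null ? 'HTTP 400, rejected' : "category $id", "\n";
    // in a real handler: if ($id === null) { http_response_code(400); exit; }
}
```

The table shows why the check in the third answer needs the validate filter: the cast turns "7abc" into 7 and "abc" into 0, the sanitize filter turns "abc" into an empty string and "' OR '1'='1" into "11" without ever returning false, while FILTER_VALIDATE_INT returns false for all of those and for "007", "0" and "-3", and accepts only "7" and " 7". Whatever the id is validated with, it should still be bound as a parameter when the query runs; validation narrows the input, binding keeps it out of the SQL text.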