Today, out of curiosity, I googled for
php mysql email register. This returns tutorials, how-tos, code snippets. Most results include flawed DB statements. This usually means something like
// Don't do this! mysqli_query("SELECT * FROM user WHERE id = '" . $_POST["user'] . "'");
Here is the detailed breakdown. The articles are listed in the order they were suggested to me. I omitted unrelated articles or ones behind a paywall.
- All parameters in SQL queries are escaped categorically
- Incoming data is only escaped where absolutely necessary
- Author attempted some escaping but vulnerability found
- No escaping logic whatsoever
|8||3||link||YouTube||This is part 1 of a series of 3. Part 1 is fine, but there are problems in part 2, as well as part 3 here and here and here|
|9||4||link||morioh||Redirects you to tutsmake.com where the code is to be found|
|22||2||link||developphp||Uses custom RegExes mostly|
I skipped to the next article as soon as I found at least one injection-prone line. There are of course more issues to be found across all 30 results, this is just the result of me quickly skimming them all specifically for sql injection.
Main takeaway for me personally is the dreadful quality of the majority of Google's search results. Several of these results were, simply put, SEO-optimized baloney.