SQL Injection Vulnerability

Database query contains unsanitized user input, allowing SQL injection attacks

Quick Answer

Never concatenate user input into SQL queries. Always use PDO prepared statements with parameterized queries to prevent SQL injection.

Why This Happens

SQL injection occurs when user input is directly concatenated into SQL queries, allowing attackers to modify the query logic. They can extract data, modify records, or even drop tables. Prepared statements with bound parameters completely prevent this by separating SQL code from data.

The Problem

// VULNERABLE: direct string concatenation puts untrusted input into the SQL text
$username = $_POST['username'];
$query = "SELECT * FROM users WHERE username = '$username'";
$result = $pdo->query($query);
// Attacker: username = ' OR '1'='1
// The query becomes: SELECT * FROM users WHERE username = '' OR '1'='1'
// which matches every row in the table

The Fix

// FIXED: the placeholder is bound as data, so the input can never change the query logic
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
$stmt->execute(['username' => $_POST['username']]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

Step-by-Step Fix

  1. Find concatenated queries

    Search for SQL queries that include PHP variables via string concatenation or interpolation. These are SQL injection vulnerabilities.

  2. Convert to prepared statements

    Replace all dynamic SQL with PDO prepared statements using named (:param) or positional (?) placeholders.

  3. Set PDO error mode

    Configure PDO with ERRMODE_EXCEPTION to catch query errors: new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]).
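The following is an added example, not code from the original page: it runs the vulnerable query and the prepared-statement fix side by side against an in-memory SQLite database so the difference is observable, and shows the one case placeholders cannot cover (a user-chosen sort column). It assumes the pdo_sqlite driver is installed; the table, rows and function names (lookupVulnerable, lookupSafe, listUsersSortedBy) are constructed for this example.

```php
<?php
// Added example, not from the original page: runs the page's vulnerable query and
// its prepared-statement fix against an in-memory SQLite database so the difference
// is observable. Assumes the pdo_sqlite driver; the table and rows are constructed.

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // step 3: errors become exceptions
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob'), ('carol')");

// VULNERABLE: the quote in $username closes the string literal, and the rest of
// the input is parsed as SQL, so the WHERE clause no longer restricts anything.
function lookupVulnerable(PDO $pdo, string $username): array
{
    $query = "SELECT * FROM users WHERE username = '$username'";
    return $pdo->query($query)->fetchAll();
}

// FIXED (named placeholder): the value travels separately from the SQL text and
// is only ever compared against the username column as data.
function lookupSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
    $stmt->execute(['username' => $username]);
    return $stmt->fetchAll();
}

// Placeholders bind values only. Identifiers such as a sort column cannot be
// bound, so map them through an allowlist instead of interpolating user input.
function listUsersSortedBy(PDO $pdo, string $column): array
{
    $allowed = ['id' => 'id', 'username' => 'username'];
    if (!isset($allowed[$column])) {
        throw new InvalidArgumentException("unsupported sort column: $column");
    }
    $stmt = $pdo->query('SELECT * FROM users ORDER BY ' . $allowed[$column]);
    return $stmt->fetchAll();
}

// The page's attacker-supplied value, standing in for $_POST['username'].
$input = "' OR '1'='1";

printf("vulnerable query returned %d of %d rows for input %s\n",
    count(lookupVulnerable($pdo, $input)), count(listUsersSortedBy($pdo, 'id')),
    var_export($input, true));
printf("prepared statement returned %d rows for the same input\n",
    count(lookupSafe($pdo, $input)));
```

Run it with `php example.php`: the vulnerable lookup returns every user for the page's payload, while the prepared statement returns none because no username literally equals that string.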

Bugsly catches this automatically

Bugsly's AI analyzes this error pattern in real-time, explains what went wrong in plain English, and suggests the exact fix — before your users even report it.
