Question

I am learning PHP on my own and was wondering if I would be susceptible to SQL injections if I make the database name a $_GET even if the normal command goes through a PDO function?

ex.

    $hostname_Database = "blocked";
    $database_Database = $_GET['henryfor'];   // database name taken straight from the query string
    $username_Database = "blocked";
    $password_Database = "blocked";

    // the original read $hotname_Database here, an undefined variable; corrected to $hostname_Database
    $dbh = new PDO("mysql:host=$hostname_Database;dbname=$database_Database", $username_Database, $password_Database);
...

Solution

If you allow the database name to come from $_GET you are allowing the end user to choose the database name. Normally this is a very bad idea, but for specialized applications (e.g. phpMyAdmin) that might be acceptable.

Additionally, because you're adding the name into a string with other connection information, there is nothing stopping the user from putting a ";" in the name, and then providing values for other parameters in the connection string.

So this isn't exactly the same as a SQL injection attack, but is in the same general category.

Like Waleen Khan said, you probably want to filter the database name so that only a white list of acceptable values is allowed. If that's not an option, you want to read up on whether the connection string supports some kind of escaping, and either escape special characters or filter them out.
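The white-list approach from the answer, written out as an added example (this is not code from the question or the answer). The PDO MySQL DSN has no quoting or escaping mechanism, so the practical fix is to never interpolate the raw request value at all: the name is compared exactly against a fixed allow-list and only the matching constant reaches the DSN. The allow-list entries, the host and the `henryfor` parameter handling are assumptions for the demonstration; no connection is opened.

```php
<?php
// Added example: build the PDO DSN only from an allow-list of database names,
// so that user input never becomes part of the connection string.
// ALLOWED_DATABASES and the host below are placeholders, not from the original post.

const ALLOWED_DATABASES = ['inventory', 'reports'];

/**
 * Return the requested name if it is on the allow-list, otherwise null.
 * The comparison is strict and case-sensitive: a value carrying a ';' and a
 * second DSN parameter, or a differently cased name, is rejected.
 */
function selectDatabase(?string $requested): ?string
{
    if ($requested === null) {
        return null;
    }
    return in_array($requested, ALLOWED_DATABASES, true) ? $requested : null;
}

/**
 * Build the DSN from a fixed host and a validated name. Anything that is not
 * on the allow-list throws instead of being interpolated into the string.
 */
function buildDsn(string $host, ?string $requested): string
{
    $dbname = selectDatabase($requested);
    if ($dbname === null) {
        throw new InvalidArgumentException('Unknown database requested');
    }
    return "mysql:host=$host;dbname=$dbname;charset=utf8mb4";
}

// Demonstration with constructed inputs: one valid name, one carrying an
// extra DSN parameter after ';', one with the wrong case, and an empty value.
$host = 'db.internal.example';   // placeholder host
$samples = ['inventory', 'inventory;charset=latin1', 'Inventory', ''];
foreach ($samples as $input) {
    try {
        echo buildDsn($host, $input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($input, true), PHP_EOL;
    }
}

// In the real application only the validated name reaches PDO, e.g.:
// $dbh = new PDO(buildDsn($hostname_Database, $_GET['henryfor'] ?? null),
//                $username_Database, $password_Database);
```

Running the script prints the DSN for `inventory` and `rejected: ...` for the other three inputs. Keeping the allow-list as a constant (rather than, say, querying `SHOW DATABASES`) also means a user cannot reach databases that merely happen to exist on the server but were never meant to be selectable.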

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow