Friday, 26 August 2016

Site got SQL-injected while using bind_param

Today I discovered my site got hacked through SQL injection. Even though I am using bind_param, I thought this was impossible.

if ($_GET['api'] == 'info')
  {
  $status = 'Test';
  // Three '?' placeholders; the SQL text itself contains no user input
  $stmt = $mysqli->prepare("INSERT INTO information(one, two, status) VALUES (?,?,?)");
  // 'sss': all three values are bound as strings, by reference, at execute time
  $stmt->bind_param('sss', $_GET['1'], $_POST['2'], $status);
  $stmt->execute();
  $stmt->close();
  }

What am I doing wrong?
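The INSERT quoted in the question sends the SQL text and the three values to the server separately, so whatever is in $_GET['1'] or $_POST['2'] is stored verbatim and never parsed as SQL; an injection on the same site would have to come from a query that pastes user input into the SQL string. The added example below is not the poster's code: it uses Python's sqlite3 module (chosen because it runs stand-alone, the placeholder mechanism is the same as mysqli's bind_param) and a constructed table with the poster's column names, and runs a classic `' OR '1'='1` payload through a concatenated query and through a bound one so the difference is visible.

```python
import sqlite3

# Constructed sample data using the column names from the question.
ROWS = [("alice", "a1", "Test"), ("bob", "b2", "Test"), ("carol", "c3", "Live")]

# Constructed attacker input: closes the quote and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def make_db():
    """In-memory database with the same table shape as the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE information(one TEXT, two TEXT, status TEXT)")
    conn.executemany("INSERT INTO information VALUES (?,?,?)", ROWS)
    conn.commit()
    return conn


def lookup_concat(conn, one):
    """VULNERABLE: user input becomes part of the SQL text.

    This is the pattern the question's snippet does NOT use; it is the kind of
    query that would explain an injection on a site that also uses bind_param.
    """
    sql = "SELECT one, two FROM information WHERE one = '" + one + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, one):
    """SAFE: '?' placeholder plus a separately passed value.

    The SQL text never changes; the value is handed to the engine as data,
    exactly as mysqli's prepare()/bind_param()/execute() does.
    """
    return conn.execute(
        "SELECT one, two FROM information WHERE one = ?", (one,)
    ).fetchall()


def insert_bound(conn, one, two, status="Test"):
    """Mirror of the question's INSERT; returns the stored value of `one`."""
    conn.execute(
        "INSERT INTO information(one, two, status) VALUES (?,?,?)",
        (one, two, status),
    )
    conn.commit()
    return conn.execute(
        "SELECT one FROM information WHERE two = ?", (two,)
    ).fetchone()[0]


def demo():
    """Run the payload through both query styles and the bound INSERT."""
    conn = make_db()
    return {
        # Concatenation turns the WHERE clause into  one = '' OR '1'='1'
        # and returns every row.
        "concat_rows": len(lookup_concat(conn, PAYLOAD)),
        # Binding looks for a literal value equal to the payload: no rows.
        "bound_rows": len(lookup_bound(conn, PAYLOAD)),
        # The bound INSERT stores the payload as plain text, quotes and all.
        "stored_value": insert_bound(conn, PAYLOAD, "x9"),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, `lookup_concat` returns all three constructed rows while `lookup_bound` returns none, and the bound INSERT stores the payload string unchanged. The practical check for a site that "uses bind_param but still got injected" is therefore to grep for any query built with string concatenation or interpolation rather than placeholders, including ones that take their input from somewhere other than $_GET/$_POST.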

No comments:

Post a comment