0.0/10 · public roast · verdict: needs_serious_help · PHP · 5 lines · 3 focus points
"SQL injection nightmare fueled by laziness"
Here is the breakdown of what hurt your score, plus a cleaned-up version you can use as a starting point. If the roast feels fair, share it. If it feels unfair, paste better code next time.
score: 0.0 / 10 · fixed output: 6 lines · line delta: +1
// summary
Your strongest next move is to fix the highest-severity issue first, then compare the cleanup against the original before shipping anything.
// sharing
Public roasts can land in the leaderboard. Private reviews stay out of it and are better for real code you do not want exposed.
// compare
Use the original and fixed blocks below to spot naming, logic, and structure changes quickly instead of reading the whole thing twice.
// your_submission
SqlInjectionVortex.php
<?php
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = " . $id;
$result = $db->query($query);
?>
// detailed_analysis
! SQL Injection
You're directly injecting user input into the SQL query. Congratulations, you've just opened the doors to a world of SQL injection attacks. Get a security book, or better yet, a career change.
! Lack of Input Sanitization
Where's the input validation? Did you just assume users would play nice? Newsflash: they won't. Sanitize, validate, and for the love of security, use prepared statements.
? Potential Database Exposure
Your code is a leak waiting to happen. With no error handling and a direct query execution, you're risking exposing your database credentials. Add some error handling, and consider using an ORM or a query builder.
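A fuller fix that covers all three focus points at once, written here as an added example rather than the roast's own suggested fix: it validates the id so malformed input is rejected instead of silently cast, binds it through a prepared statement, and logs driver errors instead of surfacing them. It assumes PHP 8 (for the `mixed` hint) and uses PDO over an in-memory SQLite table with constructed rows so it runs offline; the page's fix uses mysqli, but the prepare/bind pattern is identical.

```php
<?php
// Added example (not the roast's suggested fix). Assumes PHP 8 and the pdo_sqlite
// extension; the in-memory users table below is a constructed fixture.
declare(strict_types=1);

function fetchUserById(PDO $db, mixed $rawId): ?array
{
    // (int) "7abc" silently becomes 7 and (int) "abc" becomes 0, so a cast does not
    // reject bad input; FILTER_VALIDATE_INT only accepts a whole positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    try {
        // The placeholder keeps $id out of the SQL text; it travels as a bound value.
        $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        // Keep driver messages server-side; the caller only ever sees "no result".
        error_log('user lookup failed: ' . $e->getMessage());
        return null;
    }
}

// Constructed fixture standing in for the real users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (42, 'alice'), (43, 'bob')");

// Simulated $_GET['id'] values: one good id, two malformed, one absent row.
foreach (['42', '7abc', '-5', '999'] as $input) {
    $row = fetchUserById($db, $input);
    echo str_pad($input, 6) . '=> ' . ($row === null ? 'rejected or not found' : $row['name']) . PHP_EOL;
}
```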
// suggested_fix
original: 5 lines · fixed: 6 lines
SqlInjectionVortex_fixed.php
+$id = (int) $_GET['id'];
+$query = "SELECT * FROM users WHERE id = ?";
+$stmt = $db->prepare($query);
+$stmt->bind_param("i", $id);
+$stmt->execute();
+$result = $stmt->get_result();
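Review bot: the fixed block still has no error handling, which is exactly the third focus point above: `$db->prepare($query)` returns `false` when preparation fails, so `$stmt->bind_param("i", $id)` on the next line would be called on `false`, and `$_GET['id']` is read without checking that the key exists. Guard with `if ($stmt === false) { ... }` (or call `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` so mysqli throws instead) and read the parameter as `$_GET['id'] ?? null`. Note also that the `<?php` opening tag present in the original submission is missing here, so as written the file would be served as plain text.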