Is the following code vulnerable to SQL Injection ($mysqli is an instance of the MySQLi class)?
$age = $mysqli->real_escape_string($_GET['age']);
$name = $mysqli->real_escape_string($_GET['name']);
$query = "SELECT * FROM `table` WHERE name LIKE '$name' AND age = $age";
$results = $mysqli->query($query);

A . No, the code is fully protected from SQL Injection.
B . Yes, because the $name variable is improperly escaped.
C . Yes, because the $name variable and the $age variable are improperly escaped.
D . Yes, because the $age variable is improperly escaped.
E . Yes, because you cannot prevent SQL Injection when using MySQLi.

Answer: D

real_escape_string only escapes characters that matter inside a quoted string literal; $age is interpolated into the query unquoted, so escaping does not constrain it to a numeric value, while $name is both escaped and quoted.
