== Why is this an issue?

This rule will check that:

* the sql query is not built using a concatenation
* there is at least a call to bindParm between the call to prepare and fetch on the PDO connection object


=== Noncompliant code example

[source,php]
----
$id = $_GET['id'];
try {
    $conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);    

    $stmt = $conn->prepare('SELECT * FROM myTable WHERE id = ' + $id);

    while($row = $stmt->fetch(PDO::FETCH_OBJ)) {
        echo $row->name;
    }
} catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}
----


=== Compliant solution

[source,php]
----
$id = $_GET['id'];
try {
    $conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);    

    $stmt = $conn->prepare('SELECT * FROM myTable WHERE id = :id');
    $stmt->bindParam(':id', $id, PDO::PARAM_INT);

    while($row = $stmt->fetch(PDO::FETCH_OBJ)) {
        echo $row->name;
    }
} catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}
----


== Resources

* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

=== on 28 Jul 2015, 11:15:41 Ann Campbell wrote:
\[~alexandre.gigleux] isn't this just like the subtask I closed yesterday? I rolled the gist of that one into the other subtask...

=== on 28 Jul 2015, 11:25:14 Alexandre Gigleux wrote:
That's correct. Creating it as a SubTask was not correct hence why I created again as a Task. 

=== on 28 Jul 2015, 11:32:20 Ann Campbell wrote:
There's no need for this RSpec [~alexandre.gigleux]. I've already rolled the gist of it into the other subtask.

endif::env-github,rspecator-view[]