Menu
Is it possible to send a POST request with SQL Injection without using any form ? supposing an application use GET methods with id params to check on the database if that id exist, can it be done if we would use POST method instead ?
715
asked May 19 '26 07:05
SQL injection can happen through any mechanism where user data ends up directly in the query. It doesn't depend on GET vs. POST, and it doesn't even depend on HTTP.
You can SQL inject with OCR. You can SQL inject with barcodes. You can SQL inject any time someone is careless and doesn't properly escape data.
This is why it's important to use prepared statements with placeholder values for all your queries.
175
Why would there be any difference between the safety of GET vs. POST data?
$sql = "SELECT * FROM products WHERE id = {$_GET['id']}";
vs.
$sql = "SELECT * FROM products WHERE id = {$_POST['id']}";
In both cases, it's untrusted content, and this is not safe to interpolate into your SQL query.
Use query parameters. Then you don't need to worry about where the data came from.
$sql = "SELECT * FROM products WHERE id = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute( [ $_POST['id'] ] );
Using query parameters is easy and safe!
23
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
