<<< Previous question <<< Question ID#0716.md >>> Next question >>>
What is wrong in the following code (assume that $db is an instance of mysqli, mytable exists and has a column called student):
$sql = "SELECT student FROM mytable WHERE student = '$_POST["student"]'";
if ($result = $db->query($sql)) {
while($row = $result->fetch_object())
echo $row->student;
}- A) The script is vulnerable to SQL Injection
- B) Nothing is wrong
- C) An XSS atack
- D) It is not PHP 7 valid code
Answer
Answer: D