Is this GET safe against SQL injection? [duplicate]

I'm developing a website and I'm asking if this little code is vulnerable to SQL injection or if it's secure:

$param1 = $_GET['param1'];
$sql_news="select * from table1 where attr1 = '$param1'"; 

Can I stay in peace?

Thanks

No, someone could set $param1 to, for example, ' OR '1'='1, which would return the complete content of the table.
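
The query from the question beside a bound-parameter version, as an added example that is not part of the original posts. It assumes PHP with the PDO SQLite driver; the in-memory table, its rows, the `body` column and the function names `find_concatenated` and `find_prepared` are constructed for illustration.

```php
<?php
// Constructed demo data: an in-memory SQLite table standing in for table1.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE table1 (id INTEGER PRIMARY KEY, attr1 TEXT, body TEXT)");
$pdo->exec("INSERT INTO table1 (attr1, body) VALUES
    ('sports', 'row 1'), ('politics', 'row 2'), ('weather', 'row 3')");

// Pattern from the question: the value is pasted into the SQL text,
// so a quote inside it ends the string literal and the rest is parsed as SQL.
function find_concatenated(PDO $pdo, string $param1): array
{
    $sql_news = "select * from table1 where attr1 = '$param1'";
    return $pdo->query($sql_news)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed and the value is bound separately,
// so quotes inside it stay data and cannot change the WHERE clause.
function find_prepared(PDO $pdo, string $param1): array
{
    $stmt = $pdo->prepare('select * from table1 where attr1 = :attr1');
    $stmt->execute([':attr1' => $param1]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-ins for $_GET['param1']: a normal value and the value from the answer.
$inputs = ['sports', "' OR '1'='1"];
foreach ($inputs as $param1) {
    printf(
        "%-14s concatenated: %d row(s), prepared: %d row(s)\n",
        $param1,
        count(find_concatenated($pdo, $param1)),
        count(find_prepared($pdo, $param1))
    );
}
```

With the value from the answer, the concatenated query matches every row in the table, while the prepared statement looks for a row whose `attr1` is literally that string and finds none.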