
Is this sql query vulnerable to injection?

Developer https://www.devze.com 2023-02-22 02:02 Source: web
// The column name is taken straight from the URL and interpolated into the SQL text
$column = $_GET['id'];
$result = mysql_query("SELECT $column FROM table");
echo $result;

I'm building a website with mysql and am thus trying to learn about sql injections. I assume that this code is vulnerable, but I can't seem to make a working exploit. How would I pull column 'here' from table 'example2'?

Thanks


Imagine $_GET['id'] was equal to something like this:

* FROM anytable_i_want; -- 

The double hyphen means the rest of your string is a comment, so now the SQL you're executing is:

SELECT * FROM anytable_i_want;

The single best way to protect from this kind of nonsense is the prepared statement. If you use, say, the PDO interface, you do something like this:

$HANDLE = $PDO->prepare('SELECT ? FROM mytable');
$HANDLE->execute(array($_GET['id']));

Now, no matter what was submitted as $_GET['id'], it wouldn't have any odd effects.

mysql_real_escape_string will cover you if you are using the mysql_ family of functions, although there is an exploit in the wild that you may be subject to if you change the charset at runtime.
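The following is an added example, not code from the question or from any of the answers. It reproduces the query from the question in Python with sqlite3 so it runs stand-alone (the page's code is PHP against MySQL, but the SQL semantics involved are the same), runs the `here FROM example2 -- ` payload suggested below against it, shows what binding a `?` placeholder in the column position actually returns, and then gives a hardened version. The table names `mytable` and `example2`, the column `here`, and all rows are constructed for the example; the allow-list of column names is an assumption about what the application intends to expose.

```python
import sqlite3

# Constructed sample schema and data; not the asker's real database.
SCHEMA = """
CREATE TABLE mytable (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO mytable (name) VALUES ('alice'), ('bob');
CREATE TABLE example2 (here TEXT);
INSERT INTO example2 (here) VALUES ('secret-1'), ('secret-2');
"""


def fresh_db():
    """Return an in-memory database populated with the sample data above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_query(conn, column):
    """Mirrors mysql_query("SELECT $column FROM mytable"): the caller-supplied
    string is pasted into the SQL text, so it can change which table is read."""
    sql = f"SELECT {column} FROM mytable"
    return [row[0] for row in conn.execute(sql)]


def bound_identifier_query(conn, column):
    """What $PDO->prepare('SELECT ? FROM mytable') really does: the placeholder is
    bound as a string VALUE, so each row yields the literal text of `column`,
    not the contents of that column. Placeholders cannot carry identifiers."""
    return [row[0] for row in conn.execute("SELECT ? FROM mytable", (column,))]


# Assumed allow-list: the only columns the page is meant to expose.
ALLOWED_COLUMNS = {"id", "name"}


def safe_query(conn, column, min_id=0):
    """Hardened form. The column name is checked against the allow-list and then
    quoted as an identifier (double quotes in SQLite, backticks in MySQL); the
    data value min_id is bound with a placeholder and never enters the SQL text."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    sql = f'SELECT "{column}" FROM mytable WHERE id >= ?'
    return [row[0] for row in conn.execute(sql, (min_id,))]


if __name__ == "__main__":
    conn = fresh_db()
    print(vulnerable_query(conn, "name"))
    # The `--` comments out the trailing ` FROM mytable` of the original query,
    # so the statement becomes: SELECT here FROM example2
    print(vulnerable_query(conn, "here FROM example2 -- "))
    print(bound_identifier_query(conn, "name"))
    print(safe_query(conn, "name", 2))
    try:
        safe_query(conn, "here FROM example2 -- ")
    except ValueError as exc:
        print("rejected:", exc)
```

The point the script makes in one run: the payload pulls `example2.here` through a query that was written to read `mytable`, a bound placeholder in the column position returns the string `name` twice rather than the names, and the only defence for an attacker-controlled identifier is an allow-list, with prepared-statement placeholders reserved for values.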


Take a look at PDO and the use of prepared statements to help with preventing SQL injections:

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/


Make $column something like:

" here FROM example2 -- "


If the following text was passed as $_GET['id'], you would have an exploit:

$_GET['id'] = '[other sql commands here]';

Use either mysql_real_escape_string() or mysqli_real_escape_string() (if you are using the improved interface).

