SQL Injection

A SQL Injection vulnerability occurs when variables are passed directly from a web application into a query.  For example the following code inserts the $propertyID value directly into a query.

public function getEstimateList($propertyID)
    {
        return     $this->sql2array("
                           select PROPERTY_ESTIMATES_ID, PROPERTY_ID, BUSINESS_ID,
                                  ESTIMATE_YEAR, ESTIMATE_TITLE
                           from   PROPERTY_ESTIMATES
                           where  PROPERTY_ID = $propertyID
                           order  by ESTIMATE_YEAR, ESTIMATE_TITLE");
    }

This works fine when $propertyID holds a valid numeric value (12 for example) but there's nothing to stop a user passing something like:

12 or 1=1

This would be interpreted as:

where  PROPERTY_ID = 12 or 1=1

Effectively an open query.  Use bind variables to avoid the potential for SQL Injection. Example:

public function getEstimateList($propertyID)
    {
        $query = "select PROPERTY_ESTIMATES_ID, PROPERTY_ID, BUSINESS_ID,
                                  ESTIMATE_YEAR, ESTIMATE_TITLE
                           from   PROPERTY_ESTIMATES
                           where  PROPERTY_ID = :var1
                           order  by ESTIMATE_YEAR, ESTIMATE_TITLE";
         $stmt = $this->connection->prepareStatement($query);
         $stmt->setInt(1, $propertyID);
         $rs = $stmt->executeQuery();
        return $rs; 
    }

This causes the $propertyID value to be evaluated in its entirety against property_id. Passing additional conditions will cause it to fail since the PROPERTY_ID column is unlikely to hold the value "12 or 1=1".