be sure to read the prequel if you haven't done anything like that before:
https://www.pentesterlab.com/from_sqli_to_shell.html
If I use SQL parameters in my queries, am I still vulnerable to SQL injection? What about using a (sane) ORM?

Basically, is it only PHP apps that hand-build queries that are vulnerable to SQL injection?
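The distinction the question turns on, shown as an added example that is not part of the thread (Python with the standard-library sqlite3 module; the users table, its three rows, the login payload and the ALLOWED_SORT_COLUMNS whitelist are all constructed for illustration). The same SELECT is run once with the input spliced into the SQL text and once with bound parameters, and a third query shows the case parameters cannot cover: a client-chosen ORDER BY column, which no driver can bind and which an ORM's raw/`order_by` escape hatch will pass straight through.

```python
import sqlite3

# Constructed sample data (not from the thread): name, password, creation order.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55word")]

# Assumed whitelist for the ORDER BY case: parameters cannot bind identifiers,
# so a column name chosen by the client must be checked against a fixed set.
ALLOWED_SORT_COLUMNS = {"name", "created"}


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, created INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(name, pw, i) for i, (name, pw) in enumerate(USERS)],
    )
    return conn


def login_concat(conn, name, password):
    """Hand-built query: user input is spliced into the SQL text (vulnerable)."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Same query with bound parameters: input travels as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def list_users_raw_order(conn, sort_expr):
    """Parameters protect values only; an interpolated ORDER BY term reopens injection."""
    sql = f"SELECT name FROM users ORDER BY {sort_expr}"
    return [row[0] for row in conn.execute(sql)]


def list_users_safe_order(conn, sort_col):
    """The client-chosen identifier is checked against the whitelist before interpolation."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_col!r}")
    sql = f"SELECT name FROM users ORDER BY {sort_col}"
    return [row[0] for row in conn.execute(sql)]


def probe_first_char(conn, guess):
    """Blind boolean probe through the ORDER BY sink.

    Returns True if alice's password starts with `guess`. The payload sorts
    ascending by `created` when the guess is right and descending otherwise,
    so the row order leaks one bit per request with no error and no echo.
    """
    payload = (
        "CASE WHEN (SELECT substr(password, 1, 1) FROM users WHERE name = 'alice') "
        f"= '{guess}' THEN created ELSE -created END"
    )
    return list_users_raw_order(conn, payload)[0] == "alice"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    # Spliced: WHERE name = 'alice' AND password = '' OR '1'='1'  -> every row matches
    print("concat:", login_concat(db, "alice", payload))
    # Bound: the quote is an ordinary character in a value that matches nothing
    print("param: ", login_param(db, "alice", payload))
    print("probe 's':", probe_first_char(db, "s"), " probe 'x':", probe_first_char(db, "x"))
    try:
        list_users_safe_order(db, payload)
    except ValueError as exc:
        print("whitelist rejected:", exc)
```

The parameterized login is not merely escaping the quote: the database receives the query shape and the values separately, so no value can change the shape. That protection ends exactly where the value stops being a value, which is why the ORDER BY case needs a whitelist (or a mapping from client tokens to column names) rather than a parameter, whether the query is written by hand or emitted by an ORM.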