16 of 30 Google results contain SQL injection vulnerabilities

Today, out of curiosity, I googled for php mysql email register. This returns tutorials, how-tos, code snippets. Most results include flawed DB statements. This usually means something like

// Don't do this!
mysqli_query("SELECT * FROM user WHERE id = '" . $_POST["user'] . "'");

Here is the detailed breakdown. The articles are listed in the order they were suggested to me. I omitted unrelated articles or ones behind a paywall.

Possible statuses:

1. All parameters in SQL queries are escaped categorically
2. Incoming data is only escaped where absolutely necessary
3. Author attempted some escaping but vulnerability found
4. No escaping logic whatsoever

# Status URL Site Notes 1 3 link CodeWithAwa "SELECT * FROM users WHERE email='$email' LIMIT 1"; 2 1 link envatotuts+ 3 1 link Code Boxx 4 1 link Aaraf Academy 5 3 link Webslesson WHERE user_activation_code = '".$user_activation_code."' 6 2 link CodingNepal 7 3 link YouTube Timestamp provided 8 3 link YouTube This is part 1 of a series of 3. Part 1 is fine, but there are problems in part 2, as well as part 3 here and here and here 9 4 link morioh Redirects you to tutsmake.com where the code is to be found 10 3 link Webs Codex "SELECT * FROM users WHERE otp = '$postOtp' 11 1 link CodeShack 12 1 link webtipstricks 13 4 link studentstutorial 14 4 link positronX.io 15 1 link Mage Mastery 16 1 link phppot 17 4 link TalkersCode 18 3 link OurSourceCode $query = "update users set status='1' where token='$token'"; 19 1 link DZone 20 3 link Sourcecodester mysqli_query($conn,"select * from user where userid='$user'"), Also, using htmlspecialchars() for SQL escaping everywhere 21 4 link coding cyber 22 2 link developphp Uses custom RegExes mostly 23 4 link ProgrammerSought 24 1 link Grepper 25 1 link CodeAndCourse 26 4 link w3tweaks 27 1 link Speedy Sense 28 1 link Technopoints 29 4 link Techno Smarter 30 4 link FormGet

I skipped to the next article as soon as I found at least one injection-prone line. There are of course more issues to be found across all 30 results, this is just the result of me quickly skimming them all specifically for sql injection.

Main takeaway for me personally is the dreadful quality of the majority of Google's search results. Several of these results were, simply put, SEO-optimized baloney.