
I am using following method for MySQL queries:

$sql = "SELECT * FROM mytable WHERE `myTableId`=" . (int)$myId;

Is this a completely safe method or is there a way to inject some sql into the database with this method? Any better alternative?

6 Answers

4

It can lead to unintended consequences, e.g.

$myId = 'blahblahblah';

would result in

... WHERE myTableId=0

maybe not such a big deal in this case, but if (say) you're doing a permissions system and "super-duper-ultra-high-level-user-with-more-power-than-god" has permission level 0, then it's a nice way to bypass security.


2 Comments

I don't like the example. what prevents the user from entering literal 0?
@Col. Shrapnel Nothing – and in case of MySQL the first auto-increment value of a column is always 1 (one) to prevent such mistakes…
3

If you truly want to avoid SQL injection, your best bet is to use PDO and prepared statements. check out http://www.php.net/pdo and http://www.php.net/manual/en/pdo.prepare.php

2 Comments

Sure, but do you really need a prepared statement in every case? $database->exec('DELETE FROM user WHERE id = ' . (int)$uid . ';');
@feeela so to say - yes. The whole point of prepared statements is to make the developer not think of the matter yet be safe. And it can be achieved only if used with no exceptions.
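An added example (not from the question or any of the answers) that ties the two points above together: the (int) cast silently maps non-numeric input to 0, whereas validating first and then binding the id as a typed PDO parameter rejects such input up front. It uses an in-memory SQLite database with constructed rows so it runs stand-alone; mytable and myTableId are the question's names, the other columns and the level-0 "superuser" row are assumed to mirror the permission-level scenario in the first answer.

```php
<?php
// Added example, not code from the original thread. Contrasts (int) casting
// with validation plus a prepared statement whose parameter is typed as int.
declare(strict_types=1);

// Accept only a strictly positive integer string. Unlike (int), FILTER_VALIDATE_INT
// rejects "", "12abc", "7 OR 1=1", "1e3" instead of coercing them; min_range => 1
// also rejects "0" (assumption: ids start at 1, as MySQL auto-increment does).
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one row through a prepared statement; the value is bound as an integer,
// so it is never interpolated into the SQL text at all.
function fetchById(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM mytable WHERE myTableId = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In-memory SQLite stands in for MySQL; the rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (myTableId INTEGER PRIMARY KEY, name TEXT, level INTEGER)');
$db->exec("INSERT INTO mytable VALUES (0, 'superuser', 0), (7, 'alice', 3)");

foreach (['7', 'blahblahblah', '7 OR 1=1', '0'] as $input) {
    // The question's approach: (int) keeps the SQL well-formed, but turns
    // "blahblahblah" into 0 and would happily select the level-0 row.
    $cast = (int)$input;
    // Validation rejects anything that is not a clean positive integer.
    $valid = validateId($input);
    printf("input=%-16s (int)=%d validated=%s row=%s\n",
        var_export($input, true), $cast,
        $valid === null ? 'rejected' : (string)$valid,
        $valid === null ? '-' : json_encode(fetchById($db, $valid)));
}
```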
2

This should be perfectly safe, without any drawbacks, as long as the input can be cast to int.

Comments

0

make it like this

$sql="select `username` from `users` where id='$newid';";
mysql_query($sql);

here $newid is the int value. The symbol used before and after username: to get this you have to press the key just below Esc.

1 Comment

If you see a question where you can post the exact same answer, the correct thing to do is vote or flag the newer question as a duplicate of the older one. It's rare that the same answer is correct for two completely different questions.
-1

I would probably use sprintf instead - but I don't see that it is much different from what you are doing. Placing the integer in quotes may also help.

$sql = sprintf("SELECT * FROM mytable WHERE `myTableId`='%d'", $myId);

Should probably add that you may want to deal with the case when conversion to integer fails. So don't have a table zero.

4 Comments

what does it mean - "Placing the integer in quotes may also help"? How it can help alone?
Because then it gets passed as a string to mysql rather than an integer or possibly a special character that could be used for injection
Did I say that just adding quotes magically protects you from all sql injection? No I don't think I did!
I think you did. As you didn't say anything else.
-2

No need for the Int if you are just worrying about the mysql injection. To prevent mysql injection you can use mysql_real_escape_string.

What you have right now will block all mysql injection if your mysql condition is only for int but if the situation is like this:

$username = $_GET["username"];
SELECT * FROM customers WHERE username = '$username'

if the $username value is *\' OR 1* you're in trouble or I should say you're dead

if the $username value is *\'; DELETE FROM customers WHERE 1 or username = * you're very dead + doomed

To prevent this from happening use mysql_real_escape_string

$username = mysql_real_escape_string($_GET["username"]);

12 Comments

oh. that grave delusion again. mysql_real_escape_string is not for preventing injections. and your answer WILL lead to injection.
Please read this first before you say some accusations php.net/mysql_real_escape_string
Or at least google or research first? Or you could explain me why mysql_real_escape_string will not block injection. Then I will accept that I am wrong.
if the OP will do what you say, $myId = mysql_real_escape_string($myId); he'd get the query vulnerable to sql injection. So, in your place I wouldn't say that "No need for the Int if you are just worrying about the mysql injection. To prevent mysql injection you can use mysql_real_escape_string.". For the explanation you can refer to the links you posted.
I see. Thank you guys. I learn a lot here :D I'm just 17 anyway there is more for me to learn.
