8

I have an application that takes data via a POST request. I am using this data to insert a new row into the database. I know that using mysql_real_escape_string() (plus removing % and _) is the way to go for strings, but what about integer values? Right now, I am using the PHP function intval() on them.

However, I wanted to make sure that intval() is perfectly safe. I can't see a way of an attacker preforming a SQL injection attack when the variables are run through intval() first (since it always returns an integer), but I wanted to make sure this is the case from people that have more experience than I.

Thanks.

Improve this question
2
  • Heads up: If you're dealing with numbers larger than 32 or 64 bits (depending on your platform) intval() will return zero. This is obviously undesirable if you're attempting to store very large numbers in your database. For example, facebook's ids haven't fit in 32 bits for years developers.facebook.com/blog/post/45 Commented Jul 8, 2010 at 21:46
  • @Frank Farmer: Hm.. that's interesting. Thanks for the heads up. I'll look into what we can do to solve that problem, if it is needed. Commented Jul 8, 2010 at 21:50

4 Answers 4

Reset to default
25

Yes, intval() is safe. There is absolutely no way to perform an SQL injection when the parameter is converted to integer, because (obviously) the format of an integer does not allow putting SQL keywords (or quotes, or whatever) in it.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Okay, that's what I thought. Thank you.
You could also use (int)$id because casting is much faster than using the intval($id) function. Check: hakre.wordpress.com/2010/05/13/php-casting-vs-intval
Are you sure? Cause intval is a lot permissive on what it takes as an input parameter. This code produces correct integer results but I would never want such values inside my queries : $var = "123TYPE_JUGGLING"; var_dump( is_numeric($var)); var_dump( (int)$var); var_dump(intval($var));
intval always return int, why would you not?
4

The easiest way to prevent SQL injection is to always use prepared statments. Use the mysqli libraries or better yet an ORM such as doctrine etc.

Your queries then become something like:

$stmt = $db->prep_stmt("select * from .... where userid = ? and username = ?");

/* Binding 2 parameters. */
$stmt->bind_param("is", $userid, $username);

$userid = 15;
$username = "don";

/* Executing the statement */
$stmt->execute( ) or die ("Could not execute statement");
Improve this answer

2 Comments

+1 for prepared statements. However, I'd still validate the user-input data prior to executing an insert in order to avoid a SQL exception. Unless, of course, the ORM or framework was doing that for me.
Unfortunately, prepared statements are not available for this particular project.
2

I always do

$var = (int)$_POST['var'];

to make sure $var is handled as an integer in all circumstances, and never look at $_POST['var'] again. Looking at the manual, intval() does exactly the same.

Whichever way you go, in subsequence $var will be an actual integer, which is quite safe to handle.

Improve this answer

Comments

2

Prepared statment is best way to deal sql injection. or use PDO otherwise, intval is better than is_numeric

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.