4

I have a query like this:

SELECT name FROM mytable WHERE id = $id

where $id is given from user. I do add slashed for input variable. Is it enough to only use (int)$id to prevent SQL injection? Or do I have to check $id with is_numeric before passing it to the query?

Edited: the script language is PHP.

Improve this question
2
  • I'd suggest adding 0 to the passed value, to ensure it is numeric. Maybe $value = $id + 0 and then pass $value to the query. Anything to ensure that the user's raw data is not treated like a string when you want it to be a number. Commented Jan 29, 2012 at 6:22
  • 1
    Adding slashes won't help for this variable, by the way Commented Jan 29, 2012 at 13:48

4 Answers 4

Reset to default
6

Yes, casting a variable with (int) or intval() will ensure that it the result is only a number, and has no other characters. This is a good method to defend against SQL injection attacks, but it only works for numeric variables of course.

For more detail on methods of SQL injection defense, see my presentation SQL Injection Myths and Fallacies, or the chapter in my book SQL Antipatterns Volume 1: Avoiding the Pitfalls of Database Programming.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

3

I'd give up on the idea of figuring out how to safely append a number to your query string, and instead simply move on to the idea of always using prepared statements. They are slighly more verbose and tedious to write, but they are much safer -- and if you get into the habit, you won't have to worry about whether you did it right in this or that case, maybe sometimes it's a number, other times it's a string, did you use the right escaping mechanism?

Improve this answer

1 Comment

Exactly, 100% correct. Prepared statements are the only comprehensive answer to this.
2

Ask the $id is it an integer and is it equal to or greater than 0. Or else a user input injection attempt will most likely be at play.

Example:

$id = ( false !== ( int )$_GET[ 'id' ] >= 0 ) ? ( int )$_GET[ 'id' ] : die( header( "Location: ./index.php" ) );

Improve this answer

Comments

-3 
function mysql_prep( $value ) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0
    if( $new_enough_php ) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if( $magic_quotes_active ) { $value = stripslashes( $value ); }
        $value = mysql_real_escape_string( $value );
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if( !$magic_quotes_active ) { $value = addslashes( $value ); }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}   

$username = trim(mysql_prep($_POST['username']));

Use that function to be damn safe!!! :D

Improve this answer

11 Comments

Any guesses how much help this is when the parameter is supposed to be numeric, which is what the user was asking about? You don't need to escape a parameter when it's used as a numeric value...
Numeric?? Sql injection can't be done by inputting a number! It can be done by inputting a Vulnerable STRING instead of a number.That is what the function handles.The user specifically asked for SQL injection that is why this function helps.
The parameter being submitted is being used as a number. You solution does not protect such a parameter when it is concatenated to a query and the submitted value was not only a number, but also a sql command. No quotes are needed to insert such a command here because the parameter is being used as though it is numeric.
true true.. ! But my code helps in preventing SQL Injections as a whole. Worrying about a number in SQL Injection is trivial i guess.Yes i agree..No quotes required for number input.
Your code does not protect against SQL Injection in the case the OP posts about. It escapes certain characters that are not needed to perform SQL Injection at all in this case. In this case, the OP needs to assure that the data submitted is numeric to prevent injection. Escapes/Quotes are irrelevant in this case.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.