Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is (int) and is_int() secure to protect against SQL injections?

Tags:

php

sql-injection

mysqli

So I was wondering is this enough to be safe that user won't do any SQL injections and the number will be only and always integer? The $id in getArticle function is binded to SQL query.

<?php $id = (isset($_GET['id']) && is_int((int)$_GET['id'])) ? (int)$_GET['id'] : false ?>
<?php $news = $class->getArticle($id) ?>

As far I tested it worked fine, but as I'm not totally sure I rather ask you guyz! Ok, people say prepared statements would do the trick. They really would? Like, can I be totally sure that if bind param as integer it will be integer nothing else?

Thanks in advance!

like image 920
Rihards Avatar asked Jun 30 '10 14:06

Rihards

People also ask

What are the methods used to protect against SQL injection attack?

Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database. This can be accomplished in a variety of programming languages including Java, . NET, PHP, and more.

What are the solution for injection attacks?

How to prevent SQL injection attacks. Avoid placing user-provided input directly into SQL statements. Prefer prepared statements and parameterized queries, which are much safer. Stored procedures are also usually safer than dynamic SQL.

Does Htmlspecialchars prevent SQL injection?

PHP's htmlspecialchars function is for escaping characters that have special meaning to a browser, such as angle brackets, to make them appear as normal characters instead of being interpreted as HTML markup. It has nothing to do with SQL or preventing SQL injection.

How do prepared statements prevent SQL injection?

Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.

2 Answers

You can simply type cast them to proper type:

$number = intval($_GET['id']);
$string = mysql_real_escape_string(strval($_GET['str']));

To make sure that you get what you are expecting.

The better solution is to use Prepared statements to avoid sql injection.

like image 65
Sarfraz Avatar answered Sep 22 '22 10:09

Sarfraz

Use prepared statements. There is no reason NOT to use them. Then you don't have to ask "Is this good enough?"

like image 40
Andy Lester Avatar answered Sep 19 '22 10:09

Andy Lester
Sign in to Comment

Related questions

PHP - with require_once/include/require, the path is relative to what?
php not returning value of false
In PHP, what is the difference between hash and mhash?
How to remove values from an array whilst renumbering numeric keys
Trying to make a CodeIgniter controller called "List"
Should I really be using PDO and prepared statements?
Called child´s constant not available in static function in parent
Should you always end mysql queries with "or die?"
Expanding PHP Markdown to Accept CSS Classnames
How to generate short filenames for uploaded photos?
Is it possible to make a Category page the homepage in magento?
Zend Framework - When to use viewscripts/partials vs view helpers
unhandled errors in php
Regular Expression to match unlimited number of options
Can PHP's PDO be limited to a single query?
Zend Framework - counting rows in select clause?
SimpleXML SOAP response Namespace issues
Kohana 3 ORM - grouping where conditions with parentheses
Can I assign an array just by making it equal to another array?
PHP string manipulation: Append html class to a string

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!