So I was wondering is this enough to be safe that user won't do any SQL injections and the number will be only and always integer? The $id in getArticle function is binded to SQL query.
<?php $id = (isset($_GET['id']) && is_int((int)$_GET['id'])) ? (int)$_GET['id'] : false ?>
<?php $news = $class->getArticle($id) ?>
As far I tested it worked fine, but as I'm not totally sure I rather ask you guyz! Ok, people say prepared statements would do the trick. They really would? Like, can I be totally sure that if bind param as integer it will be integer nothing else?
Thanks in advance!
Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database. This can be accomplished in a variety of programming languages including Java, . NET, PHP, and more.
How to prevent SQL injection attacks. Avoid placing user-provided input directly into SQL statements. Prefer prepared statements and parameterized queries, which are much safer. Stored procedures are also usually safer than dynamic SQL.
PHP's htmlspecialchars function is for escaping characters that have special meaning to a browser, such as angle brackets, to make them appear as normal characters instead of being interpreted as HTML markup. It has nothing to do with SQL or preventing SQL injection.
Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.
You can simply type cast them to proper type:
$number = intval($_GET['id']);
$string = mysql_real_escape_string(strval($_GET['str']));
To make sure that you get what you are expecting.
The better solution is to use Prepared statements to avoid sql injection.
Use prepared statements. There is no reason NOT to use them. Then you don't have to ask "Is this good enough?"
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With