Is (int) and is_int() secure to protect against SQL injections?
So I was wondering is this enough to be safe that user won't do any SQL inj开发者_C百科ections and the number will be only and always integer? The $id in getArticle function is binded to SQL query.
<?php $id = (isset($_GET['id']) && is_int((int)$_GET['id'])) ? (int)$_GET['id'] : false ?>
<?php $news = $class->getArticle($id) ?>
As far I tested it worked fine, but as I'm not totally sure I rather ask you guyz! Ok, people say prepared statements would do the trick. They really would? Like, can I be totally sure that if bind param as integer it will be integer nothing else?
Thanks in advance!
You can simply type cast them to proper type:
$number = intval($_GET['id']);
$string = mysql_real_escape_string(strval($_GET['str']));
To make sure that you get what you are expecting.
The better solution is to use Prepared statements to avoid sql injection.
Use prepared statements. There is no reason NOT to use them. Then you don't have to ask "Is this good enough?"
I can't think of any way how this can be used for an SQL-Injection. So I would say it's secure enough.
just use:
$id=(int)@$_GET['id'];
if $_GET['id'] is not set $id will be 0.
if you want to test if id is correctly set use:
if ($id=(int)@$_GET['id']){
//
} else {
//invalid id
}
精彩评论