ansaurus

Question

Answer 1

A:

I can't think of any way how this can be used for an SQL-Injection. So I would say it's secure enough.

jigfox 2010-06-30 14:51:21

Answer 2

+7 A:

You can simply type cast them to proper type:

$number = intval($_GET['id']);
$string = mysql_real_escape_string(strval($_GET['str']));

To make sure that you get what you are expecting.

The better solution is to use Prepared statements to avoid sql injection.

Sarfraz 2010-06-30 14:51:47

Ref: http://php.net/manual/en/function.mysql-real-escape-string.php

T.J. Crowder 2010-06-30 14:53:01

Agree, why not just use *Prepared statements* and forget about parameter checking.

Ivan Nevostruev 2010-06-30 14:53:25

Yes, as I said I later bind the params to sql query, but does it really will do what it has to do? I mean: bind_param('i', $id); will do the trick?

Richards 2010-06-30 14:59:36

I've it like that now, but I was unsure that it would validate the param..

Richards 2010-06-30 15:00:03

Answer 3

+1 A:

just use:

$id=(int)@$_GET['id'];

if $_GET['id'] is not set $id will be 0.
if you want to test if id is correctly set use:

if ($id=(int)@$_GET['id']){
  //
} else {
  //invalid id
}

codez 2010-06-30 15:06:49

Answer 4

+3 A:

Use prepared statements. There is no reason NOT to use them. Then you don't have to ask "Is this good enough?"

Andy Lester 2010-06-30 15:10:46

Is (int) and is_int() secure to protect against SQL injections?