ansaurus

Question

Answer 1

+4 A:

Yes. Casting to int prevents all the nasty SQL injection possibilities.

If the variable were a string, you should use prepared statements to pass it.

$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql);
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();

Scytale 2010-08-12 17:38:39

Answer 2

A:

You must escape table and field names in query:

$dbh->query("SELECT * FROM `recipes` WHERE `id=`'".(int)$id."'");

Alexander.Plutov 2010-08-12 17:39:11

two mistakes in attempt to improve... :-O

Col. Shrapnel 2010-08-12 17:41:24

It's not a *must* unless it's a keyword, but yes, it is good practice to do it anyway.

casablanca 2010-08-12 17:42:24

Answer 3

+2 A:

Since you are already using PDO, a better approach will be to use:

Prepared Statements

This is much better:

$dbh->prepare("SELECT * FROM recipes WHERE id = ?");
$dbh->bindParam(1, (int) $id);
// more code.....

Sarfraz 2010-08-12 17:39:35

So if I use them, I do not need to worry about sanitizing anything?

Michael 2010-08-12 17:42:02

@Michael: Sanitalizing is still always a good idea but prepared statements are far more better in order to prevent sql injection.

Sarfraz 2010-08-12 17:43:50

@Sarfraz, I heard that PDO takes care of it by default. Isn't that so?

Michael 2010-08-12 17:45:46

@Michael: unless you use prepared statements out of the PDO.

Sarfraz 2010-08-12 17:46:58

Answer 4

A:

Since you specifically cast $id to an integer, it is safe. For a string (or any other data type) you need to escape it before executing the query; have a look at PDO::quote.

casablanca 2010-08-12 17:40:49

Answer 5

A:

Yes, bind to a integer is enough to prevent SQL Injection if the parameter is expected as a integer.

You can also use an Automatic SQL Injection Tool to detect it.

Yale 2010-08-19 00:47:35

ansaurus

tags:

views:

answers:

Is this query injection proof?

related questions