
I have a PHP script that, depending on the value of an id in a GET variable, will retrieve different data from a MySQL database. The value of the id should be a number at all times. Instead of changing my current MySQL query to use PDO, would running isnumeric on the GET variable and exiting the script if it is not a number be sufficient to protect against injection in all or most cases, i.e., would it still be possible for some injection SQL to slip through isnumeric?

Just a humble comment on the duplicate question issue, I looked at the suggested duplicate question and think that as a beginner it might not be clear on its face that my question is an exact duplicate of that one.

Cbomb

2 Answers


Yes, it would protect in this case. No, it would be a really, really bad idea unless you absolutely know what you're doing and document the choice properly in comments.

There are 2 strategies towards any kind of security:

  1. Denial. Choose the lazy approach that works for the situation at hand instead of fundamentally fixing it. Now wait for the day you forgot this was your 'security', and you change the code and it becomes vulnerable all of a sudden, and kiddie porn is uploaded to your site.
  2. Professionalism. Fix the problem thoroughly, validate the inputs and protect your database layer properly, by either escaping or using prepared statements.

Choose professionalism and thank me a year from now.

Niels Keurentjes
  • Thanks for all comments and answers. I'm gonna go ahead and use bound parameters instead. I'm gonna select Niels' answer for now, as he convinced me to not do it the way I was going to. – Cbomb May 06 '13 at 23:55
  • It was the kiddie porn addition that did it right? ;) But as I said, try to do both in most cases. First validate the input with `isnumeric` so you can throw a clean error, then protect your database with prepared statements or escaping as you *always* should do anyway when working with untrusted input. – Niels Keurentjes May 06 '13 at 23:57
  • Well, the thought of having kiddie porn on the site I am trying to build with the audience it is intended to have (lawyers), would be pretty horrific. And the point of having it protected now but broken in the future is a good one. – Cbomb May 07 '13 at 00:29
  • A good answer, but actually it should be the note about future changes that should ring the bell. Maybe it's even a fellow coder that will use your script and doesn't know your original thoughts. – martinstoeckli May 07 '13 at 07:58
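The "do both" approach from the comments above, as an added example that is not code from the question or either answer. It validates the id as an integer first (note that PHP's `is_numeric` also accepts values such as `"1.5"`, `"1e3"` and leading whitespace, so `FILTER_VALIDATE_INT` is the closer match for a primary key) and then binds it as a PDO parameter, so the query stays safe even if a later edit removes the validation. The table name `documents`, its columns, the DSN and the credentials are assumptions.

```php
<?php
// Added example (not from the original question or answers): validate the id
// as an integer AND bind it as a parameter, so neither layer alone is the only
// thing standing between the request and the query.
// Assumed: a table `documents` with columns `id` and `title`, and a local DSN.

function parseId(array $query): ?int
{
    // is_numeric() accepts "1.5", "1e3" and leading whitespace; FILTER_VALIDATE_INT
    // accepts only an optional sign and digits, so use that for a primary key.
    if (!isset($query['id'])) {
        return null;
    }
    $id = filter_var($query['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

function fetchRowById(PDO $pdo, int $id): ?array
{
    // The id never becomes part of the SQL text; it is sent separately as a
    // bound parameter, so the query stays safe even if a future change drops
    // the validation above.
    $stmt = $pdo->prepare('SELECT id, title FROM documents WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Validate first so a bad request gets a clean 400 rather than a database error.
$id = parseId($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid id');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // assumed DSN
    'app_user',                                         // assumed credentials
    'app_password',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares rather than client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$row = fetchRowById($pdo, $id);
if ($row === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/json');
echo json_encode($row);
```

The two functions are deliberately separate: `parseId` is the user-facing check that produces a clean error, and `fetchRowById` takes a typed `int` and binds it, so a caller cannot hand it a raw string even if the validation step is later changed or removed.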

Seems like this question has already been answered. And yes, the isNumeric trick essentially would only allow sanitized inputs, thus shielding your application from SQL injection.

Gaia