Is this code open to SQL Injection?

Question

Can someone tell me if this code is open to SQL Injection and why:

$x = $_REQUEST['id'];
$x = mysql_real_escape_string($x);
$del = "DELETE FROM Y WHERE id = ".$x;
mysql_query($del);

Basic rule: if you're **concatenating together** your SQL statement - you're **always** in danger of SQL injection. And **YES** this code of yours is in danger of SQL injection — marc_s, Jun 08 '13 at 08:54
@RickHoving You are either trolling or being really unobservant. — vinczemarton, Jun 08 '13 at 09:41
to solve the confusion about `mysql_real_escape_string` http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string so yes, it is still unsafe — scones, Jun 08 '13 at 09:43
possible duplicate of [How to prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php) — Álvaro González, Jun 10 '13 at 15:36

score 2 · Answer 1 · answered Jun 08 '13 at 09:38

2

It is; consider x being id, which leads to a query of

DELETE FROM Y WHERE id = id

deleting all the rows from the table.

answered Jun 08 '13 at 09:38

Koterpillar

score 0 · Answer 2 · answered Jun 08 '13 at 08:53

0

It is because you dont quote the x.

You can also use something simple like:

sprintf("DELETE FROM Y WHERE id = %u", $x);

answered Jun 08 '13 at 08:53

Zaffy

score -6 · Answer 3 · answered Jun 08 '13 at 08:51

-6

It shouldn't be as you use mysql_real_escape_string() to escape it

answered Jun 08 '13 at 08:51

Vladimir Georgiev

http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string – scones Jun 08 '13 at 09:44
2

This answer is so bad I want to downvote it more than once. – vinczemarton Jun 08 '13 at 09:47

3 Answers3