MYSQL interval query SQL injection

Question

I have this simple MYSQL query:

SELECT * FROM table WHERE date > now() - INTERVAL $hours HOUR

$hours is a PHP GET variable. Do I have to do any check on this variable before using it in the query to avoid SQL injection or is it secure enough? I use PDO statements

If you substitute directly into the SQL string, then you are at risk for injection. — Gordon Linoff, Sep 28 '14 at 18:07
@GordonLinoff yes.i substitute directly. Can I use bind with this variable? Like `INTERVAL :hours` — Michael Samuel, Sep 28 '14 at 18:08
@MichaelSamuel . . . No. You can bind the number but you will need to use a `case` statement for the interval type. Or, just check in your code before hand that the interval type is valid. — Gordon Linoff, Sep 28 '14 at 18:10
oh sorry...forgot to include the hour in the query. The type is fixed :) — Michael Samuel, Sep 28 '14 at 18:38

score 1 · Accepted Answer · answered Sep 28 '14 at 18:33

Something like this would be good:

$sth = $Db->dbh->prepare("SELECT * FROM 'table' WHERE date > now() - INTERVAL :hours"); $sth->execute(array(':hours'=>$hours,':secondThing'=>$variable));

That's a way to esacpe your strings. This can be different from your code but the array in the execute and query will be the same (if you use PDO.)

score 0 · Answer 2 · edited May 23 '17 at 11:49

0

Use prepared statements

See How can I prevent SQL-injection in PHP?

Maybe you are getting variables directly from $_POST or $_GET

$unsafe_variable = $_POST['user_input'];

edited May 23 '17 at 11:49

Community

1
1

answered Sep 28 '14 at 18:21

Ivan Cachicatari

4,212
2
21
41

i already said in the question that i use prepared statements (PDO) :) – Michael Samuel Sep 28 '14 at 18:39

MYSQL interval query SQL injection

2 Answers2