-3

I have a very short question, but no one has asked it yet. Is it possible to do SQL injection in such a piece of code?:

$number = intval($_GET["number"]);   // cast the request parameter to an integer
mysqli_query($link, "SELECT Username FROM Users WHERE USER_ID = $number");   // interpolate the integer into the query

Thank you.

user2621907
  • possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Nikolay Kostov Mar 06 '15 at 07:43
  • you should start using mysqli or PDO instead; as of PHP 5.3 the mysql extension is deprecated. – Lexib0y Mar 06 '15 at 07:47
  • Mysql is just for example, I'm already using mysqli! – user2621907 Mar 06 '15 at 07:55
  • Sorry :) You have to take into account that a lot of people do not know, and it seems hard to root out the usage as it is. That is why a lot of users point this out on every occasion, to help prevent new php users reading outdated code when they first start out. – Lexib0y Mar 06 '15 at 08:01
  • I edited my post to match your criteria :) – user2621907 Mar 08 '15 at 09:52

2 Answers

3

Thanks to using intval(), no, so you are fine.

But: mysql_query() is deprecated (http://php.net/manual/en/function.mysql-query.php). Consider using MySQLi or PDO_MySQL.

vim
  • Yes, I know that. Already using mysqli, just for example... Thank you. I was thinking about older PHP, where $_GET["name"] was the same thing as $name. So, when the intval failed, it could be not assigned and therefore that would be possible. – user2621907 Mar 06 '15 at 07:48
0

No, because intval will always just be a number. The same goes for (int).

Lexib0y
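Both answers say the same thing: once the value has been through intval() (or an (int) cast) the only thing that can reach the query text is an integer literal, so the WHERE clause cannot be rewritten. The following is an added example of my own, not code from the question or either answer, that runs the three variants side by side against the same attacker input. It uses PDO with an in-memory SQLite database so it runs offline; the question uses mysqli against MySQL, but how the query text is built is identical. The table layout, sample rows and the attacker input are constructed for this demo.

```php
<?php
// Added example, not code from the original question or answers.
// PDO + in-memory SQLite stand in for mysqli + MySQL so this runs offline.
// Table, rows and attacker input below are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (USER_ID INTEGER PRIMARY KEY, Username TEXT)');
$db->exec("INSERT INTO Users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// What an attacker would send as ?number=... (constructed input).
$input = '1 OR 1=1';

// 1) Vulnerable: the raw string is pasted into the SQL, so the attacker
//    rewrites the WHERE clause and every username in the table comes back.
$sql  = "SELECT Username FROM Users WHERE USER_ID = $input";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("raw      : %-48s -> %d rows\n", $sql, count($rows));

// 2) The pattern from the question: intval() keeps only the leading integer
//    ("1 OR 1=1" becomes 1), so the SQL text only ever receives a bare
//    integer literal and the clause cannot be altered. At most one row.
$number = intval($input);
$sql  = "SELECT Username FROM Users WHERE USER_ID = $number";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("intval   : %-48s -> %d rows\n", $sql, count($rows));

// 3) Prepared statement: the value travels as data and is never spliced into
//    the SQL, so it is compared as the literal text '1 OR 1=1' (which matches
//    nothing in SQLite). This is the only variant that also protects string
//    parameters, where intval() is not an option.
$stmt = $db->prepare('SELECT Username FROM Users WHERE USER_ID = ?');
$stmt->bindValue(1, $input);          // bound untouched, on purpose
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("prepared : bound %-42s -> %d rows\n", var_export($input, true), count($rows));

// Caveat on intval(): it never fails, it discards. Garbage becomes 0 and the
// query silently looks up USER_ID = 0 instead of rejecting the request. If you
// want malformed input rejected rather than coerced, validate before casting;
// FILTER_VALIDATE_INT returns false for anything that is not a clean integer.
foreach (['7', '7abc', 'abc', '1 OR 1=1', '0x1A', '-3', ''] as $raw) {
    $strict = filter_var($raw, FILTER_VALIDATE_INT);
    printf("%-12s intval=%-3d FILTER_VALIDATE_INT=%s\n",
        var_export($raw, true), intval($raw),
        $strict === false ? 'rejected' : $strict);
}
```

Run it with `php` on the command line. The raw variant returns all three rows, the intval() variant returns the single row for USER_ID 1, and the prepared variant returns none, because SQLite compares the bound text against the integer column as a value rather than parsing it (MySQL's lenient string-to-number conversion would instead match USER_ID 1, but in neither case does the SQL change). The last loop is the practical caveat: intval() is sufficient against injection for an integer column, but it is coercion, not validation.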