How to protect form mysql injection through address bar

Question

This is not working,

<?php 
if(!isset($_GET['id'])){
    header('location: index.php');
}
$id = $_GET['id'];
if(!is_int($id)){
    header('location: index.php');
    }


 ?>

It's always redirecting me although the url is http://localhost/JMToday/classes/images.php?id=53

Just wanted to point out it doesn't matter where your data comes from - an address bar, a form, a AJAX call, whatever. All data sent to your server can be hijacked and abused, so you must check ALL incoming data. — James, Jan 08 '11 at 09:37
SAM! You have completely edited this question so half the answers don't make sense any more. Really bad form! Make a new question! — James, Jan 08 '11 at 12:03
@James who put you on charge? Editing questions is perfectly legitimate here — Your Common Sense, Jan 08 '11 at 12:29

score 1 · Accepted Answer · answered Jan 08 '11 at 11:34

Another point would be to use PDO with Prepared Statements. You get a certain level of DB abstraction with PDO and Prepared Statements drop the necessety of using mysql_real_escape_string or similar.

Another solution is an ORM, that might be a big overkill and they would most likely use PDO under the hood but if the requirements match it, why not...

score 0 · Answer 2 · answered Jan 08 '11 at 09:03

0

check that $id is an integer

if (!is_int($_GET['id']){
echo 'bad id';
}

answered Jan 08 '11 at 09:03

or cast it to an int $id = (int) $_GET['id'], you'll have 0 if it was not an int. – regilero Jan 08 '11 at 09:11
what if the url was something like photos.php?url=directory/images.php – Sam Gabriel Jan 08 '11 at 11:12
Why not to try it before post? – Your Common Sense Jan 08 '11 at 11:47
@sam then i would use a different check, there will be some know boundaries if not type check that could be used. – Jan 10 '11 at 04:46

score 0 · Answer 3 · edited May 23 '17 at 12:18

0

A nonsense question and a bunch of nonsense answers again.

Your question has nothing to do with injections. It's parameter validation.
If you think that parameter is invalid, not a redirect but 404 status should be returned.
Outside variables are always of string type. So, you have to either do some regexp or is_numeric.
Still it has nothing to do with injections. Your database code should be able do deal with any types of data. There are very simple mechanisms to handle it. You can refer to this answer for the details

edited May 23 '17 at 12:18

Community

1
1

answered Jan 08 '11 at 11:56

Your Common Sense

156,878
40
214
345

1

Because Sam completely edited his question. The answers did make sense on the 1st question he was asking. – James Jan 08 '11 at 12:04
No, Seth's answer was wrong. But Sam's 1st question was basically user passes in a GET parameter, how can I make sure it's a int. Classic SQL Injection question. – James Jan 08 '11 at 12:12
@James yup. and no one to answer that "classic" question. Because noone understands what is it and how to protect. – Your Common Sense Jan 08 '11 at 12:14

score 0 · Answer 4 · edited Jan 08 '11 at 12:27

0

You can use two things either use sprinf for setting queries Like This

$professionalQry = sprintf("SELECT * FROM `professional` WHERE `user_id`=%d",$userId);

OR

Use mysql_real_escape_string

Like this

$professionalQry = sprintf("SELECT * FROM `professional` WHERE `user_id`='%s'",
                           mysql_real_escape_string($userId));

edited Jan 08 '11 at 12:27

Your Common Sense

156,878
40
214
345

answered Jan 08 '11 at 12:18

Harish

2,311
4
23
28

How to protect form mysql injection through address bar

4 Answers4