I've read plenty that you need to check and sanitize form data before inserting it into a database or using it in an SQL query, and I agree with that. But I couldn't find an answer to this: if I only have a number field in my form:

<input type="number" class="form-control" name="max-persons" required>

Do I need to sanitize this? The user can only enter numbers as far as I know.

$maxPersons = $_POST['max-persons'];
// or
$maxPersons = mysqli_real_escape_string($connect, $_POST['max-persons']);

I'm primarily concerned about SQL injection here.

Edit: I do not believe this is an exact duplicate of the linked question. I'm not asking how to prevent SQL injection. I'm asking SHOULD I take steps to prevent SQL injection in the case of number fields.

Whip
  • Simple rule: use parameters. Period. Is that hard to follow? – Gordon Linoff Nov 21 '17 at 11:50
  • `type="number"` does not secure you in any way. A user can bypass that form entirely. `mysqli_real_escape_string` should make it secure, but parameterizing is the best practice. – chris85 Nov 21 '17 at 11:52
  • They can change the input type to text and then input anything, or use JS to populate the value for your input. Though this would be negligible if the column that you're using in the database only accepts integers. – hungrykoala Nov 21 '17 at 11:52
  • Think of it this way: **never trust user input**. Some would say to never trust _any_ input. – FirstOne Nov 21 '17 at 11:52
  • [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – FirstOne Nov 21 '17 at 11:55
  • Remember that HTML fields can easily be modified in the front end; there's no security to them whatsoever. – Matt Fletcher Nov 21 '17 at 11:56
  • @hungrykoala I don't think that the column type interferes so much with SQL injection... Think of an injection that drops the table; how is that influenced by a given column data type? – FirstOne Nov 21 '17 at 11:59
  • @FirstOne Oh, so if it is an insert/update, the DB won't return an error since the input is not equal to the datatype for the column? – hungrykoala Nov 21 '17 at 12:00
  • @hungrykoala It really depends, since this is all hypothetical. Think of this query: `INSERT INTO foo VALUES ('$a', '$b')`, where both columns are integers. If I set `$a` as `1','2'); drop table foo; --`, the query will become `INSERT INTO foo VALUES ('1','2'); drop table foo; --`, not really a problem type-wise. Of course, I'm not going into one query at a time and that stuff. – FirstOne Nov 21 '17 at 12:04

1 Answer

0

Having a type=number field doesn't change whether or not you need to sanitize your form before inserting it; you definitely need to.

Imagine if somebody just inspected the element and changed it to text. To the server, it's a text box and it will still accept it as POST data. If you don't handle it properly server-side, it could lead to SQL injection. As Gordon said in the comments: use parameters.

type=number is just a client-side look. It's not a limitation if somebody wants to try and break into your database.
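The server-side handling the answer describes, as an added example that is not the asker's or the answerer's code: the posted value is re-validated as an integer (because the browser's `type="number"` hint is not enforced by the server), and the insert uses a prepared statement so the value never becomes part of the SQL text. The table name `bookings`, the column `max_persons`, the allowed range 1 to 50 and the connection details are assumed placeholders.

```php
<?php
// Added example, not from the original post. Assumed placeholders: table
// `bookings`, column `max_persons`, allowed range 1..50, connection details.
declare(strict_types=1);

/**
 * Validate the submitted value server-side. type="number" in the HTML is only
 * a browser hint; the request can carry any string, so it is re-checked here.
 * Returns the integer on success, or null if the value is missing, not a whole
 * number, or outside the allowed range.
 */
function readMaxPersons(array $post, int $min = 1, int $max = 50): ?int
{
    if (!isset($post['max-persons']) || !is_string($post['max-persons'])) {
        return null;
    }
    $value = filter_var(
        $post['max-persons'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]
    );
    return $value === false ? null : $value;
}

/**
 * Insert using a prepared statement with a bound integer parameter. The value
 * is sent separately from the query text, so the database treats it as data
 * and never as SQL. Returns the new row's auto-increment id.
 */
function insertBooking(mysqli $db, int $maxPersons): int
{
    // Vulnerable pattern this replaces (string interpolation into the query):
    //   $db->query("INSERT INTO bookings (max_persons) VALUES ($maxPersons)");
    $stmt = $db->prepare('INSERT INTO bookings (max_persons) VALUES (?)');
    $stmt->bind_param('i', $maxPersons);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Constructed sample submissions showing what the validator accepts and rejects.
$samples = [
    'plain integer' => ['max-persons' => '4'],
    'out of range'  => ['max-persons' => '999'],
    'not a number'  => ['max-persons' => 'four'],
    'float'         => ['max-persons' => '4.5'],
    'missing field' => [],
];
foreach ($samples as $label => $post) {
    $result = readMaxPersons($post);
    printf("%-14s => %s\n", $label, $result === null ? 'rejected' : "accepted ($result)");
}

// Usage against a real connection (assumed placeholder credentials):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $db = new mysqli('localhost', 'user', 'pass', 'app');
// $value = readMaxPersons($_POST);
// if ($value === null) {
//     http_response_code(400);
//     exit('max-persons must be a whole number between 1 and 50');
// }
// $id = insertBooking($db, $value);
```

Two points worth noting: the validation step gives a clean 400 response for anything that is not a whole number in range, which is what the `number` input was only pretending to guarantee, and the prepared statement is what actually removes the injection risk; the validation is defence in depth, not a substitute for parameters.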