using category name vs category id for the value to pass to $_GET

Question

I'm currently developing a website that will be deployed once it is finished so i'm concerned about the security of my website.

I learned that $_GET can be used by attacker to do UNION and LOAD_FILE attack, as normally people will use .php?catId=1 to fetch data and show it on the page.

However i was wondering if by using the name instead like .php?catName=product_1 will help to protect from the attack as the query to fetch the data will become like this :

$sql = "SELECT * FROM category_table WHERE category_name = '" . $_GET['catName'] . "'";

As now the value is a string, a single quote (') is needed for the query to work where before it is not needed as id is integer.

This single quote is able to block the UNION query but im not sure if this is enough

Use parameters! That is the right way to address SQL injection. — Gordon Linoff, Jul 28 '18 at 01:33
Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Nima, Jul 28 '18 at 01:37
@GordonLinoff by using parameters does it means to us PDO prepared statement ? I tried that and it does prevent it, thank you :) — Julianto, Jul 28 '18 at 02:09

score 1 · Accepted Answer · answered Jul 28 '18 at 02:14

Use Mysqli Prepare:

$category_name = $_GET['catName'];

/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT category_name FROM category_table WHERE category_name=?")) {

/* bind parameters for markers */
$stmt->bind_param("s", $category_name );

/* execute query */
$stmt->execute();

/* bind result variables */
$stmt->bind_result($category_name);

/* fetch value */
$stmt->fetch();

echo($category_name);

/* close statement */
$stmt->close();
}

More information: http://php.net/manual/en/mysqli.prepare.php

Bye ;)

using category name vs category id for the value to pass to $_GET

1 Answers1