-1

I have this code:

"SELECT * FROM colomn_name WHERE id = '$id'"

Can I know if it is a SECURE way to get the id from the database? P.S.: I use filter_var, which confirmed that the id is numeric.

Itamar Kerbel
  • You could always escape the `$id` variable. You can accomplish that using the `addslashes()` function. Use this for good practice, as you will most definitely have to handle strings in the future. http://php.net/manual/en/function.addslashes.php – Chris Nov 17 '18 at 23:06
  • *Do not* rely on `addslashes()` to prevent SQL injection. Use prepared statements with bound parameters, always, for every query. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Nov 18 '18 at 01:36
  • Please also show the code where you use filter_var and the code you use to access the database? Are you using mysqli or PDO? – Lexib0y Nov 18 '18 at 02:25

2 Answers

1

If you are worried about SQL injection, then yes, it is OK. But you need to be absolutely sure that id has only digits in it. Have a look here for many other tips.

Itamar Kerbel
0

A more secure way of doing this would be using prepared statements. The reason for this is that while input validation depends on the function used to make sure the input is correct, prepared statements ensure that the statement and the values cannot be mixed, which is what leads to SQL injection. In the past there have been multiple problems with input validation libraries, so it's not a completely secure solution. You can take a look here for more information.

Near
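As an added example (not code from the question or from either answer), here is the integer validation the question describes combined with the prepared statement the second answer recommends. It uses PDO against an in-memory SQLite database so it runs offline; the `items` table, its rows and the sample inputs are constructed for illustration and are not from the original post.

```php
<?php
// Added example: validate the id, then query with a bound parameter.
// Assumes an in-memory SQLite database through PDO; the table "items"
// and its rows are constructed sample data, not the asker's schema.

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO items (id, name) VALUES (1, 'first'), (2, 'second')");
    return $pdo;
}

// Step 1: validate the raw request value. FILTER_VALIDATE_INT returns false
// for anything that is not a well-formed integer ('', 'abc', '2 extra', ...),
// and min_range rejects zero and negative ids that this table never uses.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2: even with a validated integer, keep the value out of the SQL text.
// The statement is compiled with a placeholder and the id is bound as data,
// so query structure and value can never be mixed.
function fetchById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs: two valid ids and three values that the
// validation step rejects before any SQL is built.
$pdo = openDb();
foreach (['2', '42', 'abc', '-1', ''] as $raw) {
    $id = validateId($raw);
    if ($id === null) {
        printf("%-5s -> rejected by filter_var, no query sent\n", var_export($raw, true));
        continue;
    }
    $row = fetchById($pdo, $id);
    printf("%-5s -> %s\n", var_export($raw, true),
        $row === null ? 'no such row' : "row {$row['id']} = {$row['name']}");
}
```

The two steps are independent defences: `validateId()` turns a bad request into a clean error before the database is touched, and `fetchById()` is safe regardless of what reaches it because the id is bound as a `PDO::PARAM_INT` parameter rather than interpolated into the string. The same pattern applies unchanged to MySQL by swapping the DSN; with mysqli the equivalent is `prepare()` followed by `bind_param('i', $id)`.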