Is this enough to be safe from SQL injections:

```php
// String input: HTML-encoded, then placed inside a quoted SQL literal
$value1 = htmlspecialchars($_GET['input1'], ENT_QUOTES, 'UTF-8');
// Non-string input: cast to an integer before it goes into the query
$value2 = intval($_GET['input2']);
// The query text with both values interpolated into it
$sql = "SELECT xy FROM a WHERE a = '$value1' AND b = $value2";
```

E.g.: every string input is in '...' and every non-string input is converted to a number via intval / doubleval.

The query is run over mysqli_.

Martin Mickey

  • `htmlspecialchars` is **not** for SQL injection prevention; it's purely for outputting certain characters to HTML - that's it. So, no. – CD001 Dec 07 '18 at 10:52
  • [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Dec 07 '18 at 10:53
  • More effort for less safety doesn't usually make sense. And once you read up on parameter binding with mysqli, you'll see why everyone uses PDO instead. – mario Dec 07 '18 at 10:54
  • Was going to post, but the bottom line is that `htmlspecialchars` does nothing to sterilize rogue incoming strings. A malicious user could fairly easily inject your script to do bad things. Such sterilization functions _do_ exist (MySQL has them, for instance), but you'd best leave this up to the database to handle. – Tim Biegeleisen Dec 07 '18 at 10:55
  • It's amazing how developers come up with so many complicated and ineffective solutions to SQL injection, apparently to avoid using the method that is both secure and simple: query parameters. – Bill Karwin Dec 07 '18 at 17:49
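The comments all point at the same fix: bind the values as query parameters instead of encoding them into the SQL text. The following is an added example, not code from the question or any commenter, showing the question's query (table `a`, columns `xy`, `a`, `b`, inputs `input1` and `input2`) written as a mysqli prepared statement, plus a small function that makes the "wrong context" point concrete: `htmlspecialchars()` changes the stored data and leaves characters MySQL cares about, such as the backslash, untouched. The connection details are placeholders, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example (not from the question or its comments): the same query done
// with parameter binding, so user input never becomes part of the SQL text.
declare(strict_types=1);

/**
 * Fetch rows matching a string and an integer via a mysqli prepared statement.
 * The caller does no quoting or escaping at all; the server receives the SQL
 * and the values as separate things.
 */
function findRows(mysqli $db, string $input1, int $input2): array
{
    // Only placeholders appear in the statement text.
    $stmt = $db->prepare('SELECT xy FROM a WHERE a = ? AND b = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // 's' = string, 'i' = integer; types are declared, not inferred from the text.
    $stmt->bind_param('si', $input1, $input2);
    $stmt->execute();
    // get_result() requires mysqlnd (assumption); fetch_all returns assoc rows.
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

/**
 * Illustrates why HTML encoding is the wrong tool for SQL: it rewrites the
 * data itself (an apostrophe becomes an entity, so that is what gets stored),
 * while a backslash, which MySQL treats specially inside a quoted literal,
 * passes through unchanged. Sample inputs are constructed for the example.
 */
function wrongContextDemo(): array
{
    return [
        // "O'Brien" is stored as "O&#039;Brien" if this value is written to the DB
        'apostrophe' => htmlspecialchars("O'Brien", ENT_QUOTES, 'UTF-8'),
        // "back\slash" comes back exactly as it went in: nothing SQL-relevant was touched
        'backslash'  => htmlspecialchars('back\\slash', ENT_QUOTES, 'UTF-8'),
    ];
}

// Usage (connection values are placeholders, not from the question):
// $db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
// $db->set_charset('utf8mb4'); // keep the client character set explicit
// $rows = findRows($db, $_GET['input1'] ?? '', (int) ($_GET['input2'] ?? 0));
// var_dump(wrongContextDemo());
```

With the prepared statement, `intval()` is no longer doing any safety work either: the `i` type in `bind_param` already guarantees the second value is sent as an integer, and the `(int)` cast in the usage line exists only to satisfy the function's type declaration.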

0 Answers