Query example - safe or not for sql injection?

Question

I have a short question - is code below vulnerable for sql injection in any version of PHP?

$A = $_GET['A'];
$B = 10;
$q = "SELECT 1 FROM user WHERE name = 'admin' LIMIT ".($A*$B).",$B";
$res = mysql_query($q);
...

I saw that kind of code on my client website and got me to think... but couldn't find any attack vector :)

It is safe, only `$A` is from the user, and it is multiplied by `$B` in the request... — Nathan Xabedi, Apr 10 '20 at 18:48
Not in this 1 example. Since you are using `mysql_*` it would be surprising if you didn't have an injection somewhere. — user3783243, Apr 10 '20 at 18:50
You shouldn't use mysql, it's recommended to use mysqli or PDO. — Ebrahim, Apr 10 '20 at 20:33

Kaleb W · Accepted Answer · 2020-04-10T18:53:39.650

-2

This is SQL safe, as the variable $A is being multiplied by an integer $B. However, all GET variables store string values, so it would be smart to typecast $A to an integer, like so:

$A = intval($_GET['A']);

OR

$A = (int) $_GET['A'];

You should also switch to the method mysqli_query(), as mysql_query() is deprecated.

edited Apr 10 '20 at 18:53

answered Apr 10 '20 at 18:51

Kaleb W

122
7

1

... or `$A = (int) $_GET['A'];` – user1597430 Apr 10 '20 at 18:51
1

This isn't his own code, he said he saw it in a client's site. – Barmar Apr 10 '20 at 18:52
@Barmar Well, same goes for his client :D – Kaleb W Apr 10 '20 at 18:55
1

Guys, I know how it should be done, just wondering if that particular example is secure :) Thanks for help! – Elen Apr 10 '20 at 19:10

Query example - safe or not for sql injection?

1 Answers1