Is this enough to prevent query injection?

I use PDO to talk to my database, and I wonder whether this

$dbh->query("SELECT * FROM recipes WHERE id=".(int)$id);

is enough to prevent SQL injection. In this case, $id is always an integer.

I also wonder what a good way to prevent injection in this expression would be if the variable were a string.

+1
6 answers

Yes. Casting to int prevents all the unpleasant features of SQL injection.

If the variable was a string, you should use prepared statements to pass it.

$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql);
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
+4

PDO:

// prepare() returns a PDOStatement; the parameter is bound on the statement, not on $dbh.
// bindParam() needs a variable reference, so a cast expression must go through bindValue().
$sth = $dbh->prepare("SELECT * FROM recipes WHERE id = ?");
$sth->bindValue(1, (int) $id, PDO::PARAM_INT);
$sth->execute();
// more code.....
+3

$dbh->query("SELECT * FROM `recipes` WHERE `id` = '".(int)$id."'");
0

$id , . ( ) ; PDO::quote.

0

Automatic SQL Injection Tool.

0

Note that in PHP, (int) NULL evaluates to 0.

So if a record with identifier 0 is meaningful in your application, the cast may inadvertently select that value.

0
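An added example, not posted by anyone in this thread, that runs the three query styles discussed above against a constructed in-memory SQLite table and also shows the (int) NULL caveat from the last answer; the table, rows and the filter_var check are assumptions of this example, not from the question.

```php
<?php
// Added example: constructed in-memory table standing in for the asker's "recipes".
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE recipes (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->exec("INSERT INTO recipes (id, name) VALUES (0, 'placeholder'), (1, 'soup'), (2, 'bread')");

function names(PDOStatement $sth): string {
    return implode(', ', $sth->fetchAll(PDO::FETCH_COLUMN, 1)) ?: '(none)';
}

// Untrusted input as it might arrive from a query string: a classic tautology.
$id = '1 OR 1=1';

// 1. Plain concatenation: the input is parsed as SQL grammar, so every row matches.
$sth = $dbh->query('SELECT * FROM recipes WHERE id=' . $id);
echo "concatenated : ", names($sth), "\n";          // placeholder, soup, bread

// 2. (int) cast, as in the question: only the leading digits survive, so the
//    WHERE clause can only ever read "id=<integer>". Safe for integer ids.
$sth = $dbh->query('SELECT * FROM recipes WHERE id=' . (int)$id);
echo "(int) cast   : ", names($sth), "\n";          // soup

// 3. Prepared statement, as the top answer recommends: the value is bound as data
//    and never parsed as SQL, which is the right tool when the value is a string.
$sth = $dbh->prepare('SELECT * FROM recipes WHERE id = :id');
$sth->execute([':id' => $id]);
echo "prepared     : ", names($sth), "\n";          // (none)

// 4. The caveat from the last answer: a missing parameter cast to int becomes 0
//    and silently matches record 0 instead of matching nothing.
$missing = null;                                    // e.g. $_GET['id'] not set
$sth = $dbh->query('SELECT * FROM recipes WHERE id=' . (int)$missing);
echo "(int) null   : ", names($sth), "\n";          // placeholder

// Validating before casting (assumed remedy, not from the thread) rejects both the
// tautology and the missing value instead of coercing them to a number.
foreach (['1 OR 1=1', null, '2'] as $candidate) {
    $valid = filter_var($candidate, FILTER_VALIDATE_INT);
    echo "validate ", var_export($candidate, true), " : ",
         $valid === false ? 'rejected' : "id $valid", "\n";
}
```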
