In php, can SQL injection possibly go through the is_numeric function?

Question

In php, can SQL injection possibly go through the is_numeric function?

Can I safely assume (if I'm just GETting id number) that is_numeric is good enough to stop SQL injection attacks? or are there sql injection methods that can go through is_numeric?

+5

php mysql

Marshall house Jan 2 '12 at 21:08

source share

3 answers

, . , , , is_numeric('0xaf5') == true, , .

+4

KingCrunch 02 . '12 21:10

intval floatval.

+3

craig1231 02 . '12 21:09

rdlowrey · Accepted Answer · 2012-01-02T21:10:22+0000

You will be best off doing:

$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;

This way you can avoid function overhead is_numeric. Any of these methods is sufficient to avoid injections, though (if you are doing something for the data, if it is_numericreturns FALSE). The ternary operator also ensures that you do not get E_NOTICE if the $ _GET variable in question does not exist.

In php, can SQL injection possibly go through the is_numeric function?

More articles: