Is (int) and is_int () safe for protection against SQL injection?

Question

Is (int) and is_int () safe for protection against SQL injection?

So, I was wondering if this is enough to be sure that the user will not make any SQL injections, and the number will be always and only integer? The $ id function in the getArticle function is bound to the SQL query.

<?php $id = (isset($_GET['id']) && is_int((int)$_GET['id'])) ? (int)$_GET['id'] : false ?> <?php $news = $class->getArticle($id) ?>

As far as I tested, it worked fine, but since I'm not quite sure, I rather ask you, man! Well, people say prepared statements will do the trick. Would they really be? For example, can I be absolutely sure that if the binding parameter is an integer, will it be an integer larger?

Thanks in advance!

+6

php sql-injection mysqli

Rihards Jun 30 '10 at 14:47

source share

4 answers

Use prepared statements. There is no reason to NOT use them. Then you do not need to ask: "Is it good enough?"

+5

Andy lester Jun 30 '10 at 15:10

source share

I can not imagine how this can be used for SQL-Injection. Therefore, I would say that it is quite safe.

0

jigfox Jun 30 '10 at 14:51

source share

just use:

 $id=(int)@$_GET['id'];

if $ _GET ['id'] is not set, $ id will be 0.
if you want to check if the identifier is set correctly:

 if ($id=(int)@$_GET['id']){ // } else { //invalid id }

0

codez Jun 30 '10 at 15:06

source share

Sarfraz · Accepted Answer · 2010-06-30T14:51:47+0000

You can simply type them with the appropriate type:

 $number = intval($_GET['id']); $string = mysql_real_escape_string(strval($_GET['str']));

To make sure you get what you expect.

The best solution is to use prepared statements to avoid sql injection.

Is (int) and is_int () safe for protection against SQL injection?

More articles: