Is is_numeric safe for a SELECT?


I am developing an application with PDO, and I normally use bindValue() to execute the SELECTs, but I am developing an application that receives a variable containing numbers and commas, which will later be exploded.

What I wanted to know is: is that approach safe against attacks? If not, how would these attacks be carried out?

$categories = '10,12,22,123,120'; # these are the IDs of the desired categories
$category = explode(',', $categories);
for ($i = 0; $i < count($category); $i++) {
    if (is_numeric($category[$i])) {
        $this->condition .= "categoryName = '{$category[$i]}'";
        if ($i < count($category) - 1) {
            $this->condition .= ' AND ';
        }
    }
}

    What doesn’t make sense is to use a single column to store multiple values. is_numeric allows giant numbers, larger than the maximum uint64, which can be a problem. It also allows floats.

  • In fact, it is an auxiliary table used to make a many-to-many SELECT; is_numeric serves to authenticate the values.

1 answer



As it is only numbers, I believe it is not possible to attack with SQL injection, but to remove any doubt you can do this process using bindValue(). Just use named parameters:

$categories = '10,12,22,123,120';
$category = explode(',', $categories);
for ($i = 0; $i < count($category); $i++) {
    if (is_numeric($category[$i])) {
        // one named placeholder per value instead of interpolating the value itself
        $this->condition .= "categoryName = :category{$i}";
        if ($i < count($category) - 1) {
            $this->condition .= ' AND ';
        }
    }
}
// $sua_conexao_pdo is your PDO connection, $variavel_com_select holds the SELECT
$query = $sua_conexao_pdo->prepare($variavel_com_select." ".$this->condition);
for ($i = 0; $i < count($category); $i++) {
    if (is_numeric($category[$i])) {
        $query->bindValue(":category{$i}", $category[$i], PDO::PARAM_INT);
    }
}
$query->execute();
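An added example (not code from the question or the answer) that tightens the validation the comment above criticises: each id must be a plain base-10 integer within PHP's integer range, and the ids are bound one placeholder each into an `IN (...)` list. It assumes a PDO connection in `$pdo` and a table named `categories` holding the page's `categoryName` column.

```php
<?php
// Added example, not the question's or the answer's code. Assumes $pdo is an
// open PDO connection and that a table `categories` has the column categoryName.

/**
 * Keep only values that are plain base-10 integers >= 1.
 * is_numeric() would also accept " 22", "1.5", "1e3", "+7" and arbitrarily
 * long digit strings; ctype_digit() rejects everything but [0-9]+ and
 * FILTER_VALIDATE_INT then rejects values outside PHP_INT_MAX.
 */
function strictIntIds(string $csv): array
{
    $ids = [];
    foreach (explode(',', $csv) as $raw) {
        if (!ctype_digit($raw)) {
            continue; // sign, whitespace, '.', 'e' or empty string: drop it
        }
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[] = $id;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Build "categoryName IN (?, ?, ...)" with one positional placeholder per id and
 * bind each id as an integer. A single row cannot equal two different ids at
 * once, so the question's "= a AND = b" chain never matches; IN (...) expresses
 * "any of these ids", which is what a many-to-many lookup needs.
 */
function selectByCategories(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return []; // "IN ()" is a SQL syntax error, so do not run the query at all
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT * FROM categories WHERE categoryName IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the question's list plus values is_numeric() would let through.
$input = '10,12, 22,1e3,1.5,+7,-3,abc,123,120,0,99999999999999999999';
var_dump(strictIntIds($input));
```

Only `10`, `12`, `123` and `120` survive the filter; the leading-space, exponent, decimal, signed, zero and oversized entries are dropped before any SQL is built.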
