Allow number-only queries in mysql

Viewed 315 times

I would like to know whether it is possible to block the querying of words, characters and other things that could cause an SQL injection on a site. I am developing a history system for a site; the script follows:

If possible, I would also like to know how to add an else to the while, because it is returning an error.

<?php

$id = $_COOKIE["id"];          // comma-separated list of ids previously visited
$novoId = "$cont[id]";         // id of the current item ($cont comes from elsewhere in the page)

/* Append the current id to the cookie if it is not already listed */
if (!preg_match("/\b{$novoId}\b/", $id)) {
    setcookie("id", $id .= "{$novoId},");
}
$historico = rtrim($id, ',');

/* The cookie value is placed directly into the SQL text here */
$beta = mysql_query("SELECT aid FROM `lista` WHERE aid IN($historico)");
$devolver = '';
while (list($aid) = mysql_fetch_array($beta)) {
    $devolver .= ' ' . $aid . '  ';
}

1 answer

Yes, it is possible. Just check whether it is an integer or a numeric value, and if it is not, display an error message.

Using preg_match:

<?php

/* Checks that the variable contains only digits */
if (preg_match("/^\d+$/", $id)) {
    /* Run the query */
}

Using is_numeric:

<?php

/* Checks that the variable holds a numeric value, whether the variable is of type "int" or "string" */
if (is_numeric($id)) {
    /* Run the query */
}

Using is_int or is_integer:

<?php

/* Checks that the variable is of type "integer" */
if (is_int($id)) {
    /* Run the query */
}

You can also cast to an integer.

<?php

$id = "4165";

var_dump( (int)"4165" );       // 4165
var_dump( (int)4165.7 );       // 4165
var_dump( (int)false );        // 0
var_dump( (int)true );         // 1
var_dump( (int)"valdeir" );    // 0

echo PHP_EOL;
echo "----------";
echo PHP_EOL;

var_dump( intval("4165") );     // 4165
var_dump( intval(4165.7) );     // 4165
var_dump( intval(false) );      // 0
var_dump( intval(true) );       // 1
var_dump( intval("valdeir") );  // 0

If you are using multiple IDs, you can use the array_map function. Ex:

<?php

$ids = ["4165", 4165.7, false, true, "valdeir"];

$newIds = array_map(function($value) {
    return (int)$value;
}, $ids);


var_dump($newIds);

You can also filter to keep only the numeric values.

<?php

$ids = "4165,4165.7,false,true,valdeir,12";
$ids = explode(",", $ids);

$newIds = array_filter($ids, function($value) {
    /* Keeps only the numeric values */
    return is_numeric($value);
});

var_dump( implode(",", $newIds) );

// Output: 4165,4165.7,12
  • Will each ID separated by a comma still work?

  • @Gabriel Yes, using the array_map function works. I added a new function to filter only numeric values. Just use explode to turn it into an array and then implode to join only the new values.

  • Using $ids = explode(",", $ids); and implode(",", $newIds) will remove the last comma, "if any", because the id is captured with "," after it, so sometimes it ends up as something like ids="1,2,3,4,"

  • @Gabriel if there is a comma at the end of the string, the explode will return an empty value and the array_filter will delete that value. Thus "1,2,3,4," will become "1,2,3,4"

  • Demonstration: https://ideone.com/ELeIc
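The following is an added example that is not part of the question or the answer above. It combines the two points made in the answer, validating each ID as a plain run of digits (ctype_digit is stricter than is_numeric, which accepts "4165.7" or "1e3"), and then passes the validated list to the query through prepared-statement placeholders instead of concatenating it into the SQL text. The table `lista` and column `aid` are taken from the question; the PDO connection details, the function names parseIdList and fetchHistory, and the sample cookie value are assumptions made for the example.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes a PDO connection to the database; table `lista` / column `aid` are from the question.

/**
 * Turn a comma-separated string such as "4165,12," into a list of distinct
 * non-negative integers. Anything that is not a plain run of digits
 * ("4165.7", "valdeir", "12abc", "-3", "") is discarded, so a trailing
 * comma is harmless and no foreign characters can reach the query.
 */
function parseIdList(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // ctype_digit(): digits only, no sign, no decimal point, no exponent, no newline
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int) $part;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Fetch the matching `aid` values. The IN (...) list is built from one "?"
 * placeholder per ID, so the values are bound by the driver and never become
 * part of the SQL text. An empty array is returned when nothing matched,
 * which is where the "else for the while" from the question belongs.
 */
function fetchHistory(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT aid FROM `lista` WHERE aid IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample cookie value: trailing comma plus the kinds of junk
// entries discussed in the comments above. Only 4165 and 12 survive.
$cookieValue = $_COOKIE['id'] ?? "4165,4165.7,valdeir,12abc,-3,12,";
$ids = parseIdList($cookieValue);   // [4165, 12]

// Assumed connection parameters (placeholders for the example).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

$rows = fetchHistory($pdo, $ids);
if ($rows === []) {
    echo "No history found.";
} else {
    echo implode(' ', $rows);
}
```

The cookie is still rewritten the way the question does it, but the list that reaches MySQL is rebuilt from validated integers each time, so whatever a user stores in the cookie can only ever change which numeric IDs are looked up, not the shape of the query.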
