Is casting user input to an integer sufficient to sanitize it?

Quote from this SO answer:

All sent messages are initially processed as a string, so forcing known numeric data as an integer or float makes sanitation quick and painless.

This is a sanitization method that I myself came up with for a quick and dirty query (finding a name in a table from a numeric identifier); the only variable that comes from the request is the identifier, and I know that the identifier must be greater than zero and less than 255, so my sanitization looks like this (with a small amount of validation):

$id = (int)$_REQUEST['id'];
if ($id < 1 || $id > 255) errmsg("Invalid ID specified!");
$name = $DB->query("SELECT name FROM items WHERE id=${id}")->fetch_all()[0][0];

Is this enough to prevent SQL injection attacks or any other malicious attacks based on the user-specified value $id, or can it still be exploited?

NOTE: The identifier/name is not "sensitive", so if some input inadvertently leads to "1" or another valid identifier value, I don't care. I just want to avoid Little Bobby Tables style tricks.

+4
8 answers

TL;DR: yes. By casting with (int) you can't get anything but an integer.

The trick can take place where it can lead to unwanted behavior. Take your code

$id = (int)$_REQUEST['id'];

Now if we call it as

page.php?id=lolsqlinjection

$id 0 ( 0). . , 0 - . , , , ( MySQLi, PDO)

$prep = $DB->prepare("SELECT name FROM items WHERE id=?");
$prep->bind_param('i', $_REQUEST['id']);
$prep->execute();

, , , . , SQL- MySQL "lolsqlinjection". . , , 0 .

+5
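An added example, not code from the thread, that shows what the (int) cast in the question actually does to typical query-string values, and why a result of 0 is ambiguous (the point the answers above make about "lolsqlinjection"). The sample inputs are constructed; it assumes PHP 7.1 or later:

```php
<?php
// Added example (not from the original thread): how PHP's (int) cast treats
// typical query-string values, and why a 0 result is ambiguous.
// Assumes PHP 7.1 or later.

declare(strict_types=1);

/**
 * Mimic the question's sanitization: cast, then range-check 1..255.
 * Returns the integer, or null when the cast result is out of range.
 */
function castAndCheck(string $raw): ?int
{
    $id = (int) $raw;
    return ($id >= 1 && $id <= 255) ? $id : null;
}

/**
 * Distinguish a genuine "0" from a value that only became 0 because the cast
 * discarded non-numeric text (the extra check one of the answers proposes).
 */
function classify(string $raw): string
{
    $id = (int) $raw;
    if ($id === 0 && $raw !== '0') {
        return 'non-numeric input collapsed to 0';
    }
    if ((string) $id !== $raw) {
        return 'cast did not round-trip: part of the input was dropped';
    }
    return 'clean integer';
}

// Constructed sample inputs, as they might arrive in $_REQUEST['id'].
$samples = ['42', '0', '256', '-7', 'lolsqlinjection', '7;DROP TABLE items', '12abc', '0x1A', ' 9', '1e2'];

foreach ($samples as $raw) {
    printf("%-22s -> (int) %-5d range-ok: %-4s %s\n",
        var_export($raw, true),
        (int) $raw,
        castAndCheck($raw) === null ? 'no' : 'yes',
        classify($raw));
}
```

Running it shows the two behaviours a defender cares about: anything without a leading numeric prefix (including hex-looking text such as '0x1A') becomes 0 and is caught by the range check, while a string that starts with digits keeps only that prefix, so '7;DROP TABLE items' reaches the query as the plain integer 7. Nothing but an integer ever reaches the SQL string, which is why the cast is safe against injection; the remaining question is only whether a silently truncated value is acceptable for the application.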

, int, , somephrase , int 0, .

( - ), , , , , , . , int .

, :

<?php


$id = (int) $_GET['id'];

if($id === 0 || !in_array($id,range(1,255)))
{
   if($id === 0 && (string) $_GET['id'] !== '0') {
      // sql injection attempt ! ( or not ? )
   } else {
      // maybe an error  
   }
} else {
  $result = $DB->query(...);
  echo $result;
}
+1

, , : ", " . PHP , filter_input():

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
     "options" => [
        "min_range" => 1,
        "max_range" => 255
    ]    
]);

if ( isset), , , , ​​ .

SQL-, .

+1

, , SQL-.

, .

+1

, , , , .

PDO:

$stmt = $DB->prepare("SELECT name FROM items WHERE id=?");
$stmt->execute([$_REQUEST['id']]);
$name = $stmt->fetchColumn();

, ? . .

, int SQL. , . , , , . , (int) SQL.

.

.

.

.

+1

, PHP . http://php.net/manual/en/filter.filters.php.

:

$options = [
    'options' => [
        'default'   => null,
        'min_range' => 1,
        'max_range' => 255,
    ]
];

if (isset($_REQUEST['id'])) {
    $id = filter_var($_REQUEST['id'], FILTER_VALIDATE_INT, $options);
    if ($id) {
        // TODO:
    }
}

SQL , .

0
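The filter_var() validation from this answer combined with the prepared statement the earlier answers recommend, as an added example that is not code from the thread. It uses an in-memory SQLite database through PDO (an assumption: the pdo_sqlite extension must be available) so it runs offline; the table rows and the sample requests are constructed for the demonstration:

```php
<?php
// Added example (not from the original thread): validate the id with
// filter_var() and run the lookup as a prepared statement, so the database
// never sees raw request text. Uses an in-memory SQLite database via PDO
// (assumes the pdo_sqlite extension is available); the table and rows are
// constructed here for the demonstration.

declare(strict_types=1);

const ID_MIN = 1;
const ID_MAX = 255;

/** Return the validated id, or null if the value is missing, non-scalar, non-numeric or out of range. */
function validateId(array $request): ?int
{
    // A query string like id[]=1 yields an array, which filter_var() would not accept.
    if (!isset($request['id']) || !is_string($request['id'])) {
        return null;
    }
    $id = filter_var($request['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => ID_MIN, 'max_range' => ID_MAX],
    ]);
    // filter_var() returns false on failure; unlike (int), "12abc" and "lolsqlinjection" are rejected.
    return $id === false ? null : $id;
}

/** Look up a name by id with a bound parameter; returns null when no row matches. */
function findName(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM items WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO items (id, name) VALUES (?, ?)');
foreach ([[1, 'alpha'], [42, 'answer'], [255, 'last']] as [$rowId, $rowName]) {
    $insert->execute([$rowId, $rowName]);
}

// Constructed requests standing in for $_REQUEST.
$requests = [
    ['id' => '42'],
    ['id' => '0'],
    ['id' => '300'],
    ['id' => '12abc'],
    ['id' => 'lolsqlinjection'],
    ['id' => '1; DROP TABLE items'],
    [],
];

foreach ($requests as $req) {
    $id = validateId($req);
    $shown = isset($req['id']) ? var_export($req['id'], true) : '(missing)';
    if ($id === null) {
        printf("%-25s rejected before any query\n", $shown);
        continue;
    }
    printf("%-25s id=%d name=%s\n", $shown, $id, findName($db, $id) ?? '(no such row)');
}
```

The difference from the (int) cast in the question is visible in the output: '12abc' and '1; DROP TABLE items' are rejected outright instead of being silently truncated to 12 and 1, and '0' and '300' are rejected by the range options rather than by a separate if. The prepared statement is what makes the query safe regardless of validation; the validation only decides which requests are worth a round trip to the database.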

- .

, .

, , . ,

$name = $DB->run("SELECT name FROM items WHERE id=?", [$_REQUEST['id']])->fetchColumn();

, , , , .

0

Source: https://habr.com/ru/post/1694009/

