#1 Regular Coder (Oxford, UK)

    Securing a web application

    Yet another thread about security/sql injection I'm afraid.

    I'm just wanting to get some other views on whether the code I have used to protect from SQL injection is secure enough.

    Basically an eventID is passed in the query string to get the row from the db...

    Code:
    if (isset($_GET["eventid"])) {
        // Escape the raw query-string value for use inside a MySQL string literal.
        // mysql_real_escape_string() needs an open MySQL connection; without one it
        // returns false and raises a warning.
        $evt = mysql_real_escape_string($_GET["eventid"]);
        if (!is_numeric($evt)) {
            // Anything that is not a numeric string is rejected before it reaches the query.
            $isevt = false;
            $error = "Oops, you seem to have specified an invalid event ID!";
        } else {
            $isevt = true;
        }
    } else {
        $isevt = false;
        $error = "No Event Specified";
    }
    then it goes on to...

    Code:
    if ($isevt) {
        // Access the database and get the row for $evt
    } else {
        echo $error;
    }

#2 abduraooft (Supreme Master coder!)
    $evt = mysql_real_escape_string($_GET["eventid"]);
    You don't need to apply mysql_real_escape_string() on any integer/numeric data. Functions like ctype_digit() or is_numeric() are enough for that. (SQL injection is possible only via string inputs and not via numeric inputs.)
    Last edited by abduraooft; 10-13-2009 at 12:51 PM.

#3 Regular Coder (Oxford, UK)
    OK so, is it perfectly secure with is_numeric()?
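
The question in #3 deserves a concrete answer rather than a yes/no, so here is an added example that is not code from the thread or from either poster. is_numeric() accepts any PHP numeric string: optional leading whitespace, a sign, decimals ("2.0") and exponents ("1e3"), and on the PHP 5 releases current when this thread was written it also accepted hex strings such as "0x1A" (PHP 7 dropped that). None of those forms contain quotes, operators or semicolons, so a value that passes is_numeric() and lands in an unquoted integer position cannot change the query's structure; the weakness is that the check lets through values that are not event IDs at all, and that it is a format check standing in for what a bound parameter does properly. The example compares is_numeric(), ctype_digit() and a strict FILTER_VALIDATE_INT gate on a set of constructed inputs, then rebuilds the request handler from #1 around the strict gate and a prepared statement. It assumes PDO with the pdo_sqlite extension so it runs offline; the events table, its rows, and the helper names validate_event_id(), compare_validators(), fetch_event() and handle_request() are all mine.

```php
<?php
// Added example, not code from the thread. Compares the three checks the thread
// mentions on inputs a client might send, then fetches the row with a bound
// parameter so the value never becomes part of the SQL text. Runs offline
// against an in-memory SQLite database via PDO (requires the pdo_sqlite
// extension); the events table and its rows are constructed here.

declare(strict_types=1);

// Strict gate: an event ID is a positive integer and nothing else.
// filter_var() rejects exponents ("1e3"), decimals ("2.0"), hex ("0x1A") and
// leading zeros ("02"); min_range drops zero and negatives. Returns null on rejection.
function validate_event_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Runs each input through is_numeric(), ctype_digit() and the strict gate so
// the differences are visible side by side.
function compare_validators(array $inputs): array
{
    $rows = [];
    foreach ($inputs as $in) {
        $rows[] = [
            'input'        => $in,
            'is_numeric'   => is_numeric($in),
            'ctype_digit'  => ctype_digit($in),
            'validate_int' => validate_event_id($in) !== null,
        ];
    }
    return $rows;
}

// Looks up one event with a prepared statement. $id is bound as an integer
// parameter, so the value is sent to the driver typed, never spliced into SQL.
function fetch_event(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM events WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The thread's request handler, rebuilt around the strict gate and the
// prepared statement. $get stands in for $_GET so it can be called directly.
function handle_request(PDO $db, array $get): string
{
    if (!isset($get['eventid'])) {
        return 'No Event Specified';
    }
    $id = validate_event_id((string) $get['eventid']);
    if ($id === null) {
        return 'Oops, you seem to have specified an invalid event ID!';
    }
    $row = fetch_event($db, $id);
    return $row === null ? 'No such event' : "Event {$row['id']}: {$row['title']}";
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO events (id, title) VALUES (1, 'Launch'), (2, 'Retro')");

// Constructed inputs: a well-formed ID, formats is_numeric() tolerates, and
// two classic injection payloads.
$inputs = ['2', '02', ' 2', '1e3', '2.0', '0x1A', '-1', '2 OR 1=1', '2; DROP TABLE events'];
foreach (compare_validators($inputs) as $r) {
    printf("%-24s is_numeric=%-5s ctype_digit=%-5s strict=%s\n",
        var_export($r['input'], true),
        var_export($r['is_numeric'], true),
        var_export($r['ctype_digit'], true),
        var_export($r['validate_int'], true));
}

foreach (['2', '1e3', '2 OR 1=1', '9'] as $raw) {
    printf("%-12s -> %s\n", var_export($raw, true), handle_request($db, ['eventid' => $raw]));
}
```

Two design points: ctype_digit() is the tightest of the three string checks (it refuses whitespace, signs, decimals and exponents) but still accepts "02" and gives you a string rather than an int; FILTER_VALIDATE_INT returns the integer itself, which is what the query actually needs. Once the value is an int and bound with PDO::PARAM_INT, mysql_real_escape_string() has no job left to do, which is the practical form of the point made in #2.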

