Posted by frizzle on 10/06/28 11:49

Chung Leong wrote:
> howachen@gmail.com wrote:
> > Hi,
> >
> > In many web articles, people focusing on SQL injection in the form of :
> >
> >
> > e.g.
> > /**********************************************************/
> > $name = "tom' UNION blah blah blah"
> > $query = "SELECT * FROM users WHERE name = '".$name."';
> > /**********************************************************/
> >
> > However, another form of SQL injection might in the form of...
> >
> > /**********************************************************/
> > $name = "1 UNION blah blah blah"
> > $query = "SELECT * FROM users WHERE id = ".$name;
> > /**********************************************************/
> >
> > for case 1, we can easily solved by escaping the special characters
> > like " ' ", but how to solve for case 2?
> >
> > Thanks.
>
> Yeah, that's something that's often overlooked. What you want to do is
> cast the variable to integer. PHP will convert a string that's not a
> number into zero, an attempt at SQL injection would yield an no-op.
>
> Also keep an eye out for IN constructs:
>
> $sql = "SELECT * FROM users WHERE id IN (" . implode(',',
> $_POST['checkboxes']) .")";
>
> An easy way to prevent injection in this case is to use a intval() on
> every element with the help of array_map().

but what i forgot is to enclose the variable part of the query (WHERE
clause) within those single quotation marks. That should have it treat
is as a string ...

Frizzle.

[Back to original message]