Assuming my code was in a format where someone enters data in a box but that content gets checked but not filtered like what mysql_real_escape_string() would do. Like this code for example: (I don't know how to get it into code format on the forums, sorry! Also I'm not sure if this should belong in MySQL or PHP forums so sorry about that also)

 

 

if (!isset($_POST['submit'])) {
?>
<body>
<form method="post" action="<? echo "$PHP_SELF"; ?>">
Number box <input type="text" size="5" maxlength="5" name="number"><br />
<input type="submit" value="submit" name="submit">
<table>
</form>

<?
}

if (isset($_POST["submit"])) {
    $number = $_POST["number"];

    $number = is_numeric($number);

    if ( $number != 1 )
    {
        echo "Error, not a number";
        die();
    }

    $updatenumber= mysql_query("UPDATE table SET number='$number' WHERE id='$id'") ;
}

 

 

 

Would it be able to get a MySQL injection through that? (Also assume that I do have a connection to the database.) Also, if I did miss any syntax or anything, just ignore that; the whole point is just to know if it could get injected.

 

I would do something like this to prevent it:

 

<form method="post" action="<?php echo "$PHP_SELF"; ?>">
Number box <input type="text" size="5" maxlength="5" name="number"><br />
<input type="submit" value="submit" name="submit">
</form>

<?php

if (isset($_POST["submit"]))
{
    $number = mysql_real_escape_string($_POST['number']);

    if (is_numeric($number) && $number != 1) // Not sure why you won't allow the number to be 1 but I guess you have your reasons
    {
        $updatenumber= mysql_query("UPDATE table SET number='$number' WHERE id='$id'") ;
    }
    else
    {
        echo "Invalid number!";
    }
}

?>

 

Use [ code ] and [ /code ] to post code but without the spaces.

Whoops, I did make a mistake when I used number.

It should be:

$number = $_POST["number"];


$numbercheck = is_numeric($number);

if ( $numbercheck != 1 )
{
echo "Error, not a number";
die();
}

$updatenumber= mysql_query("UPDATE table SET number='$number' WHERE id='$id'") ;


 

But under that way, would that be a good enough filter to prevent it, or is it a MUST to have mysql real escape()?

The $numbercheck goes to 1 only if numbers exist, and only numbers, nothing else, so would that prevent bad content as well, or does it still not do the same as escape string?

You're using too many temporary variables, when this

<?php
if ( !is_numeric($_POST['number']) )
    die("Error, not a number");
$q = "UPDATE table SET number='" . mysql_real_escape_string($_POST['number'] . "' WHERE id='$id'";
$updatenumber= mysql_query($q) or die("Problem with the query: $q<br>" . mysql_error()) ;
?>

 

is all you really need.

 

Ken

 

 

 

<?php
if ( !is_numeric($_POST['number']) )
    die("Error, not a number");
$q = "UPDATE table SET number='" . mysql_real_escape_string($_POST['number']) . "' WHERE id='$id'";
$updatenumber= mysql_query($q) or die("Problem with the query: $q<br>" . mysql_error()) ;
?>

 

Just fixed a simple mistake. ;)
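
Added example, not part of any post in this thread: is_numeric() accepts more than plain digits (signed, decimal and exponent forms all pass), so the sketch below compares it with a strict digit check and sends both the value and the id as bound parameters instead of building the query string. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL connection, and the table name `items` and the function names are hypothetical.

```php
<?php
// Added example (not from the thread). Assumptions: PDO with an in-memory
// SQLite database stands in for the MySQL connection; the table name
// `items` and the function names are hypothetical.

// Accept only a 1-5 digit unsigned integer, matching the form's maxlength="5".
function parse_number($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,5}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// The value and the id travel as bound parameters, never as query text.
function update_number(PDO $db, int $id, int $number): int
{
    $stmt = $db->prepare('UPDATE items SET number = :number WHERE id = :id');
    $stmt->bindValue(':number', $number, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, number INTEGER)');
$db->exec('INSERT INTO items (id, number) VALUES (1, 0)');

// Constructed sample inputs standing in for $_POST['number'].
$samples = ['42', '1e3', '-1.5', '+7', '.5', "12'x", ''];
foreach ($samples as $raw) {
    $loose  = is_numeric($raw) ? 'yes' : 'no';
    $strict = parse_number($raw);
    printf("%-10s is_numeric=%-3s strict=%s\n",
        var_export($raw, true), $loose, $strict === null ? 'rejected' : $strict);
    if ($strict !== null) {
        update_number($db, 1, $strict);
    }
}

echo 'stored: ', $db->query('SELECT number FROM items WHERE id = 1')->fetchColumn(), "\n";
```

The mysql_* functions used in the posts above were removed in PHP 7.0; against MySQL the same prepare/bind pattern works through PDO's mysql driver or mysqli.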
