HDFilmMaker2112 Posted June 5, 2011 Share Posted June 5, 2011 I'm trying to make it so somebody can't do an SQL injection on my script, by using is_int and setting the $_GET['id'] to an integer with (int). Now even when the URL contains product=4 it pulls from the database as product=1. If I use is_numeric all that has to be done is include a number in the SQL injection and then is_numeric will return true. As per the PHP manual: '42' is numeric '1337' is numeric '1e4' is numeric 'not numeric' is NOT numeric 'Array' is NOT numeric '9.1' is numeric elseif(isset($_GET['product'])){ $product_id=is_int((int)$_GET['product']); $sql500="SELECT * FROM $tbl_name3 WHERE product_id='$product_id' AND review_show='y' ORDER BY review_date"; $result500=mysql_query($sql500); $num_rows500=mysql_num_rows($result500); if($num_rows500==0){ $average_rating=0; } else{ while($row500=mysql_fetch_array($result500)){ extract($row500); if($review_show=="y"){ $total = $total + $review_product_rating; $review.=' <div class="review_container"> <div class="review_title">'.$review_title.'</div> <div><img src="'.$review_product_rating.'.png" alt="'.$review_product_rating.' Stars" /></div> <div><span class="bold">By '.$review_name.' from '.$review_location.' on '.$review_date.'</span></div> <div><span class="bold">Describe Yourself:</span> '.$review_describe.'</div> <div><span class="bold">Best Use:</span> '.$review_best_use.'</div> <div><span class="bold">Pros:</span> '.$review_pros.'</div> <div><span class="bold">Cons:</span> '.$review_cons.'</div> <div><span class="bold">Comments</span></div><div>'.$review_text.'</div> </div> <hr /> '; $review_product_rating_total=$total; $a=$review_product_rating_total/$num_rows500; $i=round($a, 1); $b=$i; $i=explode(".", $i); $decimal=$i[1]; if($decimal < 5){ $j=floor($b); $i= $decimal > 3 ? $j + .5 : $j; $average_rating=$i; } else{ $j=ceil($b); $i= $decimal < 8 ? $j - .5 : $j; $average_rating=$i; } } } } $sql50="SELECT * FROM $tbl_name WHERE product_id='$product_id'"; $result50=mysql_query($sql50); while($row50=mysql_fetch_array($result50)){ Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted June 5, 2011 Share Posted June 5, 2011 In one motion you're both casting the value as an integer, and checking if it's an integer. The "1" that is being returned is a boolean TRUE because the that's what is_int() returns. Quote Link to comment Share on other sites More sharing options...
HDFilmMaker2112 Posted June 5, 2011 Author Share Posted June 5, 2011 Would (int) suffice, without the is_int(), to prevent injection? Any text at that point shouldn't work right? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted June 5, 2011 Share Posted June 5, 2011 If you're expecting a value that consists of all decimal digits and no spaces, validate it with ctype_digit, and cast it as an integer. Some people say casting it isn't necessary after validating it, but it certainly doesn't hurt anything either. elseif( isset($_GET['product']) && ctype_digit($_GET['product']) ) { $product_id = (int) $_GET['product']; Quote Link to comment Share on other sites More sharing options...
HDFilmMaker2112 Posted June 5, 2011 Author Share Posted June 5, 2011 Works perfectly, thanks. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.