Int casting and Sql injection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

nemsis
Forum Newbie
Posts: 1
Joined: Tue Dec 01, 2009 6:12 am

Post by nemsis »

Hello guys,

I didn't use to code websites, but I'm working on a serious project right now and I was wondering about some security issues in my system:

I have a web page with GET parameters (bla.php?name=val) which are only integer values. I use these values to interact with SQL.

Now, I would like to know which one is better:

 $id = (int)$_GET['id'];
 $query = "SELECT * From bla WHERE id=$id";
 
or

 $id = mysql_real_escape_string((int)$_GET['id']);
 $query = "SELECT * From bla WHERE id=$id";
 
I really prefer using the first code because it's faster to code and to execute but I don't want my code to be vulnerable.

What do you think ?
mrvijayakumar
Forum Commoner
Posts: 58
Joined: Tue Aug 18, 2009 12:39 am
Location: Chennai city, India
Contact:

Re: Int casting and Sql injection

Post by mrvijayakumar »

Hi,

Try this URI, you may reach result. It's very simple.

http://www.vijayakumar.org/mysql-inject ... n-php.html

Note: Please please don't forget to comment there for further improvements. Suggestions & ideas are warmly welcome. Thanks.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Int casting and Sql injection

Post by jackpf »

Well, casting to an int will remove all non-numeric characters, so it doesn't really need to be escaped. Although, I sometimes do it for peace of mind :p
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Int casting and Sql injection

Post by Apollo »

nemsis wrote:I really prefer using the first code because it's faster to code and to execute
Faster to execute: hardly. As in, I think posting this actually cost you more time than all your servers together will spend on mysql_real_escape_string execution during the rest of your life :)

Anyway, I would escape at all times. Just in case the int-restriction may be removed in the future, or if you (or someone else) ever copy this piece of code to another situation that is not strictly int, or whatever.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Int casting and Sql injection

Post by Mordred »

@mrvijayakumar: This is a very naive piece of code. I would not recommend anyone to use it. It doesn't truly solve the SQLi problem, while it introduces several more.

+1 to Apollo's advice. The only exception when you strictly need int casting is in the LIMIT clause of the SQL query.
For details, read this article, esp. chapters 4 and 5:
http://www.webappsec.org/projects/artic ... 7.shtml#p4
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas
Contact:

Re: Int casting and Sql injection

Post by AbraCadaver »

mrvijayakumar wrote:Hi,

Try this URI, you may reach result. It's very simple.

http://www.vijayakumar.org/mysql-inject ... n-php.html

Note: Please please don't forget to comment there for further improvements. Suggestions & ideas are warmly welcome. Thanks.
My comment is, for the love of $DEITY do not recommend this to anyone. If a beginner gets a hold of this they will be vulnerable and will waste valuable time troubleshooting their script. 8O
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Re: Int casting and Sql injection

Post by John Cartwright »

My rule is absolutely everything gets escaped (when writing raw SQL). However, most of the time PDO takes care of this for me :D

Defense in depth, always.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Int casting and Sql injection

Post by kaisellgren »

Too lazy to type that mysql_real_escape_string()? Me, too. It's time to learn OOP.

In my projects, escaping is always handled deep in the core and passing variables to the query is done through parameters. I have even made a scanner that checks no one has made code that enters variables elsewhere than the allowed parameters.

PDO is a useful library that is bundled within PHP. It allows you to do prepared statements easily.
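The three approaches the thread discusses side by side, as an added example that is not code from any of the posters: the plain (int) cast, a PDO prepared statement with a typed parameter, and the LIMIT case Mordred singles out. It assumes an existing PDO connection $pdo to a MySQL database with a table `bla` that has an integer `id` column; the DSN shown is a placeholder.

```php
<?php
// Added example, not from the original thread. Assumed connection; replace
// the placeholder DSN and credentials with your own.
$pdo = new PDO('mysql:host=localhost;dbname=example_db', 'user', 'password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// 1. The cast: (int) keeps only a leading integer (non-numeric input becomes
//    0), so the interpolated value is always a bare integer literal and can
//    never change the shape of the query. Escaping it afterwards is redundant.
function queryByCast(PDO $pdo, $rawId): array {
    $id = (int) $rawId;
    return $pdo->query("SELECT * FROM bla WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Prepared statement: the value never becomes part of the SQL text, so
//    neither casting nor escaping is needed for safety. Binding with
//    PDO::PARAM_INT also documents the expected type.
function queryByParam(PDO $pdo, $rawId): array {
    $stmt = $pdo->prepare('SELECT * FROM bla WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. LIMIT: MySQL rejects a quoted value here (LIMIT '10' is a syntax error),
//    and escaping produces a quoted string. With PDO's emulated prepares the
//    value must therefore be an actual PHP int bound as PDO::PARAM_INT, which
//    is exactly where the cast is required rather than optional.
function queryPage(PDO $pdo, $rawOffset, $rawCount): array {
    $offset = max(0, (int) $rawOffset);
    $count  = min(100, max(1, (int) $rawCount)); // clamp to a sane page size
    $stmt = $pdo->prepare('SELECT * FROM bla ORDER BY id LIMIT :off, :cnt');
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':cnt', $count, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with the request's GET parameters.
$row  = queryByParam($pdo, $_GET['id'] ?? 0);
$page = queryPage($pdo, $_GET['offset'] ?? 0, $_GET['count'] ?? 20);
```

Setting PDO::ATTR_EMULATE_PREPARES to false sends real server-side prepares, but the typed bindValue() calls keep the LIMIT case correct either way.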