Int casting and Sql injection

Posted: Tue Dec 01, 2009 6:20 am
by nemsis
Hello guys,

I didn't use to code websites, but I'm working on a serious project right now and I was wondering about some security issues on my system:

I have a web page with GET parameters (bla.php?name=val) which are only integer values. I use these values to interact with SQL.

Now, I would like to know which one is better:

Code:

    // cast the GET parameter to int and interpolate it into the query directly
    $id = (int)$_GET['id'];
    $query = "SELECT * FROM bla WHERE id=$id";
or

Code:

    // cast to int first, then additionally run the value through the escaper
    $id = mysql_real_escape_string((int)$_GET['id']);
    $query = "SELECT * FROM bla WHERE id=$id";
I really prefer using the first code because it's faster to code and to execute, but I don't want my code to be vulnerable.

What do you think?

Re: Int casting and Sql injection

Posted: Tue Dec 01, 2009 6:24 am
by mrvijayakumar
Hi,

Try this URI; you may reach the result. It's very simple.

http://www.vijayakumar.org/mysql-inject ... n-php.html

Note: Please please don't forget to comment there for further improvements. Suggestions & ideas are warmly welcome. Thanks.

Re: Int casting and Sql injection

Posted: Tue Dec 01, 2009 6:47 am
by jackpf
Well, casting to an int will remove all non-numeric characters, so it doesn't really need to be escaped. Although I sometimes do it for peace of mind :p

Re: Int casting and Sql injection

Posted: Tue Dec 01, 2009 7:21 am
by Apollo
nemsis wrote: I really prefer using the first code because it's faster to code and to execute
Faster to execute: hardly. As in, I think posting this actually cost you more time than all your servers together will spend on mysql_real_escape_string execution during the rest of your life :)

Anyway, I would escape at all times. Just in case the int restriction is removed in the future, or you (or someone else) ever copy this piece of code to another situation that is not strictly int, or whatever.

Re: Int casting and Sql injection

Posted: Wed Dec 02, 2009 7:04 am
by Mordred
@mrvijayakumar: This is a very naive piece of code. I would not recommend anyone use it. It doesn't truly solve the SQLi problem, while it introduces several more.

+1 to Apollo's advice. The only exception, where you strictly need int casting, is the LIMIT clause of the SQL query.
For details, read this article, esp. chapters 4 and 5:
http://www.webappsec.org/projects/artic ... 7.shtml#p4

Re: Int casting and Sql injection

Posted: Wed Dec 02, 2009 12:43 pm
by AbraCadaver
mrvijayakumar wrote: Hi,

Try this URI; you may reach the result. It's very simple.

http://www.vijayakumar.org/mysql-inject ... n-php.html

Note: Please please don't forget to comment there for further improvements. Suggestions & ideas are warmly welcome. Thanks.
My comment is, for the love of $DEITY, do not recommend this to anyone. If a beginner gets hold of this they will be vulnerable and will waste valuable time troubleshooting their script. 8O

Re: Int casting and Sql injection

Posted: Wed Dec 02, 2009 1:45 pm
by John Cartwright
My rule is that absolutely everything gets escaped (when writing raw SQL). However, most of the time PDO takes care of this for me :D

Defense in depth, always.

Re: Int casting and Sql injection

Posted: Sat Dec 05, 2009 1:02 pm
by kaisellgren
Too lazy to type that mysql_real_escape_string()? Me, too. It's time to learn OOP.

In my projects, escaping is always handled deep in the core, and passing variables to the query is done through parameters. I have even made a scanner that checks that no one has written code that enters variables anywhere other than the allowed parameters.

PDO is a useful library that is bundled with PHP. It allows you to do prepared statements easily.
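The following is an added example, not code from any post in this thread. It shows the approach kaisellgren and John Cartwright recommend (PDO prepared statements with bound parameters) applied to nemsis's `SELECT * FROM bla WHERE id=...` query, and also covers the LIMIT clause Mordred singles out, where a bound value must be sent as a bare integer. Instead of silently coercing with `(int)`, which turns "12abc" into 12 and "abc" into 0, the id is validated with `filter_var()` and rejected when it is not a well-formed integer. The table name `bla` comes from the thread; the DSN, credentials and the `validateId`/`fetchRow`/`fetchPage` function names are assumptions made for this example. Note that the `mysql_*` extension used in the thread was removed in PHP 7, so PDO (or mysqli) is the only route on current PHP anyway.

```php
<?php
// Added example: validated integer parameters with PDO prepared statements.
// Assumes a MySQL database containing a table `bla` with an INT `id` column
// (table name from the thread; connection details below are placeholders).
declare(strict_types=1);

/**
 * Accept only a well-formed decimal integer in [1, $max]; return null otherwise.
 * Unlike (int)$_GET['id'], this does not quietly map "12abc" to 12 or "abc" to 0,
 * so malformed input produces a 400 instead of a query for a different row.
 */
function validateId(mixed $raw, int $max = PHP_INT_MAX): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;                      // arrays (id[]=1) and missing values are rejected
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $id === false ? null : $id;
}

/** Fetch one row by id. The value never touches the SQL text: it is bound. */
function fetchRow(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM bla WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Paged fetch. LIMIT/OFFSET do not accept quoted strings, which is the case
 * Mordred refers to: bind with PDO::PARAM_INT so the driver emits bare
 * integers even when prepared statements are emulated client-side.
 */
function fetchPage(PDO $pdo, int $offset, int $limit): array
{
    $stmt = $pdo->prepare('SELECT * FROM bla ORDER BY id LIMIT :off, :lim');
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- usage (placeholders for host, database and credentials) ---
$pdo = new PDO(
    'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

$id = validateId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}

$row  = fetchRow($pdo, $id);                                   // null if no such row
$page = fetchPage($pdo, 0, 20);                                // first 20 rows
```

Design note: validation and parameter binding address two different problems. Binding (or, failing that, escaping) keeps the value out of the SQL grammar regardless of its content; validation keeps garbage such as `id=12abc` from being silently reinterpreted as row 12. The `(int)` cast in the thread only does the second job, and does it lossily, which is why the replies converge on "escape or bind everything" rather than relying on the cast.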