Rihards

Reputation: 10349

Are (int) and is_int() secure enough to protect against SQL injection?

So I was wondering, is this enough to be safe, so that a user can't do any SQL injection and the number will always and only be an integer? The $id in the getArticle function is bound to the SQL query.

<?php $id = (isset($_GET['id']) && is_int((int)$_GET['id'])) ? (int)$_GET['id'] : false ?>
<?php $news = $class->getArticle($id) ?>

As far as I tested, it worked fine, but as I'm not totally sure I'd rather ask you guys! OK, people say prepared statements would do the trick. Would they really? Like, can I be totally sure that if I bind the param as an integer it will be an integer and nothing else?

Thanks in advance!

Upvotes: 6

Views: 5161

Answers (4)

Sarfraz

Reputation: 382806

You can simply type cast them to proper type:

$number = intval($_GET['id']);                            // always yields an int (non-numeric input becomes 0)
$string = mysql_real_escape_string(strval($_GET['str']));  // legacy ext/mysql escaping (the extension was removed in PHP 7)

To make sure that you get what you are expecting.

The better solution is to use prepared statements to avoid SQL injection.

Upvotes: 10

Andy Lester

Reputation: 93735

Use prepared statements. There is no reason NOT to use them. Then you don't have to ask "Is this good enough?"

Upvotes: 5
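To make the advice in the two answers above concrete, here is an added example (it is not code from the question or from any of the answers). It shows three things: why the question's `is_int((int)$_GET['id'])` check can never fail, a validation step that really rejects non-integer input, and a getArticle that binds the id as an integer in a prepared statement. The table name, column names, the rows and the inputs fed through the loop are constructed test data; an in-memory SQLite database via pdo_sqlite stands in for MySQL so the script runs offline.

```php
<?php
// Added example (not from the original question or answers). Assumes the
// pdo_sqlite extension; table/rows below are constructed test data.
declare(strict_types=1);

// (a) The cast always produces an int, so is_int() on its result is always
// true. "1 OR 1=1" silently becomes 1 and "abc" becomes 0: nothing reaches the
// query that is not an integer, but bad input is not rejected either.
function castOnly($raw): int
{
    return (int) $raw;
}

// (b) Validate before casting: accept only an integer string within range.
// Returns null for anything else (missing, "1 OR 1=1", "abc", "-5", "1.5").
function validateId(?string $raw, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $id === false ? null : $id;
}

// (c) Look the article up with a prepared statement: the query text and the
// value travel separately, and the value is bound with an integer type.
function getArticle(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed fixture and demo -------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // use real server-side prepares
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO articles (id, title) VALUES (1, 'First'), (2, 'Second')");

// Constructed inputs: a good id, two injection attempts, garbage, and "not set".
foreach (['2', '1 OR 1=1', '1; DROP TABLE articles', 'abc', null] as $raw) {
    $shown = $raw === null ? 'null' : var_export($raw, true);
    printf("%-28s cast=%d  validated=%s\n", $shown, castOnly($raw),
        var_export(validateId($raw), true));
}

// Only a validated id ever reaches the query; anything else is a 404-style miss.
$id   = validateId($_GET['id'] ?? '2');
$news = $id === null ? null : getArticle($db, $id);
var_dump($news);
```

Two caveats a practitioner would want. First, PDO's MySQL driver defaults to PDO::ATTR_EMULATE_PREPARES = true, in which case PDO builds the final query string client-side; even then a value bound with PDO::PARAM_INT is emitted as an integer literal and cannot break out of the query, so the answer to "can I be sure it is an integer and nothing else" is yes for the value itself. Second, prepared statements only protect values: a column name, sort direction or table name taken from the request still has to be checked against an allow-list, because it cannot be bound as a parameter.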

codez

Reputation: 1391

just use:

$id = (int)@$_GET['id']; // @ silences the undefined-index notice; a missing or non-numeric id casts to 0

If $_GET['id'] is not set, $id will be 0.
If you want to test whether id is correctly set, use:

if ($id = (int)@$_GET['id']) {
  // id is a non-zero integer
} else {
  // invalid id (missing, non-numeric, or 0)
}

Upvotes: 0

jigfox

Reputation: 18177

I can't think of any way this could be used for an SQL injection. So I would say it's secure enough.

Upvotes: 0
