Reputation: 53607
I am wondering, if I have a value I know should be numeric, is multiplying it by 1 a safe method to clean it?

```php
function x($p1) {
    $p1 *= 1;                                    // force the value to a number
    $sql = "select * from t where id = {$p1}";   // then interpolate it into the query
    // run query..
}
```
Although my example uses an ID, this is being used for many types of numeric values I have in my app (can be money, can be pai, etc.).
Upvotes: 4
Views: 156
Reputation: 67735
It works most of the time, as it will cast strings to integers or doubles, but you have to be careful. It's going to work correctly for scalar values. However, if you do this:

```php
x(new stdClass);
```

You'll get an E_NOTICE. This is not so bad, right? This:

```php
x(array());
```

And you'll get an E_ERROR, Unsupported operand types, and the script terminates.

Maybe you'd think that it isn't so bad, but a fatal error at an inopportune moment can leave your system in an unstable state, for example by losing referential integrity or leaving a series of queries unfinished.

Only you know if a case like the above can happen. But if this data comes from a user in any way, I'd go with Murphy's Law on this one and not trust it.
Upvotes: 0
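As an added example (not part of the answer above, and written for PHP 8), the following shows what `$p *= 1` actually does to the inputs that answer lists, plus a leading-numeric string like `1 OR 1=1`, and puts a stricter validator beside it that rejects anything `is_numeric` does not accept in full. The function names `multiplyByOne` and `requireNumber` are my own; the sample values are constructed.

```php
<?php
// Added example, not code from the original question or answers.
// Behaviour shown is PHP 8: on PHP 7 the non-numeric string cases only warn
// and evaluate to 0 instead of throwing a TypeError.
declare(strict_types=1);

/** What "$p *= 1" produces for a given input, rendered as a string for display. */
function multiplyByOne(mixed $p): string
{
    try {
        $r = @($p * 1);                 // @ hides the E_WARNING for "123abc" or "1 OR 1=1"
        return var_export($r, true);    // e.g. 123, 1000.0, 0, 1
    } catch (TypeError $e) {            // arrays, objects, "", "abc" end up here on PHP 8
        return 'TypeError: ' . $e->getMessage();
    }
}

/**
 * Strict alternative to "*1": accept ints, floats and strings that is_numeric()
 * accepts as a whole; reject booleans, null, arrays, objects and "123abc".
 */
function requireNumber(mixed $p): int|float
{
    if (is_int($p) || is_float($p)) {
        return $p;
    }
    if (is_string($p) && is_numeric($p)) {
        return $p + 0;                  // "12" -> 12 (int), "12.50" / "1e3" -> float
    }
    throw new InvalidArgumentException('expected a number, got ' . get_debug_type($p));
}

function requireNumberOrMessage(mixed $p): string
{
    try {
        return var_export(requireNumber($p), true);
    } catch (InvalidArgumentException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

function describe(mixed $p): string
{
    return (is_scalar($p) || $p === null) ? var_export($p, true) : get_debug_type($p);
}

// Constructed sample inputs: the scalar cases, the two from the answer, and an
// injection-looking string to show that "*1" turns it into 1 rather than passing it on.
$samples = [42, '42', '12.50', '1e3', '123abc', '1 OR 1=1', 'abc', '', null, true, [], new stdClass()];

foreach ($samples as $s) {
    printf("%-12s  *1 => %-50s  requireNumber => %s\n",
        describe($s), multiplyByOne($s), requireNumberOrMessage($s));
}
```

The security-relevant takeaway from running it: `*1` never lets SQL text through (it yields a number or throws), so the risk the answer describes is the uncaught TypeError taking the request down mid-transaction, not injection. The validator turns that into an exception you choose where to catch.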
Reputation: 21363
While that'll probably work, intval seems like a better solution: http://php.net/manual/en/function.intval.php. Your intent will likely be more obvious to someone else reading your code.

If you want to check if a value is numeric before converting it to an int, use is_numeric (http://php.net/manual/en/function.is-numeric.php). It'll check for strings that are numeric as well as integers. For example, if a number was coming back from a text input form via AJAX, it might be a string. In that case, is_int would return false, but is_numeric would return true.

EDIT

Now that I know you use DECIMAL for the MySQL column type, you can do something like this:

```php
function getItem($pValue)
{
    if (!is_numeric($pValue)) {
        return false;
    }
    // %.2f formats the validated value as a float with two decimals for the DECIMAL column
    $Query = sprintf(
        'SELECT * FROM %s WHERE %s = %.2f',
        'TableName',
        'Price',
        $pValue
    );
    // Do something with $Query
}
```
Upvotes: 0
Reputation: 7989
I'm sure there is a more "appropriate" way, but for the scope of your question, I would say yes. If some sort of string is passed, PHP will interpret it as a zero when doing the mathematical operation.
Upvotes: 0
Reputation: 31750
I don't see why it wouldn't be. But what's wrong with using prepared statements? That's always going to be safer than using PHP variables directly in SQL statements.
Upvotes: 2
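As an added example (not code from any of the answers), here is the prepared-statement route the answer above recommends, done with PDO against an in-memory SQLite database so it runs offline with a stock `pdo_sqlite` build. It covers both the integer `id` lookup from the question and the DECIMAL `price` lookup from the edited answer: the value is bound as a parameter and never interpolated into the SQL text, so no `*1` cast is needed, and the DECIMAL value is bound as a validated string so the database, not PHP's `%.2f` float formatting, handles the comparison. The table `t`, its columns, its rows and the function names are constructed for this demo.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes PHP 8 with the pdo_sqlite extension; table t and its rows are constructed here.
declare(strict_types=1);

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT, price DECIMAL(10,2))');
    $ins = $db->prepare('INSERT INTO t (id, name, price) VALUES (:id, :name, :price)');
    foreach ([[1, 'widget', '9.99'], [2, 'gadget', '19.50'], [3, 'gizmo', '19.50']] as [$id, $name, $price]) {
        $ins->execute([':id' => $id, ':name' => $name, ':price' => $price]);
    }
    return $db;
}

/** Look up by integer id. FILTER_VALIDATE_INT rejects "2 OR 1=1", floats, arrays and overflow. */
function findById(PDO $db, mixed $id): ?array
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT id, name, price FROM t WHERE id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);   // bound as a typed parameter, not SQL text
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Look up by DECIMAL price. Only the exact shape "123.45" is accepted, and the string
 * is bound as a string: the DB parses it as a decimal, so 19.50 stays 19.50.
 */
function findByPrice(PDO $db, mixed $price): array
{
    if (!is_string($price) || !preg_match('/^\d{1,8}(\.\d{1,2})?$/', $price)) {
        throw new InvalidArgumentException('price must look like 123.45');
    }
    $stmt = $db->prepare('SELECT id, name, price FROM t WHERE price = :price');
    $stmt->bindValue(':price', $price, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage on the constructed data.
$db = openDemoDb();
var_dump(findById($db, '2'));                 // the "gadget" row; a numeric string from a form is fine
var_dump(count(findByPrice($db, '19.50')));   // 2 rows share that price
foreach (['2 OR 1=1', '1.5', [], new stdClass()] as $bad) {
    try {
        findById($db, $bad);
    } catch (InvalidArgumentException $e) {
        echo get_debug_type($bad), ': ', $e->getMessage(), "\n";
    }
}
```

The validation in front of `bindValue` is there for the reasons the first answer gives (a bad input should fail where you decide, not inside the query), but the injection protection comes from the binding itself: even an unvalidated string bound with `PDO::PARAM_INT` is sent as a parameter, never spliced into the statement.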