could i safely assume (if i’m just GETting an id number) that is_numeric is good enough to thwart sql injection attacks? or is there sql injection methods that can pass through is_numeric?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
could i safely assume (if i’m just GETting an id number) that is_numeric is good enough to thwart sql injection attacks? or is there sql injection methods that can pass through is_numeric?
You’d be better served to just do:
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;This way you can avoid the
is_numericfunction overhead. Either method is sufficient to avoid injection, though (as long as you do something to the data ifis_numericreturns FALSE). The ternary operator also makes sure you don’t get an E_NOTICE if the $_GET variable in question doesn’t exist.