I have this line:
$sql = "UPDATE votes SET up=up+1 WHERE id='{$p}'";
Now from what I’ve read one way of sql injection is caused by not “closing” sql queries properly which allows hackers to add additional info.
So my question is, is that line safe as to me the up=up+1 has not been “closed” but if I set it like this up='up+1' which to me makes it “closed” it does not work.
row up type is int(11) if that makes any difference.
Update:
$p is sanitized with a function
function sanitize($foo) {
if(get_magic_quotes_gpc() == true) {
$foo = stripslashes($foo);
}
return mysql_real_escape_string(htmlspecialchars($foo));
}
The
up=up+1is not vulnerable because it does not accept user input via a variable. It is merely incrementing anINTvalue already in your database.The
WHERE id='{$p}'may be vulnerable, however, if the variable$pis not properly filtered and escaped, but as you added above, it has been sanitized by a function. Hopefully the sanitize function goes as far as checking the appropriate type of the variable (be it an int or string or whatever) and checks the appropriate bounds for it.As always, the safest method is to make use of prepared statements and parameterized queries rather than pass any variables directly into a SQL string. Most of the database APIs available in PHP for the various RDBMS’ support prepared statements. (Notably not the
mysql_*()functions, however).