I just discovered this, I use MySQL as my database. When i do something

Question

0

Editorial Team

Asked: May 26, 20262026-05-26T02:26:26+00:00 2026-05-26T02:26:26+00:00

I just discovered this, I use MySQL as my database. When i do something

0

I just discovered this, I use MySQL as my database.

When i do something like:

$query = $this->db->where('id', '6rubbish')->get('posts', 1);

it generates and executes this SQL:

SELECT *
FROM (`posts`)
WHERE `id` =  '6rubbish'
LIMIT 1

The surprising thing is that it actually fetches the post with the ID 6.

I find this very vulnerable in same cases because i’m trying to exactly match the ID, not to do a LIKE query.

Any ideas?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-26T02:26:26+00:00

Yes.

Read Type Conversion in Expression Evaluation
Use intval() PHP function to extract the integer part of the variable
Or use is_int to exclude any variable that is not a pure integer

But the origin of the problem is that your query generator library doesn’t understand the variable types, PHP being a dynamic typed language doesn’t help too.

I don’t know what library you’re using, maybe there is an option to tell that you’re passing an int? It should protect you from SQL injection, I hope, try with:

$query = $this->db->where('id', "don't")->get('posts', 1);

and see if the generated SQL has the single quoted escaped (doubled or preceded by backslash).

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I just discovered this, I use MySQL as my database. When i do something

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply