Possible Duplicate:
How to prevent SQL injection in PHP?
Consider this snippet,
*mysqltest.php*
$user_id= $_GET['user_id'];
$user_id= mysql_real_escape_string($user_id);
$query = "SELECT * FROM people WHERE uid=".$user_id;
echo $query;
//then execution ..
Now, when we call this script as “mysqltest.php?user_id=56 or 1”
The query would be,
SELECT * FROM people WHERE uid=56 or 1 and result in successful injection.
So how can we protect ourselves at such situations where the column is of numeric types?
Is there any other work arounds at these situations without using pdo or prepared statements?
There are no “other issues” for the mysql_real_escape_string.
Most people confuse this function, thinking it’s intended to protect them from injection by “cleaninig” somehow whatever “user input”.
This is wrong for sure.
mysql_real_escape_string intended to format strings, making them good for the SQL query. That’s all. As a side effect it makes injection impossible too.
So, every time one is going to add a string into query dynamically, they have to follow both string formatting rules, no matter of the data source:
as they are useless one without another.
Though it’s all right to treat numbers as strings.
So, for the given example you cat treat your data as a string, as it was suggested in the deleted answer
the only exception is a LIMIT clause parameters that have to be integers only.
the only solution in this case would be to cast the data to desired format manually
but remember, there are other cases, which require different treatment
One more thing to add.
It is boring to format your data manually.
Much better to let some code to do it for you, making code both short and safe