I use is_numeric for everything, the only input I get from users is a form with an Student ID number....
I recently was reading up on SQL Injections and was wondering if the following precaution is necessary?
Currently I have:
if(is_numeric($_POST['sid']){
$sid = $_POST['sid'];
$query = "select * from student where sid='".$sid."'";
// More Code...
}
What I've read is safer
if(is_numeric($_POST['sid']){
$sid = (int) $_POST['sid'];
$query = "select * from student where sid='".$sid."'";
// More Code...
}
Is one version really safer than the other? How would someone bypass 'is_numeric'?
Also, would this be any less safe than what I currently have?
if(is_numeric($_POST['sid']){
$query = "select * from student where sid='".$_POST['sid']."'";
// More Code...
}
So, I guess what I am really asking, is if one of these code blocks is truly safer than another one
EDIT: Sorry I didn't state this early but I am using oracle 10g database, not mysql. With oci_connect();
Why are you going through these questions asking about how you can sanitize your inputs so that you can build SQL statements from outside data? Building SQL statements from outside data is dangerous.
Rather than wasting your time worrying about how you can come up with another halfway thought out "solution", stop and put on your Big Programmer Pants and start using prepared statements and bound variables.
Here is a fantastic answer that will get you started: How can I prevent SQL injection in PHP?
You can also check http://bobby-tables.com/php for other examples.
Looks to me like you can still do prepared statements and bound variables with Oracle: http://php.net/manual/en/function.oci-bind-by-name.php or through PDO http://php.net/manual/en/pdostatement.bindparam.php