<p>You can't. Both of your options are fundamentally flawed as well:</p>
<ul>
<li>Anyone who can change a checkbox's value can very well change a hidden input's value.</li>
<li>Your "random IDs" can still be seen in <a href="https://developers.google.com/chrome-developer-tools/" rel="nofollow noreferrer">Dev Tools</a>, Firebug or a similar tool.</li>
</ul>
<p>Instead of worrying about <em>how</em> the user sent the data, you should worry about whether the data is valid and whether the user has permission for the given action.</p>
<hr>
<p>Also, <a href="http://php.net/manual/en/function.is-numeric.php" rel="nofollow noreferrer"><code>is_numeric</code></a> is not my favorite as it will return <code>true</code> for hex and exponential notation. I'd recommend checking with <a href="http://php.net/manual/en/function.ctype-digit.php" rel="nofollow noreferrer"><code>ctype_digit</code></a> or simply doing an <code>(int)</code> cast, e.g.:</p>
<pre><code>if (!isset($_POST['id'])) die('invalid data');
$id = (int) $_POST['id'];
if ($id == 0) die('invalid id');
</code></pre>
<p>Non-numeric strings are converted to <code>0</code> and auto increment fields usually have <code>1</code> as the first value. In case <code>0</code> is a valid value you'll need to tweak the code above, e.g.:</p>
<pre><code>if (!isset($_POST['id']) || !ctype_digit($_POST['id'])) die('invalid data');
$id = (int) $_POST['id'];
</code></pre>
<p>Afterwards, check whether the given ID exists in your DB. Do the proper permission checks and that's it.</p>
<hr>
<p>It doesn't matter how your server got the data; what matters is the data being valid and the user having permission to perform the given operation. Anything that you do in the front-end/interface can be easily changed and manipulated by a hacker or any mid-experienced web developer.</p>
<p>Focus on restricting unauthorized access and keeping your DB integrity. It doesn't matter whether the request is being made from your page, from a tampered page or through a terminal; all the headers and posted data can be easily reproduced to <em>look like</em> a request being made from your page.</p>
<hr>
<p>After all this, I'm not sure whether you can call this "SQL Injection". Your application's function requires some input which includes an integer value. Now what is left is checking whether the necessary input has been provided and is valid. All user input must be treated as unsafe and be properly validated and escaped before being thrown into a query.</p>
<p>Also, look into <a href="https://stackoverflow.com/tags/pdo/info">PDO</a>, which handles value escaping pretty well. The <code>mysql_*</code> extension and the <code>mysql_real_escape_string</code> function are deprecated and very human-error prone.</p>
<p>As for preventing SQL injection, the <a href="https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php">linked thread</a> in the question's comments is a good read.</p>
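<p>The three checks the answer above describes (reject anything that is not a plain decimal ID, then confirm the row exists <em>and</em> belongs to the acting user, using PDO placeholders so the value never becomes part of the SQL text) put together as one PHP example. This is an added example, not code from the answer or from any project; it assumes PHP with the <code>pdo_sqlite</code> extension and uses a constructed in-memory <code>items</code> table, constructed user IDs and constructed <code>$_POST</code>-style arrays as input.</p>

```php
<?php
// Added example (not from the original answer): validate an ID from POST data,
// look it up with a PDO prepared statement and enforce ownership.
// Assumes an in-memory SQLite database via pdo_sqlite; the "items" table,
// the user IDs and the $cases payloads below are constructed test data.

declare(strict_types=1);

/**
 * Return the ID as a positive int, or null if the value is missing or is not
 * a plain decimal string. ctype_digit rejects "1e3", "0x1A", " 42" and "-1",
 * all of which is_numeric() may accept depending on the PHP version.
 */
function validateId(array $post, string $key = 'id'): ?int
{
    if (!isset($post[$key]) || !is_string($post[$key]) || !ctype_digit($post[$key])) {
        return null;
    }
    $id = (int) $post[$key];
    return $id > 0 ? $id : null; // treat 0 as invalid, as the answer does
}

/**
 * Fetch the item only if it exists AND belongs to the acting user.
 * Named placeholders keep the user-supplied values out of the SQL text.
 */
function loadOwnedItem(PDO $db, int $itemId, int $userId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, owner_id, title FROM items WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $itemId, ':owner' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Delete the item only after validation and the ownership check passed. */
function handleDelete(PDO $db, array $post, int $currentUserId): string
{
    $id = validateId($post);
    if ($id === null) {
        return 'invalid data';
    }
    if (loadOwnedItem($db, $id, $currentUserId) === null) {
        // Same response for "does not exist" and "not yours": no enumeration hint.
        return 'not found or not permitted';
    }
    $stmt = $db->prepare('DELETE FROM items WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $currentUserId]);
    return 'deleted';
}

// --- constructed demo data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, title TEXT)');
$db->exec("INSERT INTO items (id, owner_id, title) VALUES (1, 10, 'mine'), (2, 20, 'theirs')");

$currentUserId = 10; // constructed: the logged-in user
$cases = [
    ['id' => '1'],        // valid and owned by user 10
    ['id' => '2'],        // exists, but belongs to user 20
    ['id' => '1e0'],      // is_numeric() accepts this; ctype_digit() does not
    ['id' => '1 OR 1=1'], // rejected before any query is built
    [],                   // missing entirely
];
foreach ($cases as $post) {
    printf("%-12s -> %s\n", var_export($post['id'] ?? null, true), handleDelete($db, $post, $currentUserId));
}
```

<p>The ownership condition is repeated in the <code>DELETE</code> itself rather than relying only on the earlier <code>SELECT</code>, so the write is still scoped to the current user even if the two statements are later separated by other code.</p>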