If you check the id for the presence of letters, can you protect yourself from SQL injection?
This is the kind of check I have on the site:
    function check_for_number($str) {
        $i = strlen($str);
        while ($i--) {
            if (is_numeric($str[$i]))
                return true;
            else {
                echo '<script type="text/javascript">window.location.replace("example.com");</script>';
            }
        }
    }
    $idq = $_GET['id'];
    check_for_number($idq);
First, you must validate the HTTP request.
Then use an ORM or DBAL to execute the request, and use placeholders.
First, the redirect is not very good. It's better to do this: header("Location: $url");
Secondly, if the string ends with a number, then it will return true.
If you need to calculate the ratio of digits to letters, then it is better to parse the digits with a regular expression and compare with the total number (after cutting off the spaces from the beginning and end).
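An added example (not code from the question or the answers) that puts the two answers together: the return value of the question's check next to a whole-string digit check, followed by a query with a bound placeholder. It assumes PHP 8 with the pdo_sqlite extension; the articles table, the helper names original_check, parse_id and find_article, and the sample inputs are constructed for illustration.

```php
<?php
// Added example: table name, column names and sample inputs are constructed.

// Return value of the check from the question: true as soon as any character,
// scanned from the end, is a digit (the JS redirect it echoes does not stop PHP).
function original_check(string $str): bool {
    $i = strlen($str);
    while ($i--) {
        if (is_numeric($str[$i])) {
            return true;
        }
    }
    return false;
}

// Strict validation: the whole value must be 1-9 ASCII digits, else null.
function parse_id($raw): ?int {
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

// The value travels as a bound parameter, never as part of the SQL text.
function find_article(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO articles (title) VALUES ('first'), ('second')");

// Constructed stand-ins for $_GET['id'].
foreach (['2', '7 OR 1=1', 'abc', '', '999'] as $raw) {
    $old = original_check($raw) ? 'pass' : 'fail';
    $id  = parse_id($raw);
    if ($id === null) {
        // In a request handler: http_response_code(400); exit;
        printf("%-12s old check: %s, strict: rejected\n", json_encode($raw), $old);
        continue;
    }
    $row = find_article($pdo, $id);
    printf("%-12s old check: %s, strict: id=%d, row=%s\n",
        json_encode($raw), $old, $id, json_encode($row));
}
```

The second sample passes the original check because it contains a digit, while the strict check rejects it before any query is built.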