php - Do i have to escape input using mysqli_real_escape_string even though i check it using is_numeric to prevent sql injection -

-

I am using $ _GET ['id'] to get the ID And see it DB

I think if I use the is_numeric function to check the string, then it is numeric or not, then I use the mysqli_real_escape_string I>. But recently it was found.

It was found whether the given variable is numeric or not. Numeric strings include optional sign, any number of digits, optional decimal part, and optional exponential part. Thus + 0123.45e6 is a valid numeric value. There is also permission for hexadecimal (such as 0xf4c3b00c), binary (eg 0b 10101111001), October (eg 0777) signaling, but without any indication, decimal and exponential part referee:

The question is Do I have to avoid input using mysqli_real_escape_string, though I check it using is_numeric to prevent SQL injection ?

As the input will only have numerical value eg. 555, 222,456, 879

Although I can not think of a specific way of attacking your example, I can not think in a way! "=" This is not possible ".

If you come into the habit of checking, and then cross the values, then eventually you will get in Trouble!

Your statement "Input is only numeric value like 555, 222 ,456, 879" This is not true because you have given some more complicated examples in your quote - how do SQL + 0123.45 A6 or 0b10? A string in which there is a number

For this reason, always the US WARNING STATEMENTS - There is a need to worry about the way you do not do it. If you can find the reason for not using the prepared statement (and I do not think there is one! ) Then lets talk.

Comments

Post a Comment

Popular posts from this blog

php - PDO bindParam() fatal error -

-
I am trying to learn PDO, now I have written this small code, but it gives me a serious error: < P> Fatal error: Call a member function at a non-object dot () ... $ con = new mysqli ("127.0.0.1", "root", "", "csvdangercheck"); $ Query = $ con- & gt; ("Id,` var1`, `var2`) values ​​(" id,: var1,: var2) ";); $ query- & gt; bypass pattern (': id', $ id); $ query- & gt; BindParam (': var1', $ VAL1); $ Query- & gt; bindParam (': var2', $ val2); $ Query-> Executed (); I Trying to use print_r ($ con-> errorInfo ()) but Fatal error: Undefined method mysqli :: errorInfo ( ) ... can someone tell me what am I missing? Flaffeh said, you have PDO Missing Mysqy, try it: $ con = new PDO ('mysql: host = 127.0.0.1; dbname = csvdangercheck', 'root', '');
Read more

logging - How can I log both the Request.InputStream and Response.OutputStream traffic in my ASP.NET MVC3 Application for specific Actions? -

-
For a specific set of tasks, I need to log in to the incoming request inputstream as well as outgoing response. is. I am using an ActionFilterAttribute for this and overriding the OnActionExecuted and OnResultExecuted methods. So I'm starting with this idea ... Public category ActionLoggerAttribute: ActionFilterArrbit {Public Override Zero On-Offed Execution (ActionActioned Contact Filter Filter) {base.OnActionAxecuted (FilterContext); HttpRequestBase request = filterContext.HttpContext.Request; // TODO: Log the request. InputStream} Public Override Zero OnResultExecuted (ResultExecutedContext FilterContext) {base.OnResultExecuted (filterContext); HTTPRPSPointBase Response = FilterContacts Hpptex response; // TODO: Log on Response.OutputStream}} Ideally I'll hook it up with enterprise library logging because I'm already using it for error logging. Am I reaching the input and output stream at the right time? Can I easily use the Enterprise Library to log i
Read more

java - Why my included JSP file won't get processed correctly? -

-
I am trying to create Java web framework (and learning), and on the basis of 'Code Generator In the process of making the material view of the database in the process of development, I stumbled into a difficulty, which I do not know how to solve it. First of all, I want the following index.jsp : & lt; Body & gt; Use all pages to be created. & Lt;% @ include file = "header.jsp"% & gt; & Lt; Hours / & gt; & Lt;% @ included file = "body.jsp"%> & Lt; Hours / & gt; & Lt;% @ include file = "footer.jsp"% & gt; & Lt; / Body & gt; And, in body.jsp , I should have it like this: & lt; Jsp: include page = "$ {Application_modul}"%> Where application_modul is an attribute defined in its controller: request.setAttribute ("application_modul", "USER_ACCOUNT \\ ' View_user_account.jsp "); This file can be found properly, but the processed JSP does
Read more