Rick Joe - 1 year ago
SQL Question

mysql is_numeric sql injection

I have a pagination in my webpage. So I want to add a line to my query if I have a post from pagination:

$q = "";
if (isset($_POST["inpi"])) {
  $in = $_POST["inpi"];
  if (is_numeric($in)) {
    $q = "and c.id < '$in'"; // add this to mysql
  }
  else { die("something is wrong!"); }
}


So I can't use prepared statements here.

select k.user, c.id, c.from, c.sent, c.message, c.recd from chat c
inner join cadastro k on c.from=k.id
where `from`=? and `to`=? $q


Notice the $q variable: it will have no value if the post is empty, or it will be the and c.id < '$in'.

Is it secure enough?

Answer Source

You can always accumulate arguments as you go and build it out like this:

$query = "SELECT ... WHERE `from`=? AND `to`=?";
$binds = array("ss", &$from, &$to);

if (isset($_POST["inpi"])) {
  $query .= " AND c.id < ?";

  // Append the type character for the extra integer parameter
  $binds[0] .= "i";
  $binds[] = &$_POST["inpi"];
}

$stmt = $mysqli->prepare($query);

call_user_func_array(array($stmt, 'bind_param'), $binds);

I haven't tested this, but it's based on this code and may require some adjustments to work.

PDO's execute() function takes an array straight up, it's way easier to work with.
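
The PDO variant mentioned above, as an added example that is not part of the original answer: the optional `c.id < ?` clause is appended as a placeholder and its value goes into the same array passed to `execute()`. The helper name `buildChatQuery()`, the simplified single-table schema, the sample rows and the use of in-memory SQLite in place of MySQL are assumptions made so the script runs offline.

```php
<?php
// Added example: optional pagination filter with PDO, every value bound.
// buildChatQuery() is a hypothetical helper; the rows below are constructed.

function buildChatQuery(string $from, string $to, ?string $beforeId): array
{
    $sql = 'SELECT c.id FROM chat c WHERE c.`from` = ? AND c.`to` = ?';
    $params = [$from, $to];

    if ($beforeId !== null) {
        // Stricter than is_numeric(), which also accepts "1e3" and "1.5".
        $id = filter_var($beforeId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('invalid pagination cursor');
        }
        $sql .= ' AND c.id < ?';   // only a placeholder is concatenated
        $params[] = $id;           // the value travels separately
    }
    return [$sql . ' ORDER BY c.id DESC', $params];
}

// In-memory SQLite stands in for the MySQL database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE chat (id INTEGER PRIMARY KEY, `from` TEXT, `to` TEXT, message TEXT)');
$ins = $pdo->prepare('INSERT INTO chat (id, `from`, `to`, message) VALUES (?, ?, ?, ?)');
foreach ([[1, '10', '20', 'first'], [2, '10', '20', 'second'], [3, '10', '20', 'third']] as $row) {
    $ins->execute($row);
}

// Constructed inputs: no cursor, a valid cursor, and two values that must be refused.
foreach ([null, '3', '1e3', "3' OR '1'='1"] as $input) {
    try {
        [$sql, $params] = buildChatQuery('10', '20', $input);
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        $ids = $stmt->fetchAll(PDO::FETCH_COLUMN);
        echo var_export($input, true), ' => ids ', implode(',', $ids), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo var_export($input, true), ' => rejected', PHP_EOL;
    }
}
```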
