Rick Joe - 1 year ago 114
SQL Question

mysql is_numeric sql injection

I have a pagination in my webpage. So I want to add a line to my query if I have a post from pagination:

$q = ""; // stays empty when nothing was posted
if (!empty($_POST["inpi"])) {
    if (!is_numeric($_POST["inpi"])) { die("something is wrong!"); }
    $in = $_POST["inpi"];
    $q = "and c.id < '$in'"; // add this to mysql
}

So I can't use prepared statements here.

select k.user, c.id, c.from, c.sent, c.message, c.recd from chat c
inner join cadastro k on c.from=k.id
where `from`=? and `to`=? $q

Notice the $q variable: it will have no value if the post is empty, otherwise it will be and c.id < '$in'.

Is it secure enough?

Answer

You can always accumulate arguments as you go and build it out like this:

$query = "SELECT ... WHERE `from`=? AND `to`=?";
$binds = array("ss", &$from, &$to);

if (isset($_POST["inpi"])) {
  $query .= " AND c.id < ?";

  $binds[0] .= "i";           // one more type character for the extra placeholder
  $binds[] = &$_POST["inpi"]; // bind_param takes its values by reference, hence the &
}

$stmt = $mysqli->prepare($query);

call_user_func_array(array($stmt, 'bind_param'), $binds);
$stmt->execute();

I haven't tested this, but it's based on this code and may require some adjustments to work.

PDO's execute() function takes an array straight up; it's way easier to work with.
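As an added example that is not code from the question or the answer, here is the same query done with PDO, the API the answer points to as the easier one: the pagination cursor is validated as an integer rather than with is_numeric (which also accepts strings such as " 42", "1e3" and ".5"), and the optional clause is appended to the SQL text while its value is bound, so no request data is ever interpolated. It assumes a PDO connection $pdo plus the chat and cadastro tables from the question; the function names are my own.

```php
<?php
// Added example, not code from the question or the answer. Assumes a PDO
// connection $pdo and the chat/cadastro tables from the question.

// is_numeric() is a loose check for an id: it also accepts " 42", "1e3" and ".5".
// Validate the pagination cursor as a non-negative integer instead.
function cursorFromRequest(array $post, string $key = 'inpi'): ?int
{
    if (!isset($post[$key]) || $post[$key] === '') {
        return null;                       // nothing posted: first page, no extra clause
    }
    $id = filter_var($post[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException('something is wrong!'); // the question's die() branch
    }
    return $id;
}

// Build the query from the question, appending the cursor clause only when a
// cursor is present. Every value travels as a bound parameter, so the SQL text
// never contains request data.
function fetchChat(PDO $pdo, int $from, int $to, ?int $beforeId): array
{
    $sql = 'SELECT k.user, c.id, c.`from`, c.sent, c.message, c.recd'
         . ' FROM chat c INNER JOIN cadastro k ON c.`from` = k.id'
         . ' WHERE c.`from` = :from AND c.`to` = :to';
    $params = [':from' => $from, ':to' => $to];

    if ($beforeId !== null) {
        $sql .= ' AND c.id < :before';    // placeholder in the SQL, value in $params
        $params[':before'] = $beforeId;
    }

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);              // PDO takes the whole array, as the answer notes
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: $rows = fetchChat($pdo, $from, $to, cursorFromRequest($_POST));
```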