Hi.
On Mon, Jul 23, 2001 at 05:24:45PM +0200, russlndr@online.no wrote:
> Hi
> When thinking about security it is best to use ' around number input
> from a webuser in the WHERE part of my query. But does this query
> run slower than a query without ' around numbers? How does this
> work?
Just putting single quotes around the input is not enough. I could
type in a single quote to get around your single quotes this way. Of
course, you want to use the proper escape function (like
mysql_real_escape_string) to be on the safe side.
The query won't run slower, because MySQL converts the string to a
number, if the column you compare against is a number. (The other way
around, comparing a VARCHAR column with an integer constant will
slow down the query.)
> I want to protect my system from user input such as comment, AND
> operator, and OR operator. Is the best way to include ' in queries,
> or should I precheck the number to verify that they really are
> numbers?
IMHO, the Right Thing is to pre-check that the number only consists of
digits. That way, you can also return a more precise error message
than just complaining about a not found entry with invalid numbers.
Bye,
Benjamin.
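The pre-check Benjamin recommends, as a worked example added here (it is not code from the original thread): a strict ASCII-digits-only whitelist in Python, with the validated value then passed as a bound parameter. An in-memory SQLite table stands in for the MySQL table; the table name, column names and sample rows are made up for the demonstration.

```python
import re
import sqlite3

# Whitelist: one to ten ASCII digits, nothing else. Deliberately stricter
# than str.isdigit() (which accepts Unicode digits such as "٤٢") and
# int() (which accepts "+1", " 1 " and "1_000").
_DIGITS_ONLY = re.compile(r"\A[0-9]{1,10}\Z")


def parse_id(raw):
    """Return raw as an int if it is a plain decimal id, otherwise None."""
    if not isinstance(raw, str) or not _DIGITS_ONLY.match(raw):
        return None
    return int(raw)


def naive_query(raw):
    """The approach from the question: only wrap the input in quotes.
    A quote character in raw is copied into the SQL text unchanged."""
    return "SELECT title FROM articles WHERE id='" + raw + "'"


def find_title(conn, raw):
    """Validate first, then bind the value; never splice it into SQL text."""
    article_id = parse_id(raw)
    if article_id is None:
        # A precise error, as the reply suggests, instead of "not found".
        return "invalid id"
    row = conn.execute(
        "SELECT title FROM articles WHERE id=?", (article_id,)
    ).fetchone()
    return row[0] if row else "not found"


def demo_db():
    """Constructed sample data: two articles in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?)", [(1, "first"), (2, "second")]
    )
    return conn
```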