
MySQL Injection Prevention

Robust

Well-known member
#1
So, I have a few files that use XF's framework. They directly get data from the POST or GET globals. If running a MySQL query, are injections automatically prevented or do I need to use a prepared statement? If the latter, does XenForo have any practice that should be used for this?

Example:

$userId = $_GET['user'];
$query = $db->fetchRow('SELECT * FROM xf_user WHERE user_id = ?', $userId);
 

Jake B.

Well-known member
#2
Assuming you don't have access to $this->_input, you can always cast your variable as an integer since user_id should always be an integer. Using something like:

Code:
$userId = (int) $userId;
 

Robust

Well-known member
#3
Assuming you don't have access to $this->_input, you can always cast your variable as an integer since user_id should always be an integer. Using something like:

Code:
$userId = (int) $userId;
That was just an example, using strings in the other script. Not sure if _input is available. It's just a basic init of XenForo. No styling on the page either. Returns json_encoded data.
 

Mike

XenForo developer
Staff member
#4
If running a MySQL query, are injections automatically prevented or do I need to use a prepared statement?
Ignoring the parse error as I assume you just typed that, but your example is using a prepared statement to inject the variable content, thus is protected.
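To make Mike's point concrete, here is an added example (not code from the thread or from XenForo itself) contrasting a query that interpolates raw request data with the two safe patterns discussed above: casting to int for an integer column, and binding with the `?` placeholder for any column type. It assumes a XenForo 1.x environment where `$db` is the Zend_Db adapter returned by `XenForo_Application::getDb()`; the controller usage at the bottom is hypothetical.

```php
<?php
// Added example, not code from the thread or from XenForo.
// Assumes $db is a Zend_Db adapter (XenForo_Application::getDb()).

// Unsafe: the raw ?user= value becomes part of the SQL text itself,
// so the database parses whatever the client sent as SQL.
function fetchUserUnsafe(Zend_Db_Adapter_Abstract $db)
{
    $userId = $_GET['user'];
    return $db->fetchRow("SELECT * FROM xf_user WHERE user_id = $userId");
}

// Safe, integer column: coerce the type first (Jake's suggestion),
// then bind it. The `?` placeholder keeps the value out of the
// statement text; the adapter quotes it separately.
function fetchUserById(Zend_Db_Adapter_Abstract $db, $rawUserId)
{
    $userId = (int) $rawUserId;
    return $db->fetchRow('SELECT * FROM xf_user WHERE user_id = ?', $userId);
}

// Safe, string column: an int cast is not an option here, but a
// bound parameter protects a string value just as well.
function fetchUserByName(Zend_Db_Adapter_Abstract $db, $rawName)
{
    $name = (string) $rawName;
    return $db->fetchRow('SELECT * FROM xf_user WHERE username = ?', $name);
}

// Hypothetical controller usage: filter the request value through
// XenForo_Input before it reaches the query at all.
// $userId = $this->_input->filterSingle('user', XenForo_Input::UINT);
// $db     = XenForo_Application::getDb();
// $row    = fetchUserById($db, $userId);
```

Only `fetchUserUnsafe()` is exposed to injection; the other two never let request data into the statement text, which is why the thread's `?`-bound query is already protected.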