MySQL Injection Prevention

Robust

Well-known member
So, I have a few files that use XF's framework. They directly get data from the POST or GET globals. If running a MySQL query, are injections automatically prevented or do I need to use a prepared statement? If the latter, does XenForo have any practice that should be used for this?

Example:

$userId = $_GET['user'];
$query = $db->fetchRow('SELECT * FROM xf_user WHERE user_id = ?', $userId);
 
Assuming you don't have access to $this->_input, you can always cast your variable as an integer since user_id should always be an integer. Using something like:

Code:
$userId = (int) $userId;
 
That was just an example, using strings in the other script. Not sure if _input is available. It's just a basic init of XenForo. No styling on the page either. Returns json_encoded data.
 
If running a MySQL query, are injections automatically prevented or do I need to use a prepared statement?
Ignoring the parse error as I assume you just typed that, but your example is using a prepared statement to inject the variable content, thus is protected.
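As an added illustration (not code from this thread), here are the two patterns the replies contrast side by side: pasting the raw request value into the SQL text versus casting it to an integer and binding it through a ? placeholder, as the fetchRow call in the question does. It uses PDO with an in-memory SQLite table named xf_user, constructed here, so it runs without MySQL or XenForo; the pdo_sqlite extension is assumed, and the filterSingle line in the comment refers to the XenForo 1.x input API.

```php
<?php
// Added example, not from the thread. In-memory SQLite via PDO so it runs
// offline; the xf_user table and its three rows are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE xf_user (user_id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO xf_user VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// VULNERABLE: the raw request value becomes part of the SQL text, so any
// input that is not a plain number changes the meaning of the statement.
function fetchUsersUnsafe(PDO $pdo, string $raw): array
{
    $sql = 'SELECT * FROM xf_user WHERE user_id = ' . $raw;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: user_id is always an integer, so cast first (the reply's (int) trick;
// in a XenForo 1.x controller the same thing is
// $this->_input->filterSingle('user', XenForo_Input::UINT)), then bind the
// value through a ? placeholder so it travels as data, never as SQL.
function fetchUsersSafe(PDO $pdo, string $raw): array
{
    $userId = (int) $raw;   // '2 OR 1=1' becomes 2, 'abc' becomes 0
    $stmt = $pdo->prepare('SELECT * FROM xf_user WHERE user_id = ?');
    $stmt->execute([$userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request value standing in for $_GET['user'].
$raw = '2 OR 1=1';

// The unsafe query's WHERE clause is now "user_id = 2 OR 1=1", which is true
// for every row; the safe query only ever compares user_id against the integer 2.
echo 'unsafe rows: ' . count(fetchUsersUnsafe($pdo, $raw)) . "\n";
echo 'safe rows:   ' . count(fetchUsersSafe($pdo, $raw)) . "\n";
```

Swap the SQLite DSN for a MySQL one and the same two functions show the identical difference against a real xf_user table.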
 