Is sprintf() safe enough to rely on?

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: egami, macek, gesf

New php-forum User
Posts: 31
Joined: Fri Mar 26, 2004 3:27 pm
Location: Eindhoven, The Netherlands

Fri Mar 25, 2005 4:25 am

Hello everyone!

After reading the sticky posts in this forum about security, I'd like to know if the following would be a secure way to get information from a database:

function getCompanionInfo($id, &$returnArray) {
   global $dbConnection;
   // The if (...) condition was not included in the post; a numeric check
   // is assumed here, to match the else branch that follows.
   if (is_numeric($id)) {
      // %d casts $id to an integer, so the query text cannot be altered by it.
      $query = sprintf("SELECT * FROM companions WHERE companion_id = %d LIMIT 1", $id);
      $result = mysql_query($query, $dbConnection);
      $returnArray = mysql_fetch_array($result);
      return $returnArray;
   } else {
      die("This script is protected against SQL injection.");
   }
}

Any thoughts would be greatly appreciated!

Kind regards,
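An added example (not code from the original post) showing what %d actually does to a tampered id, next to the prepared-statement form later PHP versions recommend; the PDO handle passed to fetchCompanion is assumed to exist, the other two functions only build query strings and need no database.

```php
<?php
// Added example (not code from the original post). It shows what sprintf's %d
// does to an id taken from user input, and the prepared-statement alternative.
// No database is needed: the first two functions only build query strings;
// the PDO handle in the third is assumed to exist when you call it.

function buildUnsafe($id) {
    // Raw interpolation: whatever the client sent lands inside the SQL text.
    return "SELECT * FROM companions WHERE companion_id = $id LIMIT 1";
}

function buildWithSprintf($id) {
    // %d converts the argument to an integer first. A value such as
    // "42 OR 1=1" becomes 42 and "abc" becomes 0: the text never reaches SQL.
    // This only works for integer columns; %s would not escape anything.
    return sprintf("SELECT * FROM companions WHERE companion_id = %d LIMIT 1", $id);
}

function fetchCompanion(PDO $db, $id) {
    // Modern equivalent: the value travels separately from the SQL text,
    // so no conversion or escaping of $id is needed at all.
    // (The mysql_* functions used in the thread were removed in PHP 7.)
    if (!ctype_digit((string) $id)) {
        return null;            // reject anything that is not a plain integer
    }
    $stmt = $db->prepare("SELECT * FROM companions WHERE companion_id = :id LIMIT 1");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Constructed sample inputs: a normal id, a tampered value, and junk.
foreach (["42", "42 OR 1=1", "abc"] as $in) {
    echo "input:   ", var_export($in, true), PHP_EOL;
    echo "unsafe:  ", buildUnsafe($in), PHP_EOL;
    echo "sprintf: ", buildWithSprintf($in), PHP_EOL, PHP_EOL;
}
```

Running it prints the unsafe query with the tampered text embedded and the sprintf query reduced to a bare integer, which is the whole protection %d provides.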

New php-forum User
Posts: 140
Joined: Sun May 11, 2008 1:40 am
Location: London, UK

Fri Nov 07, 2008 12:25 am

I realise that this is a several-year-old thread, but it saves me creating my own on a similar topic.

The basic rules of how to write more secure SQL:
  • All table and column names should be enclosed between two of these `.
  • All data you are providing should be enclosed between two of these '.
  • Conditional sections of the SQL should be in brackets ().
  • SQL functions(?) should be in uppercase.
  • SQL queries should end with a semi-colon (;).

SELECT * FROM `companions` WHERE (`companion_id`='%d') LIMIT 1;

When posting code to be reviewed, please enclose it in the [ code ] [ /code ] tags, as it makes it a lot easier for people to read since it is formatted correctly on screen.
