
Is sprintf() safe enough to rely on?


Postby maurits » Fri Mar 25, 2005 4:25 am

Hello everyone!

After reading the sticky posts in this forum about security, I'd like to know if the following would be a secure way to get information from a database:

function getCompanionInfo($id,&$returnArray){

   global $dbConnection;   // mysql_* link resource opened elsewhere in the application

   // Only accept a PHP integer; note that request values ($_GET/$_POST) arrive as strings,
   // so is_integer() returns false for them unless the caller casts first.
   if(is_integer($id)){
      // %d forces the value to be rendered as a decimal integer, so no quoting is needed
      $query = sprintf("SELECT * FROM companions WHERE companion_id = %d LIMIT 1",$id);
      $result = mysql_query($query,$dbConnection);
      $returnArray = mysql_fetch_array($result);
      return $returnArray;
   } else {
      die("This script is protected against SQL injection.");
   }
}
Any thoughts would be greatly appreciated!

Kind regards,
Maurits
maurits
New php-forum User
Posts: 31
Joined: Fri Mar 26, 2004 3:27 pm
Location: Eindhoven, The Netherlands

Re: Is sprintf() safe enough to rely on?

Postby AeroX » Fri Nov 07, 2008 12:25 am

I realise that this is a several-year-old thread, but it saves me creating my own on a similar topic.

The basic rules of how to write more secure SQL:
  • All table and column names should be enclosed between two of these `.
  • All data you are providing should be enclosed between two of these '.
  • Conditional sections of the SQL should be in brackets ().
  • SQL functions(?) should be in uppercase.
  • SQL queries should end with a semi-colon (;).
Example:
SELECT * FROM `companions` WHERE (`companion_id`='%d') LIMIT 1;
AeroX
New php-forum User
Posts: 142
Joined: Sun May 11, 2008 1:40 am
Location: London, UK
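Added example for both posts above; this is editor-supplied code, not code from maurits or AeroX. It puts the sprintf("%d") pattern from the first post next to a prepared statement, and shows why AeroX's backtick rule for identifiers still needs an allow-list, because table and column names cannot be bound as parameters. It assumes PHP 7.1+ with the pdo_sqlite driver and uses an in-memory SQLite database with a constructed `companions` table (columns `companion_id`, `name`) so it runs without a MySQL server.

```php
<?php
// Added example (not from the original thread). Uses an in-memory SQLite database
// via PDO so it runs offline; the table, columns and rows below are constructed.

function makeDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE companions (companion_id INTEGER PRIMARY KEY, name TEXT)");
    $db->exec("INSERT INTO companions VALUES (1, 'Alice'), (2, 'Bob')");
    return $db;
}

// Variant 1: the sprintf("%d") idea from the first post.
// is_integer() is false for a string such as "7" coming from $_GET, so a strict
// type check must be paired with an explicit validation + cast step.
function getCompanionSprintf(PDO $db, $id): ?array {
    if (!is_integer($id)) {
        if (!ctype_digit((string)$id)) {
            return null;            // reject anything that is not a plain decimal number
        }
        $id = (int)$id;
    }
    // %d renders the value as a decimal integer, so the generated SQL can never
    // contain attacker-controlled text, regardless of what $id originally was.
    $sql = sprintf("SELECT * FROM companions WHERE companion_id = %d LIMIT 1", $id);
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Variant 2: a prepared statement. The value travels separately from the SQL
// text, so quoting or casting is not what protects the query.
function getCompanionPrepared(PDO $db, $id): ?array {
    $stmt = $db->prepare("SELECT * FROM companions WHERE companion_id = :id LIMIT 1");
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Identifiers (table/column names) cannot be bound as parameters, and backticks
// alone do not make a caller-supplied name safe. Accept only names from a fixed
// allow-list, then quote them in the style AeroX describes.
function selectByColumn(PDO $db, string $column, $value): array {
    $allowed = ['companion_id', 'name'];      // constructed allow-list for the demo table
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unknown column");
    }
    $stmt = $db->prepare("SELECT * FROM `companions` WHERE (`$column` = :v);");
    $stmt->execute([':v' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDemoDb();
var_dump(getCompanionSprintf($db, "2"));          // numeric string, as from $_GET
var_dump(getCompanionSprintf($db, "2 OR 1=1"));   // fails ctype_digit, never reaches SQL
var_dump(getCompanionPrepared($db, "1 OR 1=1"));  // (int) cast keeps only the leading 1
var_dump(selectByColumn($db, 'name', 'Alice'));   // allow-listed identifier, bound value
```

The sprintf("%d") pattern is sound for integer columns as long as the cast actually happens; the prepared statement is the general answer because it works for strings, dates and every other type without per-type formatting. The allow-list in selectByColumn is the piece that quoting rules cannot replace: placeholders bind values, never identifiers, so any dynamic table or column name has to be checked against a list the application controls.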
