is_numeric is it safe to do SELECT?

0

I'm developing an application with PDO, and I usually use bindValue() to run SELECTs, but I'm developing an application that gets a variable that contains commas and numbers, which will be exploded later.

What I wanted to know is: is this way safe against attacks? If not, how would these attacks be carried out?

$categories = '10,12,22,123,120'; # THESE ARE THE IDS OF THE DESIRED CATEGORIES
$category = explode(',', $categories);
for ($i = 0; $i < count($category); $i++) {
    if (is_numeric($category[$i])) {
        // the value is interpolated straight into the SQL string
        $this->condition .= "categoryName = '{$category[$i]}'";
        if ($i < count($category) - 1) {
            $this->condition .= ' AND ';
        }
    }
}
    
asked by anonymous 18.12.2017 / 15:17

1 answer

0

Since it is only a number, I do not think it is possible to make an attack with SQL Injection, but for any doubt you can do this using bindValue(). Just use named parameters:

$categories = '10,12,22,123,120';
$category = explode(',', $categories);
for ($i = 0; $i < count($category); $i++) {
    if (is_numeric($category[$i])) {
        // one named placeholder per value; the value itself never enters the SQL text
        $this->condition .= "categoryName = :category{$i}";
        if ($i < count($category) - 1) {
            $this->condition .= ' AND ';
        }
    }
}
$query = $sua_conexao_pdo->prepare($variavel_com_select." ".$this->condition);
for ($i = 0; $i < count($category); $i++) {
    if (is_numeric($category[$i])) {
        // bind each value to its placeholder as an integer
        $query->bindValue(":category{$i}", $category[$i], PDO::PARAM_INT);
    }
}
$query->execute();
    
18.12.2017 / 15:26
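An added example, not the asker's or the answerer's code, that carries the answer's named-parameter idea a step further: it validates each element with filter_var(FILTER_VALIDATE_INT) instead of is_numeric (which also accepts "1e3", " 10" or "1.5"), builds an IN (...) list so a row matches any of the listed ids, binds every value, and guards against an empty list. The $pdo connection, the products table, its categoryName column and the request parameter are assumptions.

```php
<?php
// Added example (not from the question or answer above). Assumes a PDO
// connection $pdo and a table "products" with a category id column "categoryName".
declare(strict_types=1);

/**
 * Turn a comma-separated id list into [sqlFragment, params] for a prepared IN (...).
 * Only strict integers pass: is_numeric() would also accept "1e3", " 10" and "1.5".
 */
function buildCategoryFilter(string $categories): array
{
    $ids = [];
    foreach (explode(',', $categories) as $raw) {
        $id = filter_var(trim($raw), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[] = $id;
        }
    }
    if ($ids === []) {
        // No valid id at all: a condition that matches nothing, instead of "IN ()" (a syntax error).
        return ['1 = 0', []];
    }
    $placeholders = [];
    $params = [];
    foreach (array_values(array_unique($ids)) as $i => $id) {
        $placeholders[] = ":category{$i}";
        $params[":category{$i}"] = $id;
    }
    return ['categoryName IN (' . implode(', ', $placeholders) . ')', $params];
}

// Usage: the untrusted string comes from the request; only validated ints reach the driver, as bound values.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares where the driver supports them
[$condition, $params] = buildCategoryFilter($_GET['categories'] ?? '');
$stmt = $pdo->prepare("SELECT id, name FROM products WHERE {$condition}");
foreach ($params as $name => $value) {
    $stmt->bindValue($name, $value, PDO::PARAM_INT);
}
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

With emulated prepares left on, PDO would instead quote each bound value client-side before sending the query; the values still never take part in the SQL text you wrote, but turning emulation off gives you real server-side prepared statements.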