I've been asked to handle a security issue for a site which was set up by another programmer. As of yet, I haven't seen any of the code, so I'm going off of assumptions a
Yes, mysql_real_escape_string() will escape any potentially hazardous characters. If you know that the arguments are numeric, it would not hurt to verify this as well using is_numeric().
You should also look at mysql::prepare -- This will ensure that only 1 statement is executed, and prevent additional SQL vulnerabilities.
That function should be fine - your variables are inside single quotes in the SQL statement, and any single or double quotes will be escaped.
This means that none of the variables can "break out" of the statement.
If ID and PID are integer fields, why not cast them to int?
That way, you are sure to have a number, and no SQL injection:
$pid = (int) $pid;
$id = (int) $id;
Skip the old mysql_* stuff if you can and use PDO.
$pdo = new PDO('mysql:host=localhost;dbname=whatever', $username, $password);
$statement = $pdo->prepare('SELECT * FROM table WHERE pid=:pid AND ID=:id');
$statement->bindParam(':pid', $_GET['pid']);
$statement->bindParam(':id', $_GET['id']);
$statement->execute(); // execute() returns true/false, not a result set
var_dump($statement->fetchAll()); // the rows are fetched from the statement itself
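An added example (not code from the question or any of the answers) that puts the two pieces of advice together: validate the ids as integers first, then send them as typed bound parameters through PDO so the values never become part of the SQL text. The host, database name, table name `items` and column names are placeholders.

```php
<?php
declare(strict_types=1);

function connect(string $user, string $pass): PDO
{
    // Placeholder DSN; charset is set so escaping/binding uses the right encoding.
    return new PDO('mysql:host=localhost;dbname=whatever;charset=utf8mb4', $user, $pass, [
        // Throw on SQL errors instead of silently returning false.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Let the MySQL server prepare the statement rather than emulating it client-side.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Reject anything that is not a whole number >= 1 before it gets near the
// database. Returns null for input such as "1 OR 1=1", "12abc" or "".
function parseId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Looks up one row by (pid, id). Returns null for bad input or no match.
function findRow(PDO $pdo, mixed $rawPid, mixed $rawId): ?array
{
    $pid = parseId($rawPid);
    $id  = parseId($rawId);
    if ($pid === null || $id === null) {
        return null; // bad input: do not run the query at all
    }

    // Placeholder table `items`; the values are bound, not interpolated.
    $stmt = $pdo->prepare('SELECT * FROM items WHERE pid = :pid AND ID = :id');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->bindValue(':id',  $id,  PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Usage: the values come straight from the request, as in the question.
// $row = findRow(connect('user', 'pass'), $_GET['pid'] ?? '', $_GET['id'] ?? '');
```

Because the parameters are typed as integers and validated up front, a value like `1 OR 1=1` is rejected before the query runs, and even a value that slipped through could only ever be compared as a number, never parsed as SQL.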
That should be fine, but I'd always recommend using prepared statements.