{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 我命由我不由天 的问题《SQL injection | Changing id values》','https://www.manongdao.com/q-1050825.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm stuck with an sql injection problem. My page displays the table's data as follows:
<input type="checkbox" name="id[]" value="<?php echo $row['id']; ?>" /><?php echo $row['data']; ?><br />
How can I be sure that the submitted value is the id of this specific row an not a random number "injected" in the page?
Obviously, I would start checking that the id returns true to is_numeric() / get it through mysql_real_escape_string().
Then, I thought of two options:
Adding a hidden input with a copy of the $row['data'] so that I can check the correspondence between the id and the data before any
mysql_query()Changing the row's id from an auto incremented number to a large random number, so that I could lower the chance of a lucky hit.
Do I have it wrong? Any better idea? Thanks for your help!
You can't. Both of your options are fundamentally flawed as well:
Instead of worrying about how the user sent the data, you should worry whether the data is valid and whether the user has permission for the given action.
Also,
is_numericis not my favorite as it will returntruefor hex and exponential notation. I'd recommend checking withctype_digitor simply do an(int)cast, e.g.:Non-numeric strings are converted to
0and auto increment fields usually have1as the first value. In case0is a valid value you'll need to tweak the code above, e.g.:Afterwards, check whether the given ID exists in your DB. Do the proper permission checks and that's it.
It doesn't matter how your server got the data, what matters is the data being valid and the user having permission to perform the given operation. Anything that you do in the front-end/interface can be easily changed and manipulated by a hacker or any mid-experienced web developer.
Focus into restringing non-authorized access and keeping your DB integrity. It doesn't matter whether the request is being made from your page, from a tampered page or through a terminal, all the headers and posted data can be easily reproduced to look like a request being made from your page.
After all this, I'm not sure whether you can call this "SQL Injection". Your application's function requires some input which includes an integer value. Now what is left is checking whether the necessary input has been provided and is valid. All user input must be treated as unsafe and be properly validated and escaped before being throw into a query.
Also, look into PDO which handles value escaping pretty well. The
mysql_*extension andmysql_real_escape_stringfunction are deprecated and very human-error prone.As for preventing against SQL injection, the linked thread in the question's comments is a good read.