Quote:
Originally Posted by chrishirst
But the data type cannot and should not be anything.
It should match whatever the column type is that it is being inserted into. Just adding quotes around anything "just in case" so you avoid the server throwing a syntax error is very poor programming practice.
No you certainly wouldn't!
You would know what values and what types are to be inserted in to the SQL query and cast or convert the user supplied data into those types.
Failure to check types and values and/or allowing almost anything to be fed into the query opens up your code to SQL injection abuse and all manners of potential data errors.
|
Let me explain this.
I have a field in MySQL:
username VARCHAR(255)
So the username field has some text that contains max 255 characters. The size of the field is always text length bytes + 1 byte.
If I have a form that has field username, and visitor enters 43534534 in the username field it would become:
mysql_query("SELECT a FROM b WHERE username = '43534534';");
That works fine, MySQL will convert your integer to string that will work with our varchar field. Try to debug, zero errors.
PS. I love to argue with you. I always argue
EDIT: If you still don't believe in me. Tell me why phpBB enters data into MySQL without checking data type? Because it does not have to check it, data will be converted to string in all cases. You understand that putting single quotes around $variable will become always a string if we successfully protect against injections. In some cases injections can be harder to protect like in GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is 0xbf (¿) followed by 0x27 ('), and 0xbf5c is 0xbf (¿) followed by 0x5c (\). If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. I a kind of know what you think, but I think you are thinking totally different thing what I am thinking. I actually don't even care what are you trying to claim, I will always follow other scripts made by professional coders like IPS - that way I am 100% sure there is nothing going wrong. And actually nothing has ever gone wrong. My word 'ever' consists of many years.
If I have a MySQL field
userid INT(11) UNSIGNED NOT NULL AUTO_INCREMENT
I know the (11) does nothing but clears the sentence. Anyway, then we need to check that our inserted data is integer.
$userid = (int) $_GET['userid'];
---> ready to insert into DB.
That is what we need to do. But we can always use numbers as strings at database and then use numbers as numbers in PHP, ASP or whatever we are coding with.
CHRISHIRST: Let me test you, tell me is this professional MySQL coding or not:
time INT(10) UNSIGNED NOT NULL DEFAULT '0',
Let's assume we are creating a table with some columns and the above is one of those columns.
