use of .sql file and str replace userid safety issue

Questionsuse of .sql file and str replace userid safety issue
Peter Broekman asked 5 years ago

Abu,

I make use of a .sql file to have the php file lighter and have more overview, like below. In this sql I defined a string ‘varuserid’, that I replace with $userid being the user that logs in. Below actually works, but should I do this with binding the paramater for safety reasons?
see below the .sql latest part where I ‘defined’ ‘varuserid’

image.png

$sqlFEC502 = file_get_contents(“queries/FE-C50-2-Edit table People (hours time time).sql”);
$sqlFEC502 = str_replace(“varuserid”,$userid,$sqlFEC502);
$g->select_command = $sqlFEC502;

1 Answers
Peter Broekman answered 5 years ago

Hello,

Considering security perspective, every data from client side (post,get,cookie) is considered unsafe unless sanitized.
So its better to check if it contains expected range of values before using in query.

$sqlFEC502 = str_replace(“varuserid”,$userid,$sqlFEC502);

If this userid is posted from client and its numeric, so its better to do 
$userid = intval($userid);
This will either make it 0 if non-numeric data is posted.
 
If it is taken from session, then no issues.

Regards,

— Abu Ghufran

Your Answer

10 + 6 =

Login with your Social Id:

OR, enter

Attach code here and paste link in question.
Attach screenshot here and paste link in question.



How useful was this discussion?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate it.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?