PHP is_numeric function bypasses generating SQL injection

Honest mysql_real_escape_string () to prevent death ... is_numeric's SQL utilization condition is a bit harsh, but still less good = =

There are also actual cases in a CTF, please poke http://drops.wooyun.org/tips/870

First. Introduction of Is_numberic function
Domestic part of the CMS program has been useful to the Is_numberic function, we first look at the structure of this function
BOOL Is_numeric (mixed $var)
Returns TRUE if Var is a numeric and numeric string, otherwise FALSE is returned.

Second, the function is safe

Let's look at an example to see if this function is safe.

The code is as follows: $s = is_numeric ($_get[' s ')? $_get[' s ']:0;
$sql = "INSERT into test (type) values ($s);"; VALUES ($s) are not values (' $s ')
mysql_query ($sql);

The above fragment program is to determine whether the parameter S is a number, is to return a number, not to return 0, and then brought into the database query. (This will not construct the SQL statement)
We convert ' 1 or 1 ' to the value of the ' s ' parameter for the 16 binary 0x31206f722031
After the program runs, we query the database to see, such as:

If you re-query the field of this table out, do not filter into another SQL statement, will cause 2 injections.

Third. Summary
Try not to use this function, if you want to use this function, it is recommended to use the canonical SQL statement, conditional add single quotation marks, so that the 16 binary 0x31206f722031 will be displayed in the database. No 1 or 1 will appear.

Original link

PHP is_numeric function bypasses generating SQL injection