Drummin Posted May 31, 2011
Hello, I was wondering if I need to escape all GET values. I often use a $_GET variable, as in mypage.php?id=variable, to select records to view etc. I usually convert this to a variable to be used in a WHERE statement:

if (!empty($_GET['id'])) { $id = $_GET['id']; }

But what if someone tried to view all records: http://www.mypage.com/page.php?id=0';SELECT%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0 resulting in all content page data being displayed somehow. Or better yet, if visiting http://www.mypage.com/page.php?id=0';DELETE%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0 resulted in all content being deleted. Is that even possible in the context of a MySQL WHERE statement? Seems like the MySQL statement wouldn't be structured correctly and wouldn't work. I use mysqli_real_escape_string on posted content, but should I also escape all GET input?
PFMaBiSmAd Posted May 31, 2011
All string data that you put into a query must be escaped. All numerical data that you put into a query must be validated as a number or cast as a number. In the case of your id value, you probably have a query something like: SELECT * FROM your_table WHERE id = $id

If you don't validate/cast $id as a number in a query like that, it is possible to inject SQL into that query using a hexadecimal-encoded string (usually a UNION statement that outputs all the data in the table) that has absolutely no quotes in it, so that escaping the data would have no effect on the injected SQL. However, casting the value as a number would truncate the hexadecimal-encoded string and prevent the SQL injection. PHP's mysql_query function specifically doesn't support multiple queries separated by ; (because too many people don't escape/validate data being put into a query statement).
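As an added example (not code from the original thread or either poster), the PHP below puts the reply's points side by side: the unquoted-id pattern from the question, a quoteless UNION payload that an escape function leaves untouched, and the two fixes (validate/cast the id as an integer, or bind it with a mysqli prepared statement). It assumes a table named `content` with `id`, `title`, `body` and `slug` columns, a live mysqli connection for the two database-touching functions, and the mysqlnd driver for `get_result()`; the query-building functions and the demonstration at the bottom run offline from the CLI without any database.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. Escaping only neutralises
// characters such as quotes and backslashes, so a numeric id interpolated
// unquoted into a WHERE clause must be validated or cast as an integer, or,
// better, bound through a prepared statement.

// The vulnerable pattern from the question: the raw id is dropped into the SQL.
function unsafe_query(string $id): string
{
    return "SELECT id, title, body FROM content WHERE id = $id";
}

// A quoteless UNION payload of the kind the reply describes. The hex literal
// 0x25 is how MySQL spells the string '%' without a quote character, so
// mysqli_real_escape_string() would return this payload unchanged, and the
// LIKE 0x25 predicate matches every row in the table.
const PAYLOAD = '0 UNION SELECT id, title, body FROM content WHERE title LIKE 0x25';

// Fix 1: validate the id as an integer before it gets anywhere near the SQL.
// Returns null for anything that is not a positive integer (including the
// payload above) so the caller can answer 400/404 instead of querying.
function valid_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fix 1 (variant): a plain cast. (int)'0 UNION ...' is 0, so the injected tail
// is discarded; the query then looks for id = 0 and finds nothing.
function cast_query(string $id): string
{
    return unsafe_query((string) (int) $id);
}

// Fix 2: a prepared statement. The id travels as a separate bound parameter,
// so the SQL text never contains user input at all. Assumes a live mysqli
// connection (hypothetical here) and the `content` table described above.
function fetch_content(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title, body FROM content WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// String values (a slug, a search term) are where escaping applies: the value
// sits inside quotes and real_escape_string() ensures it cannot close them.
// A bound parameter is still the simpler choice; this shows the escaped form.
function slug_query(mysqli $db, string $slug): string
{
    return "SELECT id FROM content WHERE slug = '" . $db->real_escape_string($slug) . "'";
}

// Offline demonstration: php this_file.php (no database needed).
if (PHP_SAPI === 'cli') {
    echo "Unsafe:    ", unsafe_query(PAYLOAD), "\n";     // the UNION survives
    echo "Cast:      ", cast_query(PAYLOAD), "\n";       // ... WHERE id = 0
    echo "Validated: ", var_export(valid_id(PAYLOAD), true), "\n"; // NULL
    echo "Validated: ", var_export(valid_id('42'), true), "\n";    // 42
}
```

Running it prints the full UNION query for the unsafe builder, `WHERE id = 0` for the cast version, and `NULL` from the validator, which is the behaviour the reply describes: the cast truncates the payload at the first non-digit, while the validator rejects it outright. For any new code, `fetch_content()` is the form to copy; the escaping shown in `slug_query()` is only for string values that genuinely sit inside quotes.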
Drummin Posted May 31, 2011 Author
Thanks PFMaBiSmAd. Looks like I've got some work to do.