0

I've a php code where I get the page number from a GET request and then run a sql query to select records from the database by the page number

$maxPerPage = 20;

$page = $_GET["p"];

$applicants = DB::query('SELECT * FROM registrees ORDER BY id DESC LIMIT 
'.$page*$maxPerPage.','.$maxPerPage);

My question is can someone inject an SQL query in this code ? and if it could happen, I need examples of the sql-injection that can run here.

The problem here that the $page is multiplied with $maxPerPage if I tried to add any string in $page php will throw this error A non-numeric value encountered.

Any ideas ?

Improve this question
3
  • 1
    The answer looks obvious enough that I assume this is a homework problem. Commented Nov 23, 2019 at 15:51
  • 1
    Regardless of whether or not there is an injection point, why wouldn't you use prepared queries? You are basically asking "do I have to do this the safe way?" Never ask that question. Always default to the safe way and then only change tactics when absolutely necessary and you have clearly proven it safe. Also, in the meantime, why not convert $page to an int? Commented Nov 23, 2019 at 23:59
  • 3
    Also, letting your system generate an error when presented with unexpected input is not a reasonable choice under any circumstances. Commented Nov 24, 2019 at 0:00

1 Answer 1

Reset to default
3

The code in its current status is not running if $page is a string, so if you can't parse unexpected data, then it's not injectable. Even encoded commands would require the ability to parse more than just numerical data.

Improve this answer
0

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.