10

Below is the following pseudo-code:

public  updated(int id) {

  // Note that variable **id** is not surrounded by single/double quotes. 

  sql = "Update table user set status=2 where user_id=**id** ";  

  // execute command
}

Is this vulnerable to SQL injection ( Arithmetic SQL injection perhaps) ?

Arminius
  • 44,770
  • 14
  • 145
  • 139
GearLab
  • 139
  • 1
  • 1
  • 5
  • 2
    No, SQL injection is not possible in this case – paj28 Nov 11 '16 at 12:36
  • 4
    As long as this is a language which enforces types, it should be safe. If the "int" is considered a type hint which can be ignored, might not be. However, this would be unusual... – Matthew Nov 11 '16 at 13:12
  • 4
    While this isn't vulnerable, I'd still ditch this style of building queries in favour of parameterized queries. – CodesInChaos Nov 11 '16 at 13:14

2 Answers2

9

No, your query expects an integer and is guaranteed to get one. An SQL injection vulnerability only emerges when an attacker can supply unexpected data that would alter the query. Different integers don't influence the syntax. But as soon as you stop enforcing the type it becomes unsafe.

As @CodesInChaos remarked, if you are the author of this snippet you should consider using parametrized queries instead. That way the supplied type becomes irrelevant which is easier to audit and harder to break by accident.

Arminius
  • 44,770
  • 14
  • 145
  • 139
0

There are no known techniques for performing SQL injections via integers. But note that non-integer numbers are vulnerable to SQL injection in some cases via Lateral SQL Injection. Its not clear if integers will remain safe forever.

As other answers have mentioned - use parameterized queries even for numbers and dates.

Egret
  • 446
  • 3
  • 6