I know you are supposed to prepare all SQL statements that the user has influence over; this question is more to see whether you can also have a SQL query that the user can change, but where you handle the errors differently.
The code which is SQL injectable:
```php
// Guard: the parameter must be set, cast to a non-zero int, and pass is_numeric().
if (isset($_GET['delete']) && (int)$_GET['delete'] && is_numeric($_GET['delete'])) {
    // The raw request value is concatenated straight into the SQL text.
    $query = $handler->query('SELECT * FROM portfolio WHERE id =' . $_GET['delete']);
} else {
    echo 'Error';
}
```
Would the SQL query be safe from injection due to the if statement around it, or is there still some way of injecting it?
This is purely for research and it is obviously not in any real live website.
This is how the code looks when it is prepared, just to show that I am not asking how to prepare:
```php
// Same guard as above, but the value is passed as a bound parameter.
if (isset($_GET['delete']) && (int)$_GET['delete'] && is_numeric($_GET['delete'])) {
    $query = $handler->prepare('SELECT * FROM portfolio WHERE id = :id');
    // PDO sends the value separately from the SQL text.
    $query->execute([
        ':id' => $_GET['delete'],
    ]);
} else {
    echo 'Error';
}
```
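As an added example (not code from the question), this PHP script runs the question's guard condition and a stricter integer check over a few constructed inputs and prints what each one would let reach the query; the function names and sample inputs are my own.

```php
<?php
// Added example (not code from the question): compares the question's guard
// with a strict integer check on constructed inputs. Names and inputs are my own.

// The exact condition used in the question, minus the isset() part.
function questionGuardPasses(string $value): bool
{
    return (int)$value && is_numeric($value);
}

// Stricter alternative: FILTER_VALIDATE_INT only accepts an integer literal
// (no decimal point, exponent or letters) and returns it as a real int, so
// whatever survives can be bound as an id without further interpretation.
function strictPositiveId(string $value): ?int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed inputs: a plain id, a decimal, an exponent form, a padded and
// a negative number, a hex-looking string and plain text.
$samples = ['7', '1.5', '1e3', ' 7', '-2', '0x1A', 'seven'];

printf("%-8s %-11s %-40s %s\n", 'input', 'is_numeric', 'SQL text if the question guard passes', 'strict id');
foreach ($samples as $value) {
    $sql = questionGuardPasses($value)
        ? 'SELECT * FROM portfolio WHERE id =' . $value // same concatenation as the question
        : '(rejected by guard)';
    $strict = strictPositiveId($value);
    printf(
        "%-8s %-11s %-40s %s\n",
        var_export($value, true),
        is_numeric($value) ? 'true' : 'false',
        $sql,
        $strict === null ? 'rejected' : (string)$strict
    );
}
```

Run it with `php` on the command line; the middle column shows that the question's guard still lets non-integer numeric forms into the SQL text, while the last column shows what the strict check keeps.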