I'm working on identifying and fixing SQL injection holes. I've made the conversion to PDO/prepared statements in a number of places.
However, we have one page that looks like this:
www.site.com/domain/products/12345/description-of-the-product
In htaccess, this is rewritten to:
www.site.com/domain/product.php?id=12345
The htaccess looks like this:
RewriteRule ^(.*)/products/([0-9]+)/([^/\.]+)/?$ /$1/product.php?id=$2 [L]
So, here's my question: Since the URL is being rewritten with mod_rewrite, which is only matching against integers, is this some protection against SQL injections? If you try anything else in the URL besides an integer, the user just gets a 404 error since the page doesn't exist and the mod_rewrite didn't get activated?
Thanks in advance.
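The rewrite rule above only governs requests that match the pretty-URL pattern; a request sent straight to /domain/product.php?id=... never passes through that regex, so the integer match in .htaccess is not a control the script can rely on. The following product.php is an added example (not the asker's code) that does the validation and the PDO prepared statement inside the script itself, so the outcome is the same whichever URL form the request arrived by. The table name `products`, its columns, and the DSN/credentials are assumptions.

```php
<?php
// Added example, not the original page's code: product.php that validates
// and parameterizes the id itself instead of trusting the .htaccess rewrite.
// The rewrite only rewrites /<dir>/products/<id>/<slug>; a client can still
// request /<dir>/product.php?id=... directly, bypassing the regex entirely.

declare(strict_types=1);

/**
 * Accept the id only if it is a plain decimal integer, the same constraint
 * the rewrite rule's [0-9]+ imposes, applied regardless of request path.
 * Anything else (empty, non-numeric, absurdly long) yields null.
 */
function parseProductId($raw): ?int
{
    if (!is_string($raw) || preg_match('/^[0-9]{1,10}$/', $raw) !== 1) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/**
 * Fetch one product with a prepared statement. The id is bound as an
 * integer parameter and never concatenated into the SQL text.
 * (Table and column names are assumptions for this example.)
 */
function fetchProduct(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, name, description FROM products WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// DSN, user and password are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

$id = parseProductId($_GET['id'] ?? null);
if ($id === null) {
    // Same user-visible result as the rewrite failing to match: a 404.
    http_response_code(404);
    exit('Not found');
}

$product = fetchProduct($pdo, $id);
if ($product === null) {
    http_response_code(404);
    exit('Not found');
}

// Encode on output so stored data cannot inject HTML into the page.
header('Content-Type: text/html; charset=utf-8');
echo '<h1>' . htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<p>' . htmlspecialchars($product['description'], ENT_QUOTES, 'UTF-8') . '</p>';
```

With this in place the .htaccess rule is purely a URL-shape convenience: whether a request comes in as /domain/products/12345/some-slug or as /domain/product.php?id=12345, the same integer check and the same bound parameter apply, and a non-integer id produces a 404 from the script rather than from mod_rewrite.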