It is assumed that the cast user data to a numeric type is fully protected from SQL injection vulnerabilities.
Look at a simple example:
// User-controlled action number; only an (int) cast is applied before it reaches the query.
$action=$_GET['do'];
// The column name is built as "role".(int)$action, the id from the session is cast the same way.
$r=$db->query("select role".((int)$action)." from users where id=".((int)$_SESSION['user_id']));
if($row=$r->fetchArray()){
    // Authorization check: the selected column must evaluate to exactly 1.
    if((int)$row[0]!==1){
        die('permission denied');
    }else{
        doAction($action);
    }
}
This code looks protected against SQLi, but it is not.
Do not forget two obvious facts:
1. Minus is an SQL operator
2. Numbers can be negative
Now it's easy to understand the SQL logic in this case (without injection):
select role0 from users where id=0
And the SQL injection attack vector in this case (do=-1 survives the (int) cast unchanged):
select role-1 from users where id=0
In our example the attacker can bypass auth: the selected value is now the arithmetic expression role - 1, not the role0 column.
This example requires that the users table has both a role column and a role0 column.
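The same string construction next to a hardened form, as an added example in Python against an in-memory SQLite database (not the original post's PHP code). The users table layout (id, role, role0) and its rows are constructed to match the post's assumptions.

```python
import sqlite3

# Constructed sample schema: a users table with both a "role" and a "role0" column.
SCHEMA = """
create table users (id integer primary key, role integer, role0 integer);
insert into users values (1, 2, 0);
"""

# Only the role indexes the application actually has are acceptable.
ALLOWED_ROLES = {0: "role0"}


def unsafe_query(action, user_id):
    """Mirrors the post's construction: int() does not strip a leading minus sign."""
    return "select role" + str(int(action)) + " from users where id=" + str(int(user_id))


def safe_query(action, user_id):
    """Hardened form: map the action index to a whitelisted column name and
    bind the id as a parameter instead of concatenating it into the SQL."""
    n = int(action)
    if n not in ALLOWED_ROLES:
        raise ValueError("unknown action %r" % action)
    return "select %s from users where id=?" % ALLOWED_ROLES[n], (int(user_id),)


def permitted(conn, sql, params=()):
    """The post's check: the selected value must be exactly 1."""
    row = conn.execute(sql, params).fetchone()
    return row is not None and int(row[0]) == 1


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # do=0 on the unsafe path reads role0 = 0: permission denied, as intended.
    unsafe_legit = permitted(conn, unsafe_query("0", "1"))
    # do=-1 on the unsafe path builds "select role-1 from users where id=1",
    # which evaluates role - 1 = 1 and passes the check.
    unsafe_neg = permitted(conn, unsafe_query("-1", "1"))
    # The hardened path rejects -1 before any SQL is built.
    try:
        safe_query("-1", "1")
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    sql, params = safe_query("0", "1")
    safe_legit = permitted(conn, sql, params)
    return unsafe_legit, unsafe_neg, safe_rejected, safe_legit
```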