<?php

//--------------------------------------------------
// Demo: build the same kind of SQL string in several ways and dump what
// is_trusted() reports for each result.
//
// Compatibility shim, needed only while the function is being renamed:
// is_trusted() forwards to is_literal(). is_literal() is not defined
// anywhere in this script, so it must come from the PHP build under test
// (presumably an is_literal RFC build - confirm). On a build without it,
// the first is_trusted() call fails with an undefined-function error.

if (!function_exists('is_trusted')) {
    function is_trusted($value) {
        return is_literal($value);
    }
}

//--------------------------------------------------
// Test data. trim() stands in for "a value produced at runtime": its result
// is returned by a function call, not written as a literal in the source.

$limit = trim(' 100 '); // Not trusted: runtime-derived string

// Simulated request input: element 0 is a runtime-derived string, elements
// 1 and 2 are integer literals.
$_GET['ids'] = [trim(' 1 '), 2, 3];

// Baseline: show the runtime-derived element and what is_trusted() says about it.
var_dump($_GET['ids'][0], is_trusted($_GET['ids'][0]));

$ids_untrusted = ( $_GET['ids'] ?? [] );

// Integer-cast copy: every element becomes an int, so the joined list cannot
// carry SQL syntax. Caveats for real request data: intval() maps a nested
// array (e.g. ids[0][]=x) to 0 or 1 instead of rejecting it, and an empty
// list later produces "IN ()", which many databases reject - validate the
// shape and handle the empty case before building the query.
$ids_trusted = array_map( 'intval', $ids_untrusted );

//--------------------------------------------------
// Case 1 (the mistake): request values are concatenated into the SQL text
// unchanged. This is the SQL injection pattern the check is meant to expose;
// the safe alternatives are bound parameters or the integer-cast list below.

$sql = 'SELECT * FROM foo WHERE id IN (' . implode( ',', $ids_untrusted ) . ')'; // Whoops

var_dump($sql, is_trusted($sql));

//--------------------------------------------------
// Case 2: same concatenation, but with the integer-cast list. Whether
// is_trusted() accepts it depends on how the implementation treats integers
// and implode() - that is what this dump shows.

$sql = 'SELECT * FROM foo WHERE id IN (' . implode( ',', $ids_trusted ) . ')';

var_dump($sql, is_trusted($sql));

//--------------------------------------------------
// Case 3: integer-cast list inserted through sprintf() with %s instead of
// the concatenation operator.

$sql = sprintf( 'SELECT * FROM foo WHERE id IN (%s)', implode( ',', $ids_trusted ) );

var_dump($sql, is_trusted($sql));

//--------------------------------------------------
// Case 4: single runtime-derived value, cast with (int) and formatted with
// %d, so only digits (and a possible sign) can reach the SQL text.

$sql = sprintf( 'SELECT * FROM foo LIMIT %d', (int)$limit );

var_dump($sql, is_trusted($sql));

?>
