sanitize this?

[n8w]

do I need to sanitize this? is $_SERVER['QUERY_STRING']; hackable?

 

$myvar=$_SERVER['QUERY_STRING'];

 

[conker87]

I guess in theory someone could add random bits of php into a query. So I guess so.

 

Use $_GET anyway.

[n8w]

well ... the reason I ask is because I need to figure out the pagination base on the query ... so I actually need to use the same query ... but I want to make sure there is not a chance to highjack this variable $_SERVER['QUERY_STRING']

[conker87]

Are you using the page number in the query for your pagination? If you are, then you can use $_GET

[n8w]

I am using it ... the reason I prefer to use $_SERVER vs. $_GET is because there are another parameters that I want to capture so I can do that more easily $_SERVER['QUERY_STRING'] but I just want to make sure its not hackable like $_GET is

[conker87]

$_GET isn't hackable if you take the correct precautions. mysql_real_escape_string is all you need.

 

$_GET will be a lot easier in the long run. You'll have to strip and separate the QUERY_STRING, with $_GET you got it already.