n8w Posted June 17, 2008 Share Posted June 17, 2008 do I need to sanitize this? is $_SERVER['QUERY_STRING']; hackable? $myvar=$_SERVER['QUERY_STRING']; Quote Link to comment Share on other sites More sharing options...
conker87 Posted June 17, 2008 Share Posted June 17, 2008 I guess in theory someone could add random bits of php into a query. So I guess so. Use $_GET anyway. Quote Link to comment Share on other sites More sharing options...
n8w Posted June 17, 2008 Author Share Posted June 17, 2008 well ... the reason I ask is because I need to figure out the pagination base on the query ... so I actually need to use the same query ... but I want to make sure there is not a chance to highjack this variable $_SERVER['QUERY_STRING'] Quote Link to comment Share on other sites More sharing options...
conker87 Posted June 17, 2008 Share Posted June 17, 2008 Are you using the page number in the query for your pagination? If you are, then you can use $_GET Quote Link to comment Share on other sites More sharing options...
n8w Posted June 17, 2008 Author Share Posted June 17, 2008 I am using it ... the reason I prefer to use $_SERVER vs. $_GET is because there are another parameters that I want to capture so I can do that more easily $_SERVER['QUERY_STRING'] but I just want to make sure its not hackable like $_GET is Quote Link to comment Share on other sites More sharing options...
conker87 Posted June 17, 2008 Share Posted June 17, 2008 $_GET isn't hackable if you take the correct precautions. mysql_real_escape_string is all you need. $_GET will be a lot easier in the long run. You'll have to strip and separate the QUERY_STRING, with $_GET you got it already. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.