webref.eu Posted August 9, 2008 Share Posted August 9, 2008 If I'm doing this: $ProductId = $_GET['ProductId']; which will populate a hidden field in my "Add a Review" form, and then get inserted into the Reviews table of my database in the ProductId field, what do I need to do to make sure I have cleaned the querystring? I will be using mysql_real_escape_string when inserting into the database, so do I have to do anything more than this?? Thanks all. Link to comment https://forums.phpfreaks.com/topic/118941-solved-clean-a-get-querystring/ Share on other sites More sharing options...
rawb Posted August 9, 2008 Share Posted August 9, 2008 I use htmlentities as well to make sure nobody tried to insert any javascript or html. Also be sure to quote your values in the query (I.E. "INSERT INTO table (productId, something) VALUES ('$quote', '$these')"). Link to comment https://forums.phpfreaks.com/topic/118941-solved-clean-a-get-querystring/#findComment-612441 Share on other sites More sharing options...
cooldude832 Posted August 9, 2008 Share Posted August 9, 2008 best way to do is to requery your products table to verify the Id and then insert if match i.e <?php $id = $_GET['id']; $q = "select id from `products` where id = '".mysql_real_escape_string($id)."'"; $r = mysql_query($q) or die(mysql_error()."<br /><br />".$q); if(mysql_num_rows($r) >0){ #valid id insert } else{ #id wasn't found don't insert } ?> I use htmlentities as well to make sure nobody tried to insert any javascript or html. Also be sure to quote your values in the query (I.E. "INSERT INTO table (productId, something) VALUES ('$quote', '$these')"). You need to make sure anything going into or being checked aganist mysql is escaped properly also thus mysql_real_escape_string does this. Link to comment https://forums.phpfreaks.com/topic/118941-solved-clean-a-get-querystring/#findComment-612445 Share on other sites More sharing options...
Fadion Posted August 10, 2008 Share Posted August 10, 2008 As stated also in the manual, a good way to write queries is using sprintf(), by also escaping input with mysql_real_escape_string(). <?php $id = $_GET['id']; $sql = sprintf("SELECT title FROM pages WHERE id=%s", mysql_real_escape_string($id)); ?> It will work exactly as suggested by cooldude832, its just (imo) a nice way of writting queries. Link to comment https://forums.phpfreaks.com/topic/118941-solved-clean-a-get-querystring/#findComment-612642 Share on other sites More sharing options...
webref.eu Posted August 10, 2008 Author Share Posted August 10, 2008 Thanks everybody for your suggestions. cooldude832 querying the database is a great suggestion, thanks. Link to comment https://forums.phpfreaks.com/topic/118941-solved-clean-a-get-querystring/#findComment-612886 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.