Jump to content

[SOLVED] Clean a Get Querystring


webref.eu

Recommended Posts

If I'm doing this:

 

$ProductId = $_GET['ProductId'];

 

which will populate a hidden field in my "Add a Review" form, and then get inserted into the Reviews table of my database in the ProductId field, what do I need to do to make sure I have cleaned the querystring? 

 

I will be using mysql_real_escape_string when inserting into the database, so do I have to do anything more than this??

 

Thanks all.

Link to comment
https://forums.phpfreaks.com/topic/118941-solved-clean-a-get-querystring/
Share on other sites

best way to do is to requery your products table to verify the Id and then insert if match

 

i.e

<?php
$id  = $_GET['id'];
$q = "select id from `products` where id = '".mysql_real_escape_string($id)."'";
$r = mysql_query($q) or die(mysql_error()."<br /><br />".$q);
if(mysql_num_rows($r) >0){
#valid id insert
}
else{
#id wasn't found don't insert
}
?>

 

I use htmlentities as well to make sure nobody tried to insert any javascript or html.  Also be sure to quote your values in the query (I.E. "INSERT INTO table (productId, something) VALUES ('$quote', '$these')").

 

You need to make sure anything going into or being checked aganist mysql is escaped properly also thus mysql_real_escape_string does this.

 

As stated also in the manual, a good way to write queries is using sprintf(), by also escaping input with mysql_real_escape_string().

 

<?php
$id = $_GET['id'];
$sql = sprintf("SELECT title FROM pages WHERE id=%s", mysql_real_escape_string($id));
?>

 

It will work exactly as suggested by cooldude832, its just (imo) a nice way of writting queries.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.