webref.eu Posted August 9, 2008 Share Posted August 9, 2008 If I'm doing this: $ProductId = $_GET['ProductId']; which will populate a hidden field in my "Add a Review" form, and then get inserted into the Reviews table of my database in the ProductId field, what do I need to do to make sure I have cleaned the querystring? I will be using mysql_real_escape_string when inserting into the database, so do I have to do anything more than this?? Thanks all. Quote Link to comment Share on other sites More sharing options...
rawb Posted August 9, 2008 Share Posted August 9, 2008 I use htmlentities as well to make sure nobody tried to insert any javascript or html. Also be sure to quote your values in the query (I.E. "INSERT INTO table (productId, something) VALUES ('$quote', '$these')"). Quote Link to comment Share on other sites More sharing options...
cooldude832 Posted August 9, 2008 Share Posted August 9, 2008 best way to do is to requery your products table to verify the Id and then insert if match i.e <?php $id = $_GET['id']; $q = "select id from `products` where id = '".mysql_real_escape_string($id)."'"; $r = mysql_query($q) or die(mysql_error()."<br /><br />".$q); if(mysql_num_rows($r) >0){ #valid id insert } else{ #id wasn't found don't insert } ?> I use htmlentities as well to make sure nobody tried to insert any javascript or html. Also be sure to quote your values in the query (I.E. "INSERT INTO table (productId, something) VALUES ('$quote', '$these')"). You need to make sure anything going into or being checked aganist mysql is escaped properly also thus mysql_real_escape_string does this. Quote Link to comment Share on other sites More sharing options...
Fadion Posted August 10, 2008 Share Posted August 10, 2008 As stated also in the manual, a good way to write queries is using sprintf(), by also escaping input with mysql_real_escape_string(). <?php $id = $_GET['id']; $sql = sprintf("SELECT title FROM pages WHERE id=%s", mysql_real_escape_string($id)); ?> It will work exactly as suggested by cooldude832, its just (imo) a nice way of writting queries. Quote Link to comment Share on other sites More sharing options...
webref.eu Posted August 10, 2008 Author Share Posted August 10, 2008 Thanks everybody for your suggestions. cooldude832 querying the database is a great suggestion, thanks. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.