[SOLVED] Clean a Get Querystring

[webref.eu]

If I'm doing this:

 

$ProductId = $_GET['ProductId'];

 

which will populate a hidden field in my "Add a Review" form, and then get inserted into the Reviews table of my database in the ProductId field, what do I need to do to make sure I have cleaned the querystring? 

 

I will be using mysql_real_escape_string when inserting into the database, so do I have to do anything more than this??

 

Thanks all.

[rawb]

I use htmlentities as well to make sure nobody tried to insert any javascript or html.  Also be sure to quote your values in the query (I.E. "INSERT INTO table (productId, something) VALUES ('$quote', '$these')").

[cooldude832]

best way to do is to requery your products table to verify the Id and then insert if match

 

i.e

<?php
$id  = $_GET['id'];
$q = "select id from `products` where id = '".mysql_real_escape_string($id)."'";
$r = mysql_query($q) or die(mysql_error()."<br /><br />".$q);
if(mysql_num_rows($r) >0){
#valid id insert
}
else{
#id wasn't found don't insert
}
?>

 

I use htmlentities as well to make sure nobody tried to insert any javascript or html.  Also be sure to quote your values in the query (I.E. "INSERT INTO table (productId, something) VALUES ('$quote', '$these')").

 

You need to make sure anything going into or being checked aganist mysql is escaped properly also thus mysql_real_escape_string does this.

 

[Fadion]

As stated also in the manual, a good way to write queries is using sprintf(), by also escaping input with mysql_real_escape_string().

 

<?php
$id = $_GET['id'];
$sql = sprintf("SELECT title FROM pages WHERE id=%s", mysql_real_escape_string($id));
?>

 

It will work exactly as suggested by cooldude832, its just (imo) a nice way of writting queries.

[webref.eu]

Thanks everybody for your suggestions.  cooldude832 querying the database is a great suggestion, thanks.