BrazilMac Posted August 16, 2008

Hello, I have managed to work redirection on a php script for specific rules, but I don't know how I can redirect someone that inputs a bad querystring or an empty one, either maliciously or by mistake. I have the following code:

    $auction_identifier = $_GET["picture"];
    $con = mysql_connect(DB_HOST, DB_USER, DB_PASS);
    mysql_select_db(DB_NAME, $con);
    $sql_sel_auct = "select * from auctions_table WHERE auction_ID = $auction_identifier";
    $result_set_auct = mysql_query($sql_sel_auct) or die(mysql_error());
    $row = mysql_fetch_array($result_set_auct);
    $auction_itemnumber = $row['auction_URL'];
    $auction_id = $row['auction_ID'];
    echo "<body onLoad=\"javascript:f.submit();\"> \n";
    echo "<form name=\"f\" method=\"post\" action=\"index.php\"> \n";
    echo "<input type=\"hidden\" name=\"r\" value=\"yes\"> \n";
    echo "<input type=\"hidden\" name=\"hiddenid\" value=\"$auction_id\">\n";
    echo "<input type=\"hidden\" name=\"hiddenitemnumber\" value=\"$auction_itemnumber\">\n";
    echo "</form> \n";
    echo "\n";

This works fine if the querystring is something like index.php?picture=somevalue. But if there is an empty string, or a bad querystring (like index.php?dsfsdfsd=sdfsdf), MySQL will throw this error:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1"

I guess it has to do with either the variable $auction_identifier being empty or the querystring being bad. How do I redirect on either one of those conditions? Thanks again!

Link to comment https://forums.phpfreaks.com/topic/119967-redirect-if-user-inputs-a-bad-querystring-how/
Gighalen Posted August 16, 2008

change

    $sql_sel_auct = "select * from auctions_table WHERE auction_ID = $auction_identifier";

to

    $sql_sel_auct = "select * from auctions_table WHERE auction_ID = '$auction_identifier'";

or do something like

    <?php
    if(is_numeric($_GET["picture"])){
        // code
    } else {
        // error
    }
    ?>
Fadion Posted August 16, 2008

Bad input should be avoided not only for appearance, but for security too. If you don't write the right code you could end up with your data destroyed, passwords taken away, etc. So:

    <?php
    $id = intval($_GET['id']); // clean input by converting it to int
    $results = @mysql_query("SELECT picture FROM album WHERE id=$id");
    if(mysql_num_rows($results) == 0){
        header('Location: pagenotfound.php');
        exit; // stop the script so nothing below runs for a missing row
    }
    // other code
    ?>

if in place of 'id' (which is numeric) you would have a string get variable:

    <?php
    $title = mysql_real_escape_string($_GET['title']);
    $results = @mysql_query("SELECT picture FROM album WHERE title='$title'");
    if(mysql_num_rows($results) == 0){
        header('Location: pagenotfound.php');
        exit;
    }
    // other code
    ?>
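Both answers above make the same two points: validate the querystring value before it goes anywhere near SQL, and redirect when it is missing or unusable. The block below is an added example written for this thread, not code posted by BrazilMac, Gighalen or Fadion, and it rewrites the original poster's page on the current PHP database API, since the mysql_* functions used in the thread no longer exist in modern PHP. It assumes the DB_HOST, DB_USER, DB_PASS and DB_NAME constants and the auctions_table columns from the first post, uses PDO with a bound parameter instead of string interpolation, and redirects to a hypothetical notfound.php both when "picture" is absent or not a positive integer and when the id is well-formed but matches no row. It also escapes the database values when echoing them into the hidden form fields, which the original code did not do.

```php
<?php
// Added example for the thread above (not the original poster's code).
// Assumptions: PDO with the MySQL driver, the DB_* constants from the first
// post, table auctions_table(auction_ID, auction_URL), and an error page
// named notfound.php (hypothetical name).
declare(strict_types=1);

/**
 * Returns the validated auction id from the query array, or null when the
 * "picture" parameter is missing, empty, non-numeric, zero or negative.
 * Examples (constructed): ['picture' => '42'] -> 42
 *                         ['picture' => '']   -> null
 *                         ['dsfsdfsd' => 'x'] -> null
 *                         ['picture' => '1 OR 1=1'] -> null
 */
function auctionIdFromQuery(array $query): ?int
{
    if (!isset($query['picture']) || !is_string($query['picture'])) {
        return null;
    }
    $id = filter_var($query['picture'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/** Sends a redirect and stops the script so no page output follows it. */
function redirectTo(string $path): void
{
    header('Location: ' . $path, true, 303);
    exit;
}

$auctionId = auctionIdFromQuery($_GET);
if ($auctionId === null) {
    redirectTo('notfound.php');   // bad, empty or missing querystring
}

$pdo = new PDO(
    'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4',
    DB_USER,
    DB_PASS,
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// The id is bound as a typed parameter; it is never concatenated into the SQL.
$stmt = $pdo->prepare(
    'SELECT auction_ID, auction_URL FROM auctions_table WHERE auction_ID = :id'
);
$stmt->bindValue(':id', $auctionId, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    redirectTo('notfound.php');   // well-formed id, but no such auction
}

// Database values are still untrusted when written into HTML attributes.
$e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
<body onload="document.forms.f.submit();">
<form name="f" method="post" action="index.php">
  <input type="hidden" name="r" value="yes">
  <input type="hidden" name="hiddenid" value="<?= $e((string) $row['auction_ID']) ?>">
  <input type="hidden" name="hiddenitemnumber" value="<?= $e((string) $row['auction_URL']) ?>">
</form>
```

The validation step alone already removes the "syntax error near ''" from the first post, because an empty or non-numeric value never reaches the query; the prepared statement is what keeps the page safe if validation is ever loosened to accept non-integer keys, and the exit after header() is what stops the rest of the page from running for a rejected request.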
BrazilMac Posted August 17, 2008 (Author)

Guys, thanks for the input, got it to work now! I love you guys!
Archived
This topic is now archived and is closed to further replies.