rondog Posted August 28, 2008
I am building a site and using $_GET to populate some pages.
/index.php?do=video&id=1,12
If I were to type in the address bar:
/index.php?do=video&id=1,' OR id = '12
It does practically the same thing! Now I know the example I provided won't really do any harm, but it opens the door to many more threats. How can I trim my id to only contain numbers since that's what really all will ever be in the id?
DarkWater Posted August 28, 2008
$id = (int) $_GET['id'];
Also, make sure to use mysql_real_escape_string anyway.
trq Posted August 28, 2008
Quote: How can I trim my id to only contain numbers since that's what really all will ever be in the id?
But your first example contains a comma?
dezkit Posted August 28, 2008
make an if statement with regex, if the $_GET["id"] has any commas, letters, or what not, display an error, and then an else statement getting the data from the database. ez pz lemon squeezy
rondog Posted August 28, 2008
Quote: How can I trim my id to only contain numbers since that's what really all will ever be in the id?
Quote: But your first example contains a comma?
right yes..numbers and commas I guess hah..instead of doing something like id1=1&id2=12 I am using the commas and exploding them to an array.
dezkit Posted August 28, 2008
    <?php
    $id = $_GET["id"];
    if (preg_match("/^[0-9]+$/", $id) > 0) {
        // mysql queries and shit
    } else {
        echo "errors";
    }
    ?>
DarkWater Posted August 28, 2008
First of all, dezkit, you forgot delimiters, and second of all, you forgot commas.
Edit: And you only allowed 1-9 and not 0. =P
/[\d,]/
dezkit Posted August 28, 2008
lol its like you love correcting my mistakes
BlueSkyIS Posted August 28, 2008
we all like correcting everyone's mistakes. that's the point, isn't it?
rondog Posted August 28, 2008
Quote:
    <?php
    $id = $_GET["id"];
    if (preg_match("/^[0-9]+$/", $id) > 0) {
        // mysql queries and shit
    } else {
        echo "errors";
    }
    ?>
cool man that seems to be working. Two questions, where in there is it allowing commas and what is the $ sign for?
DarkWater Posted August 28, 2008
rondog, use:
^/[\d,]/$
As your regex. Not the one he gave.
dezkit Posted August 28, 2008
idk why but i get an error for what you give me dw
rondog Posted August 28, 2008
Quote: ^/[\d,]/$
what does that even mean ?
kratsg Posted August 28, 2008
Quote: ^/[\d,]/$
Oddly enough, I cringe at this :-P I'm not exactly sure why the ^ and $ are on the outsides, or even why they belong in this RegEx.
Are you trying to match anything that starts with EITHER a comma or a digit?
/^[\d,]/
Are you trying to see if there is anything that is not a comma OR digit?
/[^\d,]*/
(the * meaning 0 or more times, so if there is at least one character that is not a comma or digit, it will match)
rondog Posted August 28, 2008
basically my links can route to three different areas
index.php?do=video&id=1
index.php?do=video&id=1,7
index.php?do=video&id=1,7,17
those numbers just being examples..I need to make sure that only numbers and commas are in the id string in the address bar.
dezkit Posted August 28, 2008
wait, so you DO want commas in the url???
rondog Posted August 28, 2008
yes I said that..after my first post heh
kratsg Posted August 28, 2008
Use a preg_match function. it returns either 0/1 (respectively meaning the number of matches at minimum). If it cannot find a match, it returns 0, otherwise 1 (it stops after finding one match).
    // this will look for any single character that is NOT a digit OR a comma
    // (no trailing *: with * the pattern also matches the empty string, so
    // preg_match would return 1 for every input and the check never fires)
    $pattern = "/[^\d,]/";
    if (preg_match($pattern, $_GET["id"])) {
        // at least one forbidden character was found
        die('OMFG! Someone just tried to hax0r j00!');
    }
Just insert that die function, if something's wrong, it stops the script right then and there, otherwise, it's all ez squeezy lemon peasy o_o (to quote someone)
dezkit Posted August 28, 2008
then you might wanna use
    <?php
    $id = $_GET["id"];
    // whole string must be digits and commas only
    if (!preg_match("/^[0-9\,]+$/", $id)) {
        echo "ERROR";
    } else {
        // mysql stuff
    }
    ?>
rondog Posted August 28, 2008
I respect your guys work and time on helping me out, but what is the best one to use?
dezkit's: "/^[0-9\,]+$/"
or kratsg's: "/[^\d,]*/"
They look similar, but I am having a hard time grasping what these mean..I am thinking the \d means digit so maybe its the same as 0-9?
kratsg Posted August 28, 2008
\d is called a character class: http://evolt.org/RegEx_Basics?from=50&comments_per_page=50
\d matches a digit, same as [0-9]
\D matches a non-digit, same as [^0-9]
\s matches a whitespace character (space, tab, newline, etc.)
\S matches a non-whitespace character
\w matches a word character
\W matches a non-word character
\b matches a word-boundary (NOTE: within a class, matches a backspace)
\B matches a non-wordboundary
dezkit Posted August 28, 2008
dezkit's
rondog Posted August 28, 2008
Quote:
\d is called a character class: http://evolt.org/RegEx_Basics?from=50&comments_per_page=50
\d matches a digit, same as [0-9]
\D matches a non-digit, same as [^0-9]
\s matches a whitespace character (space, tab, newline, etc.)
\S matches a non-whitespace character
\w matches a word character
\W matches a non-word character
\b matches a word-boundary (NOTE: within a class, matches a backspace)
\B matches a non-wordboundary
Ahh very helpful man. I think that link could help me out. I appreciate it guys thanks!
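A fuller version of the validation the thread converges on, added here as an example and not code from any of the posters: it anchors the pattern so the whole id list must be digits separated by commas, casts each piece to an integer, and then binds the ids into a prepared statement (PDO, used here in place of the mysql_real_escape_string approach mentioned above). The `videos` table, its `title` column and the `$pdo` connection are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Validates ?do=video&id=1,7,17 style
// input and queries with bound parameters. Table `videos`, column `title`
// and the PDO connection $pdo are assumptions for illustration.

function parseIdList(string $raw, int $max = 50): ?array
{
    // Anchored with ^ and $, so the WHOLE string must be digits separated by
    // single commas. An unanchored /[\d,]/ matches any string containing one
    // digit, and /[^\d,]*/ matches every string (zero repetitions is a match).
    if (!preg_match('/^\d+(,\d+)*$/', $raw)) {
        return null;
    }
    $ids = array_map('intval', explode(',', $raw));
    if (count($ids) > $max) {
        return null;           // cap list length to avoid huge IN (...) queries
    }
    return array_values(array_unique($ids));
}

function fetchVideos(PDO $pdo, array $ids): array
{
    // One ? placeholder per id; values are bound, never spliced into the SQL.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, title FROM videos WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the first two are the thread's own URL shapes, the
// third is the thread's injection attempt, the rest are malformed lists.
$samples = [
    '1'               => true,
    '1,7,17'          => true,
    "1,' OR id = '12" => false,
    '1,,7'            => false,
    ',1'              => false,
];
foreach ($samples as $input => $expected) {
    $accepted = parseIdList((string)$input) !== null;   // PHP int-casts numeric keys
    printf("%-18s -> %s\n", $input, $accepted ? 'accepted' : 'rejected');
    assert($accepted === $expected);
}

// In the page itself:
// $ids = parseIdList($_GET['id'] ?? '');
// if ($ids === null) { http_response_code(400); exit('bad id'); }
// $rows = fetchVideos($pdo, $ids);
```

Rejecting on the anchored pattern and then binding integers means the comma-separated convention from the first post stays usable without the quoted-string trick in that post reaching the query.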