[SOLVED] Does this data need to be made safe for a database


I have the following code which takes the ID from the URL and runs a query to select names from a database with that ID.

 

<?php
// example url = http://localhost/index.php?id=1

if (isset($_GET['id']) && is_numeric($_GET['id'])) { // id is set and is a number
    $id = $_GET_id; // Should I bother doing $id = mysql_real_escape_string($_GET_id);

    $query = "SELECT name FROM database WHERE id={$id}";
    $result = mysql_query($query);

    while ($row = mysql_fetch_assoc($result)) {
        echo $row['name'].'<br />';
    }
}
?>

 

What I need to know is: is there any point in running mysql_real_escape_string on the ID before using it in the database in this case, as if the ID is not a number the query won't be run anyway?


I think it would be good practice to do it, but that's just me. NEVER TRUST user input.

 

Just because it's not a form, it's still user input from a conceptual sense.....

 

I would like to hear other points of view on this...

 

This is wrong:

$id = $_GET_id;

 

should be

$id = $_GET['id'];

 

Using is_numeric is good enough, although I would additionally cast the value to (int).

 

Oops, I just typed it out to post on here and hadn't tested it. Yeah, I was thinking about casting to (int), or could I use is_int instead of is_numeric?

Values in $_GET are strings by default, so for index.php?ID=1

is_int($_GET['ID']); //FALSE
is_int((int)$_GET['ID']); //TRUE

 

Hey, so doing this:

 

is_int((int)$_GET['ID']); //TRUE

 

Basically that sets the value of $_GET['ID'] to an integer, right?

 

Could I also do this?

 

$string = '1';
$number = (int) $string;
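Added example (not from anyone in this thread): it runs the checks discussed above (is_numeric, is_int, an (int) cast, and filter_var with FILTER_VALIDATE_INT) over a set of constructed $_GET-style strings so you can see what each one accepts, and then does the lookup with a PDO prepared statement instead of string interpolation. The old mysql_* extension was removed in PHP 7, so the query part uses PDO against an in-memory SQLite database (assumes the pdo_sqlite extension is loaded); the table, rows and the namesForId() function are made up for the example.

```php
<?php
// Added example, not code from the thread. Sample strings below are constructed
// to mimic values arriving in $_GET, which are always strings.

$samples = ['1', ' 1', '1.5', '.5', '1e3', '12abc', 'abc', ''];

echo "How each check treats the raw string:\n";
foreach ($samples as $raw) {
    $numeric = is_numeric($raw) ? 'true' : 'false'; // accepts decimals, exponents, leading whitespace
    $isInt   = is_int($raw) ? 'true' : 'false';     // always false for a string, as noted above
    $cast    = (int) $raw;                          // lossy: '1.5' -> 1, '12abc' -> 12, 'abc' -> 0
    $strict  = filter_var($raw, FILTER_VALIDATE_INT); // false unless the string is a whole integer

    printf("%-8s is_numeric=%-5s is_int=%-5s (int)=%-5d FILTER_VALIDATE_INT=%s\n",
        var_export($raw, true), $numeric, $isInt, $cast,
        $strict === false ? 'false' : (string) $strict);
}

// Constructed in-memory database standing in for the MySQL table in the post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE names (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO names (id, name) VALUES (1, 'alice'), (2, 'bob')");

/**
 * Hypothetical helper: validate the id as a whole integer, then bind it as a
 * parameter. With a bound parameter the value never becomes part of the SQL
 * text, so no escaping step is needed at all.
 */
function namesForId(PDO $pdo, $raw): array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        return []; // reject anything that is not exactly an integer
    }

    $stmt = $pdo->prepare('SELECT name FROM names WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "\nLookups through the prepared statement:\n";
foreach (['1', '2', '1.5', 'abc', '12abc'] as $raw) {
    printf("id=%-8s -> %s\n", var_export($raw, true), json_encode(namesForId($pdo, $raw)));
}
```

The first loop is the part that answers the original question: every string is_numeric() lets through is made of digits, a sign, a decimal point, an exponent or whitespace, so interpolating it into the query cannot break out of the SQL, but it can still hand the database values like '1e3' or '1.5' that were probably not intended. FILTER_VALIDATE_INT narrows that to whole integers, and binding the value with PDO::PARAM_INT removes the question of escaping entirely, whichever check you pick.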

 
