Jump to content

is_int((int)$_GET['id']) makes id = 1 no matter what link clicked

Recommended Posts

I'm trying to make it so somebody can't do an SQL injection on my script, by using is_int and setting the $_GET['id'] to an integer with (int). Now even when the URL contains product=4 it pulls from the database as product=1. If I use is_numeric all that has to be done is include a number in the SQL injection and then is_numeric will return true.


As per the PHP manual:

'42' is numeric

'1337' is numeric

'1e4' is numeric

'not numeric' is NOT numeric

'Array' is NOT numeric

'9.1' is numeric


$sql500="SELECT * FROM $tbl_name3 WHERE product_id='$product_id' AND review_show='y' ORDER BY review_date";
$total = $total + $review_product_rating;

<div class="review_container">
<div class="review_title">'.$review_title.'</div>
<div><img src="'.$review_product_rating.'.png" alt="'.$review_product_rating.' Stars" /></div>
<div><span class="bold">By '.$review_name.' from '.$review_location.' on '.$review_date.'</span></div>
<div><span class="bold">Describe Yourself:</span> '.$review_describe.'</div>
<div><span class="bold">Best Use:</span> '.$review_best_use.'</div>
<div><span class="bold">Pros:</span> '.$review_pros.'</div>
<div><span class="bold">Cons:</span> '.$review_cons.'</div>
<div><span class="bold">Comments</span></div><div>'.$review_text.'</div>
<hr />
$i=round($a, 1);
$i=explode(".", $i);
if($decimal < 5){
$i= $decimal > 3 ? $j + .5 : $j;
$i= $decimal < 8 ? $j - .5 : $j;

$sql50="SELECT * FROM $tbl_name WHERE product_id='$product_id'";

Link to comment
Share on other sites

If you're expecting a value that consists of all decimal digits and no spaces, validate it with ctype_digit, and cast it as an integer. Some people say casting it isn't necessary after validating it, but it certainly doesn't hurt anything either.


elseif( isset($_GET['product']) && ctype_digit($_GET['product']) ) {
     $product_id = (int) $_GET['product'];

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.