
Escaping potential errors when passing variables through URL


127.0.0.1


Hello.

Suppose I am passing variables through a URL like this [b]http://www.mysite.com/index.php?article=48338[/b]. The article variable then in turn is used to make a SQL query. Obviously, any person can tamper with that parameter, changing the variable.

Currently I am escaping potential erroneous variables with the following

[code=php]
// Check that the variable exists and is not empty
if (isset($_GET['article']) && !empty($_GET['article']))
{
    // Check that the only characters passed are digits.
    // preg_match() replaces ereg(), which was removed in PHP 7.
    if (preg_match('/[^0-9]/', $_GET['article']))
        $flag_error = true;
    else
        doWhateverFunction($_GET['article']);
}
[/code]

My question is, am I doing sufficient checks? Is there a better way? Could I compact the code? I tried to merge both if-statements, however it failed to work for me.

Looks good to me. But I'm not sure if that's really guarding against anything. I'm assuming if they used something other than digits they'd get a 404 error. Or, a page id that doesn't exist would do the same. Might be wise to include some custom 404 page as another deterrent as well as protection against them looking for an open directory (no index.xxx page).

Someone else asked a similar question in how to make sure the $_GET was populated by an actual URL passing it. You might search a bit in this forum for that topic.

It's pretty good.
If you want to be sure, use mysql_real_escape_string() on every variable that is entered to the query. Don't forget to use stripslashes() if magic_quotes is set.
See more information in the manual, in mysql_real_escape_string().
(I am assuming you are using MySQL)

Orio.
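The merged check asked about in the first post, together with a query that does not need the escaping suggested above, as an added example that is not code from anyone in this thread; it assumes an `articles` table with an integer `id` column and uses an in-memory SQLite database with one constructed row so it runs offline.

```php
<?php
// Added example, not code posted in this thread. The two if-statements
// from the first post become one condition, and the id reaches the query
// as a bound parameter rather than as text pasted into the SQL string.
// Assumes an `articles` table with integer `id` and text `title` columns.

function articleIdFromQuery(array $get): ?int
{
    // isset() rejects a missing key; is_string() rejects ?article[]=1;
    // ctype_digit() rejects '' and any non-digit character. One condition
    // therefore covers both original tests. (Note that the original
    // empty() check would also have rejected the legitimate id "0".)
    if (!isset($get['article']) || !is_string($get['article'])
        || !ctype_digit($get['article'])) {
        return null;
    }
    // Cap the length so a very long digit string cannot overflow the int.
    if (strlen($get['article']) > 9) {
        return null;
    }
    return (int) $get['article'];
}

function fetchArticle(PDO $pdo, int $id): ?array
{
    // The id is bound as an integer parameter, so the SQL text never
    // contains user input and no escaping step is needed for this query.
    $stmt = $pdo->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the script runs stand-alone (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO articles VALUES (48338, 'Sample article')");

// The valid id from the thread, the "581/" case, and a few tampered values.
foreach (['48338', '581/', '48338abc', '', '99999', null] as $raw) {
    $id  = articleIdFromQuery(['article' => $raw]);
    $row = $id === null ? null : fetchArticle($pdo, $id);
    printf("%-12s => %s\n", var_export($raw, true),
        $row === null ? 'rejected or not found (404)' : 'article ' . $row['id']);
}
```

Only the first value reaches the database and matches; the others are either refused before any query runs or return no row, and the script answers both cases the same way.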

Thanks guys.

Another question though,

I am using an [tt].htaccess[/tt] file to create friendly URLs.

[code]
ErrorDocument 404 /_errors/404.shtml

RewriteEngine on
RewriteRule ^article/(.*).html /index.php?article=$1

[/code]

I managed to "break" my page by putting [tt]%2F[/tt] at the end of the variable parameter: www.mysite.com/article/581%2F.html. I do not understand this, because if I access the equivalent erroneous URL with a slash rather than [tt]%2F[/tt], www.mysite.com/article/581/.html, I receive the proper error message from my script telling me the article could not be found.

This has a peculiar result because not only does it break the script, but it renders this message:

[quote]
Not Found
The requested URL /article/581/.html was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. [/quote]

This is odd because I have defined the 404 ErrorDocument and it works with other 404 errors.

Any advice as to how I can remedy these issues?
