dsaba Posted April 2, 2007

Hey, I am doing MySQL queries based on WHERE fieldname='$_GET['variable']'. I know this is a big security risk with SQL injection etc., so I have implemented this code. I want to know if this is sufficient in protecting against any kind of XSS or SQL injection attack attempt:

```php
<?php
// Read the two GET parameters (default to '' so an unset key does not raise a notice)
$lang   = isset($_GET['lang']) ? $_GET['lang'] : '';
$userid = isset($_GET['id'])   ? $_GET['id']   : '';

// filter userid: if userid is not numeric then die()
// Note: the hyphen is placed last in the class so it is a literal '-';
// written as "=-_" it silently formed a range that also matched A-Z, [, \, ], ^.
$filteruserid = preg_match("/[A-Za-z<>;()!@#$%&*'?.,+=_~-]/", $userid);
if ($filteruserid > 0) {
    die("user not found");
}

// if lang is not lowercase a-z then die
$filterlang = preg_match("/[A-Z0-9<>;()!@#$%&*'?.,+=_~-]/", $lang);
if ($filterlang > 0) {
    die("language not found");
}
?>
```

So is that good enough? Or what else can I do? Thanks
neel_basu Posted April 2, 2007

If GPC is on and someone does this: http://ww.yourdomain.com/yourpage.php?filteruserid=0&filterlang=0 he may not harm you at all, because preg_match is overwriting it (assuming that you have checked whether lang and id is submitted). But I would suggest you paste this .htaccess file in the folder where the page is:

```
php_flag register_globals Off
```

Also do this before sending the query:

```php
mysql_real_escape_string($id)
```
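The reply above covers escaping; the approach a practitioner would actually use for the two parameters in this thread is allow-list validation plus a prepared statement, so the values never become part of the SQL text at all. This is an added example, not code from either poster; it uses PDO rather than the mysql_* extension mentioned in the reply, and the table and column names (users, id, name, lang), the language list, and the DSN and credentials are assumptions.

```php
<?php
// Added example: allow-list validation of $_GET['id'] and $_GET['lang'],
// then a PDO prepared statement. Table/column names and DSN are assumptions.

// 1. Validate by allow-list (what IS permitted), not by a deny-list regex.
//    A deny-list misses anything not in the list (whitespace, NUL, non-ASCII).
function valid_user_id($raw) {
    // Digits only, no sign, no whitespace; ctype_digit('') is false, so empty fails too.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    return (int)$raw;
}

function valid_lang($raw) {
    // Exact match against the languages the site really has (assumed list).
    $allowed = ['en', 'de', 'fr'];
    return (is_string($raw) && in_array($raw, $allowed, true)) ? $raw : null;
}

$userid = valid_user_id(isset($_GET['id'])   ? $_GET['id']   : '');
$lang   = valid_lang(isset($_GET['lang'])    ? $_GET['lang'] : '');
if ($userid === null) { die('user not found'); }
if ($lang === null)   { die('language not found'); }

// 2. Never build the query by string interpolation; the thread's
//    "WHERE fieldname='$_GET[...]'" pattern is the injection point.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, values sent separately
]);
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id AND lang = :lang');
$stmt->execute([':id' => $userid, ':lang' => $lang]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. The XSS half of the question is handled by encoding on OUTPUT,
//    not by stripping characters on input.
if ($row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
}
```

With register_globals off (as the reply recommends), request parameters such as filteruserid=0 can no longer overwrite the script's own variables, so the validation functions above see only what they are explicitly given.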