
best way to incorporate $_GET in a query?


immanuelx2


<?php

  $myvar = $_GET['input'];
  // escape the raw GET value, then run it through your own scrubbing method
  $cleanvar = $clean->cleanit(mysql_escape_string($myvar));

  // the escaped value is quoted inside the query string
  $query = $db->query("SELECT * FROM $table WHERE id = '$cleanvar'");

?>

 

Don't leave yourself open to SQL injections. Write a method to clean/scrub everything input by a user, that will be used in a query.

 

cleanit() is a function/method you will have to write :-P

 

And how come you used $db->query()?

 

Using OOP (Object Oriented Programming) can really cut your script's length and make it so much easier and more efficient to do stuff. It is a different technique... click the link to get a better idea.

 

<?php
function real_escape($string) {
    // strip the slashes magic_quotes_gpc added, then escape exactly once for MySQL
    return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
}
?>

 

Try using that. Example usage:

 

<?php
$id = isset($_GET['id'])?real_escape($_GET['id']):'';
mysql_query = ("SELECT * FROM table WHERE id = '$id'");

function real_escape($string) {
       return  get_magic_quotes_gpc()?mysql_real_escape_string(stripslashes ($string)):mysql_real_escape_string($string);
}
?>

 

The code above makes sure that the data is only escaped once; note that a MySQL connection is required.
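The same lookup done with a PDO prepared statement, as an added example that is not code from this thread. The value is bound as a parameter rather than escaped and interpolated, which removes the "escaped once vs. twice" question entirely. The DSN, credentials and the `items` table are assumptions for the example.

```php
<?php
// Added example, not the thread's own code. Assumptions: a MySQL database
// reachable through the DSN below and a table `items` with an `id` column.

// Look up a row by the raw $_GET value. The value is passed to the server as a
// bound parameter, separate from the SQL text, so quotes, backslashes or any
// slashes left by magic_quotes_gpc cannot alter the statement. No escaping
// step is needed, and therefore nothing can be escaped twice or not at all.
function fetch_item(PDO $db, array $get): ?array
{
    if (!isset($get['id']) || !is_string($get['id'])) {
        // missing or array-valued parameter (?id[]=1): treat as "no result"
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM items WHERE id = :id');
    $stmt->execute([':id' => $get['id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection (DSN and credentials are placeholders). Emulated prepares are
// disabled so the statement text reaches MySQL before the value does.
$db = new PDO(
    'mysql:host=localhost;dbname=example;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$item = fetch_item($db, $_GET);
if ($item === null) {
    echo "no such item\n";
} else {
    print_r($item);
}
```

Only values can be bound this way. The `$table` in the first post is an identifier, not a value, so it would still have to be checked against a fixed list of allowed table names before being placed in the query text.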

 

And to ceaser

$cleanvar = $clean->cleanit(mysql_escape_string($myvar));

 

The cleanit(mysql_escape_string( seems kind of redundant, doesn't it? Shouldn't the escape be done inside the cleanit function to save the time of writing out that function? That, and I think it is mysql_real_escape_string.

 

> And to ceaser
>
> $cleanvar = $clean->cleanit(mysql_escape_string($myvar));
>
> The cleanit(mysql_escape_string( seems kind of redundant, doesn't it? Shouldn't the escape be done inside the cleanit function to save the time of writing out that function? That, and I think it is mysql_real_escape_string.

 

You're right...it would be better used in the cleanit() function...but I thought it better to illustrate to our friend here. :-)

side note, just noticed an error:

 

<?php
$id = isset($_GET['id']) ? real_escape($_GET['id']) : '';
mysql_query("SELECT * FROM table WHERE id = '$id'"); // do not use the = for functions..

function real_escape($string) {
    // strip magic-quotes slashes first so the value is escaped exactly once
    return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
}
?>

A good function I've always used for cleaning integers is the following; it's probably as secure as you can possibly get when it comes to cleaning an int. It allows for both negative and positive numbers, even decimals.

 

<?php
function clean_int($int, $dec, $length, $pos) {
    // mb_strcut() truncates the input to at most $length characters before it is rounded
    if ($pos == 1) {
        // positive only: abs() drops any leading minus sign
        $value = round(abs(mb_strcut($int, 0, $length)), $dec);
    } else {
        $value = round(mb_strcut($int, 0, $length), $dec);
    }
    // a non-numeric string is treated as 0 by round() (see the note below)
    return $value;
}
?>

 

$int - the integer itself

$dec - the number of possible decimal places, if you don't want decimals use 0

$length - the maximum number of numbers the integer can have, everything else will be truncated. If you want the max to be 9999, enter 4, if you want the max number to be 9999.99 enter 7.

$pos - whether or not the integer will always be positive, if it will always be positive use a 1, if not use a 0

 

Then to actually use the function you would do something like...

<?php
mysql_query('SELECT * FROM table WHERE id = '.clean_int($id, 0, 10, 1));
?>

 

Edit: If an integer is not entered at all it'll return a 0, there probably won't be a 0 id in your table so you can just have the script echo something if no results are returned. Also, entering ANY non number, decimal or negative sign will cause it to return a 0. Entering multiple negative signs or decimals will also return a 0.
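An added example of the same integer (and decimal) cleaning built on `filter_var()`, not code from this thread. It differs from `clean_int()` in one respect the edit above touches on: bad input is rejected with `null` instead of being turned into `0`, so "no id given" and "id 0" stay distinguishable, and the validated value is then bound as an integer in a prepared statement. The DSN, credentials and the `items` table are assumptions.

```php
<?php
// Added example, not the thread's own code. It validates the id with filter_var()
// and rejects bad input (null) instead of collapsing it to 0. The DSN and the
// `items` table are assumptions.

// Integer validator. $maxDigits caps the digit count; $positiveOnly rejects
// negatives rather than stripping the sign. Returns null for anything that is
// not a plain decimal integer: empty input, letters, decimals, doubled signs.
// FILTER_VALIDATE_INT also refuses leading zeros such as "007".
function validate_int(?string $raw, int $maxDigits = 10, bool $positiveOnly = true): ?int
{
    if ($raw === null) {
        return null;
    }
    $raw = trim($raw);
    if (strlen(ltrim($raw, '+-')) > $maxDigits) {
        return null;
    }
    $options = ['options' => []];
    if ($positiveOnly) {
        $options['options']['min_range'] = 0;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, $options);
    return $value === false ? null : $value;   // "0" yields int 0, not null
}

// Decimal variant for the "9999.99" case: accepts an optional sign and at most
// one decimal point, then rounds to $decimals places.
function validate_decimal(?string $raw, int $decimals, bool $positiveOnly = true): ?float
{
    if ($raw === null) {
        return null;
    }
    $raw = trim($raw);
    // reject exponents ("1e5") and anything else that is not digits with one point
    if (!preg_match('/^[+-]?(\d+\.?\d*|\.\d+)$/', $raw)) {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
    if ($value === false || ($positiveOnly && $value < 0)) {
        return null;
    }
    return round($value, $decimals);
}

// Usage: a rejected id becomes a 400 response instead of a query for id 0.
$db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$raw = $_GET['id'] ?? null;                      // ?id[]=1 arrives as an array
$id = is_string($raw) ? validate_int($raw, 10, true) : null;
if ($id === null) {
    http_response_code(400);
    exit("invalid id\n");
}
$stmt = $db->prepare('SELECT * FROM items WHERE id = ?');
$stmt->bindValue(1, $id, PDO::PARAM_INT);     // bound as an integer, never interpolated
$stmt->execute();
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
```

With the value bound as `PDO::PARAM_INT`, the validator's job is purely to enforce the application's rules (sign, size, no decimals); the query's structure no longer depends on what the user typed.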

Archived

This topic is now archived and is closed to further replies.
