clanstyles Posted July 9, 2007

Well I do that because it gets rid of HTML and trims the space up, and (int) makes it so it has to return as an integer, not like HeyBuddy or something fun. You should do things like this when you get values and insert shit into a db so it doesn't insert HTML and code other people can add. For fun I made a function to do it all.

function cleanstr($str) {
    return trim(mysql_real_escape_string(strip_tags($str)));
}

Then if I know it's an integer I'll do like

$com = (int) cleanstr($_GET['id']);
per1os Posted July 9, 2007

> $com = (int) trim(mysql_real_escape_string(strip_tags($_GET['del'])));

A little overkill.

<?php
$com = isset($_GET['del']) ? intval($_GET['del']) : null; // convert the GET data to int, this would prevent any foul data coming in
if (!is_null($com)) {
    // do query here.
}

$id = isset($_GET['id']) ? intval($_GET['id']) : null;
if (!is_null($id)) {
    // do select statement here
}
?>

The issue you are having with the id is that no matter what, you are running that query, even if no GET data was added on. Add that into your code and you should be fine.
clanstyles Posted July 9, 2007

> $com = (int) trim(mysql_real_escape_string(strip_tags($_GET['del'])));
> A little overkill.

How is that overkill?

Edit: Okay, maybe the mysql_real_escape_string is a little much... Hey, what's the difference between

$id = intval($_GET['id']);

and

$id = (int) $_GET['id'];
per1os Posted July 9, 2007

> $com = (int) trim(mysql_real_escape_string(strip_tags($_GET['del'])));
> A little overkill.
> How is that overkill?
> Edit: Okay, maybe the mysql_real_escape_string is a little much...

strip_tags is unnecessary because really we do not care if they are in there; once it is converted to an integer either way it does not matter. The trim is fine, but still unnecessary as stated above: once it is converted to an int it does not matter, all that text just magically disappears.

The bigger question is, if he is expecting an INT he should check to see if the string is numeric: www.php.net/is_numeric. If it is not numeric obviously there is foul play and he should not even try to check it against the database.

<?php
if (isset($_GET['del']) && is_numeric($_GET['del'])) {
    $com = intval($_GET['del']); // for good measure
} else {
    $com = null;
}
if (!is_null($com)) {
    // do query here.
}

$id = isset($_GET['id']) ? intval($_GET['id']) : null;
if (!is_null($id)) {
    // do select statement here
}
?>

You are just using unnecessary processing time with trim, mysql_real_escape_string and strip_tags.
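Added example, not code from either poster: it runs the three approaches discussed in the thread (a bare (int) cast, is_numeric followed by intval, and the stricter filter_var with FILTER_VALIDATE_INT) over a few constructed inputs so the differences are visible. The function names and sample values are my own; it assumes PHP 5.2 or later for filter_var.

```php
<?php
// Added example (not from the thread): compare the ways of accepting an
// integer id from the query string. Sample inputs below are constructed.

function id_by_cast($raw) {            // clanstyles: (int) cast, never rejects anything
    return (int) $raw;
}

function id_by_is_numeric($raw) {      // per1os: reject non-numeric strings, then intval
    return is_numeric($raw) ? intval($raw) : null;
}

function id_by_validate_int($raw) {    // stricter: a whole number >= 1 only, no floats or exponents
    $v = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return ($v === false) ? null : $v;
}

$samples = array('42', '42abc', 'abc', '12.5', '-7', '');  // constructed test inputs
printf("%-8s %-6s %-12s %-12s\n", 'input', 'cast', 'is_numeric', 'validate_int');
foreach ($samples as $s) {
    printf("%-8s %-6s %-12s %-12s\n", "'$s'",
        var_export(id_by_cast($s), true),          // '42abc' silently becomes 42, 'abc' becomes 0
        var_export(id_by_is_numeric($s), true),    // rejects '42abc' and '', but accepts '12.5' and '-7'
        var_export(id_by_validate_int($s), true)); // only '42' survives
}

// Only a non-null result should reach the database, and even then it belongs
// in a bound parameter rather than being pasted into the SQL string.
$id = id_by_validate_int(isset($_GET['id']) ? $_GET['id'] : '');
if ($id !== null) {
    // $stmt = $pdo->prepare('SELECT * FROM posts WHERE id = ?');
    // $stmt->execute(array($id));
}
```

The table makes per1os's point concrete: the cast never fails, so it cannot tell a bad request from a good one, while is_numeric still lets through values such as '12.5' that are not valid ids.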
clanstyles Posted July 9, 2007

Okay, if it were a string I was inserting, would it be considered "overkill" then?
per1os Posted July 9, 2007

> Okay, if it were a string I was inserting, would it be considered "overkill" then?

Nope, as long as you didn't want any HTML in it. Depends on the field. I don't use strip_tags, I usually just convert the < and > to their HTML characters because a lot of times I want to display code in my posts. It all depends on what is needed/required =)
L (Author) Posted July 9, 2007

Sweet thanx for the help guys...it's working fine now! Thanx for all your time and effort,
~L