robb73 Posted December 7, 2007

I've always used integers when passing values in URLs and then using them with $_GET. To check the id is OK I've been using:

```php
if (isset($_GET['id'])) {
    $new_id = (int) $_GET['id'];
} else {
    $new_id = 0;
}

if ($new_id > 0) {
    // do something
} else {
    echo '<p>this page has been accessed in error.</p>';
}
```

However, I'd like to pass strings instead of integers so the URL is a bit more meaningful. How would I go about checking it's OK in the receiving script?

Vizor Posted December 7, 2007

Do you mean as in filter for bad chars etc? Try urlencode().

robb73 Posted December 7, 2007

I'm worried about someone substituting their own value into the URL. I usually end up using the value in an SQL query, so I want to make sure it's clean before I run the mysqli_query().

robb73 Posted December 7, 2007

I'm worried about someone substituting their own value into the URL. I usually end up using the value in an SQL query, so I want to make sure it's clean before I run the mysqli_query().

Maybe I've got this the wrong way round, should I just use mysqli_real_escape_string on the string value passed to $_GET and then used in a mysqli_query()?

robb73 Posted December 7, 2007

Found the answer in a book, I'm just going to test against a regular expression. Posted the solution in case anyone was interested.

```php
// eregi() was removed in PHP 7; preg_match() with the same POSIX class performs the same test
$string = isset($_GET['string']) ? stripslashes(trim($_GET['string'])) : '';

if (preg_match('/^[[:alpha:]]+$/', $string)) {
    // run mysqli_query()
} else {
    // send error
}
```

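The approach discussed in this thread, as an added example that is not code from any of the posters: the letters-only check applied as an allow-list, followed by a mysqli prepared statement so the value is bound rather than concatenated into the query. The `pages` table, its `slug` and `title` columns, the 64-character limit and the function names are assumptions made for illustration.

```php
<?php
// Added example: validate a string taken from the URL, then bind it in a prepared statement.
// The `pages` table, `slug`/`title` columns and the 64-character limit are assumptions.

/** Return the value if it is a plain string of ASCII letters, otherwise null. */
function clean_slug($raw): ?string
{
    if (!is_string($raw)) {          // ?string[]=x arrives as an array, not a string
        return null;
    }
    $slug = trim($raw);
    // \A and \z anchor at the true start and end; a bare $ would also match before a final "\n"
    return preg_match('/\A[[:alpha:]]{1,64}\z/', $slug) === 1 ? $slug : null;
}

/** Look the slug up with a bound parameter, so the value never becomes part of the SQL text. */
function find_page(mysqli $db, string $slug): ?array
{
    $stmt = $db->prepare('SELECT title FROM pages WHERE slug = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $slug);
    $stmt->execute();
    $stmt->bind_result($title);
    $row = $stmt->fetch() ? ['title' => $title] : null;
    $stmt->close();
    return $row;
}

// Constructed sample inputs standing in for $_GET['string'].
$samples = ['contact', ' About ', "x' OR '1'='1", 'news-2007', 'caf%C3%A9', ['a'], ''];
foreach ($samples as $raw) {
    $slug = clean_slug($raw);
    printf("%-18s => %s\n", json_encode($raw), $slug === null ? 'rejected' : "accepted as '$slug'");
}
```

Run from the command line, the loop only exercises `clean_slug()`; `find_page()` needs a live `mysqli` connection and would be called with the accepted value.
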