Old 09-13-2007, 10:08 AM   #6 (permalink)
jordie
Another note (possibly for use in the safe_sql() function above, or at least in addition to it), when using get/post data in a query: if you're expecting a number, e.g. a table primary index ID, then you should typecast it to make sure it's a number, e.g.

myscript.php?action=save&id=34

PHP Code:
// Cast the query-string value to an integer before it goes anywhere near SQL.
$id = (int)$_GET['id'];
// $id is now guaranteed to be an integer, so quoting it in the query is harmless.
mysql_query("update ... where id='".$id."'");
This will mean that if $_GET['id'] is anything other than a number, it will be set to 0, and as MySQL starts row numbers from 1, nothing will get updated and you're safe from an injection too.
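As an added example (not jordie's code), the script below compares the plain (int) cast from the post with a strict integer check, showing the one case the cast handles loosely: a value with leading digits such as "34abc" becomes 34 rather than 0. The sample values and the table name `items` in the trailing comment are constructed for illustration.

```php
<?php
// Added example: (int) cast versus strict validation of an ID from the query string.

// Loose coercion as in the post: non-numeric input becomes 0, but a string
// with leading digits ("34abc") keeps those digits.
function id_from_cast($raw)
{
    return (int)$raw;
}

// Strict validation: accept only digits (with optional sign) and require a
// positive value, since auto-increment IDs start at 1. Returns null otherwise.
function id_strict($raw)
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($n === false) ? null : $n;
}

// Constructed sample values standing in for $_GET['id'].
$samples = ['34', '0', '-5', '34abc', 'abc', '1 OR 1=1'];

printf("%-14s %-6s %s\n", 'input', 'cast', 'strict');
foreach ($samples as $raw) {
    $strict = id_strict($raw);
    printf("%-14s %-6d %s\n", var_export($raw, true), id_from_cast($raw),
           $strict === null ? 'rejected' : $strict);
}

// Either way the value that reaches the query is an integer, never raw input.
// With mysqli (hypothetical table "items") a prepared statement binds it as an
// integer ('i'), so no quoting or escaping of $id is needed at all:
//   $stmt = $db->prepare('UPDATE items SET name = ? WHERE id = ?');
//   $stmt->bind_param('si', $name, $id);
```

Running it prints one row per sample: the cast column shows 34, 0, -5, 34, 0, 1 while the strict column accepts only 34 and rejects the rest.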