09-13-2007, 02:10 PM
#7
Wizard
Join Date: Sep 2007
Posts: 1,216
Thanks: 17
Quote:
Originally Posted by jordie
Another note (possibly for use in the safe_sql() function above, or at least in addition to), when using get/post data in a query. If you're expecting a number, e.g. a table primary index ID, then you should typecast it to make sure it's a number. e.g.
myscript.php?action=save&id=34
PHP Code:
$id = (int)$_GET['id'];
mysql_query("update ... where id='".$id."'");
This will mean that if $_GET['id'] is anything other than a number, it will be set to 0, and as mysql starts row numbers from 1, nothing will get updated and you're safe from an injection too.
It just wouldn't return anything, no injection would result. If you want to see if it's a number, there is the is_numeric() function.
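An added example (not code from either poster) showing what the (int) cast, is_numeric() and FILTER_VALIDATE_INT each do with typical id values, and a parameterised UPDATE so the id never reaches the SQL string; it assumes a PDO connection $pdo and a table "items" with an integer "id" column.

```php
<?php
// Added example, not code from the thread: how PHP's (int) cast, is_numeric()
// and FILTER_VALIDATE_INT each treat typical $_GET['id'] values, and a
// parameterised UPDATE so the id never touches the SQL string.
// Assumes a PDO connection $pdo and a table "items" with an integer "id" column.
declare(strict_types=1);

// The quoted post's approach: cast, and rely on 0 matching no row.
function idByCast(string $raw): int
{
    return (int) $raw;
}

// Stricter: only an optional sign and digits, within int range and >= 1; null otherwise.
function idByValidate(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Constructed sample inputs a script might receive in ?id=...
$samples = ['34', '34abc', '34 OR 1=1', '1e3', '12.0', '-5', '0', 'abc', '99999999999999999999'];
printf("%-24s %-22s %-10s %s\n", 'input', '(int)', 'is_numeric', 'validate');
foreach ($samples as $raw) {
    printf("%-24s %-22s %-10s %s\n",
        var_export($raw, true),
        idByCast($raw),
        is_numeric($raw) ? 'true' : 'false',
        var_export(idByValidate($raw), true));
}
// What the table shows:
//  - (int)'34abc' and (int)'34 OR 1=1' are both 34: the cast keeps the leading
//    digits and silently drops the rest, so the query is safe but nothing
//    tells the caller the input was tampered with.
//  - is_numeric() accepts '1e3', '12.0' and '-5', none of which is a valid row id.
//  - FILTER_VALIDATE_INT with min_range => 1 rejects all of those with null.

// Whichever check is used, bind the value instead of interpolating it.
function updateTitle(PDO $pdo, string $rawId, string $title): int
{
    $id = idByValidate($rawId);
    if ($id === null) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('UPDATE items SET title = :title WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}
```

Logging the rejected input in the null branch gives the operator a signal that a tampered id arrived, which the bare cast in the quoted post never produces.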