On Sat, 2004-12-18 at 22:50, Sebastian wrote:
> just a question, what is the best way to sanitize your scripts when you're
> using $_GET or $_REQUEST in a query?
>
> eg, i usually just do:
>
> if(is_numeric($_REQUEST['id']))
> {
> mysql_query("SELECT id FROM table WHERE
> id=".intval($_REQUEST['id'])."");
> }
>
> what about when the GET is text? just use htmlspecialchars?
> just looking for some advice to help keep my apps secure.
For numeric values that I don't care about the value itself, only that
it's numeric:
$qString =
"SELECT * FROM table where id = ".(0 + $_GET['someVar'])." "
Binary operators are almost twice as fast as function calls.
As for text... addSlashes() for mysql database if I'm using the raw
mysql functions (which I don't do if I have a choice), otherwise I use
the database layer's quote function which takes into consideration the
database type.
Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
