On Sat, 2004-12-18 at 22:50, Sebastian wrote:
> Just a question: what is the best way to sanitize your scripts when you're
> using $_GET or $_REQUEST in a query?
>
> e.g., I usually just do:
>
> if (is_numeric($_REQUEST['id']))
> {
>     mysql_query("SELECT id FROM table WHERE id=" . intval($_REQUEST['id']));
> }
>
> What about when the GET is text? Just use htmlspecialchars?
> Just looking for some advice to help keep my apps secure.
For numeric values where I don't care about the value itself, only that it's numeric:

$qString = "SELECT * FROM table WHERE id = " . (0 + $_GET['someVar']) . " ";

Binary operators are almost twice as fast as function calls.

As for text... addslashes() for a MySQL database if I'm using the raw mysql functions (which I don't do if I have a choice); otherwise I use the database layer's quote function, which takes the database type into consideration.

Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
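Editor's note, added to this thread and not part of either poster's message: the approaches above (intval()/(0 + $x) for numbers, addslashes() for text) are the 2004-era answer. Two caveats a practitioner should know today. First, addslashes() is charset-unaware, so with a multibyte connection charset such as GBK a crafted byte sequence can swallow the inserted backslash and break out of the quotes; an escaping function has to know the connection's charset (mysql_real_escape_string() did, addslashes() does not), and the mysql_* extension itself was removed in PHP 7. Second, htmlspecialchars() belongs at the HTML output boundary and does nothing for SQL. The robust replacement for both cases is to validate the input and then pass it to the driver as a bound parameter, so the value never becomes part of the SQL text. The example below is my own code, not from the thread; it runs against an in-memory SQLite database via PDO so it works offline (swap the DSN for MySQL), the table, rows and request values are constructed for illustration, and findById()/findByName() are names chosen here.

```php
<?php
// Added example (not from the original thread): validate request input, then
// bind it as a query parameter with PDO. SQLite in-memory keeps it self-contained;
// a MySQL DSN such as 'mysql:host=...;dbname=...;charset=utf8mb4' works the same.

declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the driver prepare natively
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$seed = $db->prepare('INSERT INTO users (id, name) VALUES (?, ?)');
foreach ([[1, 'alice'], [2, "o'brien"], [3, 'bob']] as $row) { // constructed rows
    $seed->execute($row);
}

/**
 * Numeric id: reject anything that is not a positive integer, then bind it as
 * an integer. FILTER_VALIDATE_INT rejects "12abc", "1e3", "", and arrays, which
 * is stricter than is_numeric() and avoids silently truncating like intval().
 */
function findById(PDO $db, mixed $raw): ?array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // invalid input: do not run the query at all
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Free text: no escaping and no quoting in the SQL string. The value is sent to
 * the driver separately from the statement, so quotes and backslashes are data.
 */
function findByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values standing in for $_GET / $_REQUEST.
$requests = [
    ['id' => '2'],                 // valid id, returns one row
    ['id' => '2 OR 1=1'],          // rejected by the integer filter, no query runs
    ['name' => "o'brien"],         // legitimate apostrophe, matches one row
    ['name' => "x' OR '1'='1"],    // classic injection payload, matches nothing
];

foreach ($requests as $get) {
    if (isset($get['id'])) {
        $row    = findById($db, $get['id']);
        $label  = 'id=' . $get['id'];
        $result = $row === null ? 'no row / invalid id' : json_encode($row);
    } else {
        $rows   = findByName($db, $get['name']);
        $label  = 'name=' . $get['name'];
        $result = count($rows) . ' row(s): ' . json_encode($rows);
    }
    // htmlspecialchars() is for the HTML output context only, never for SQL.
    echo htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . ' -> ' . $result . PHP_EOL;
}
```

Run it with `php example.php` (requires the pdo_sqlite extension, bundled with most PHP builds). The injection payload returns zero rows instead of the whole table because the bound string is compared literally, and the bogus id never reaches the database because validation fails first. If you must build SQL from strings, the equivalent of Rob's "database layer's quote function" is PDO::quote(), which is charset-aware per connection; but binding parameters removes the question entirely.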