Matthew Weier O'Phinney wrote:
> * Sebastian <sebastian@xxxxxxxxxxxxxxxxxxx>:
>> Just a question, what is the best way to sanitize your scripts when you're
>> using $_GET or $_REQUEST in a query?
>>
>> E.g., I usually just do:
>>
>> if (is_numeric($_REQUEST['id']))
>> {
>>     mysql_query("SELECT id FROM table WHERE id=".intval($_REQUEST['id']));
>> }
>>
>> What about when the GET is text? Just use htmlspecialchars?
>> Just looking for some advice to help keep my apps secure.
>
> The proper method for doing this is to 'whitelist' -- in other words,
> assume data is tainted, and only allow it if it passes certain criteria.
> For text, you'll typically want to define what is allowed, create a
> regular expression, and pass the value through that expression (this is
> often called 'filtering').
>
> By the way, if you're needing an integer ID in the test above, testing
> for is_numeric() will not be enough -- it returns floats as well as
> integers. Try:
>
> if ($_REQUEST['id'] == strval(intval($_REQUEST['id'])))

For an id, you may also want to do:

$id = (int) $_REQUEST['id'];
if ($id > 0) {
}

While I can't think how a value of "-5" is going to mess you up in any big way, you might as well eliminate it, since it's not valid.

--
Like Music? http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
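The three id checks discussed in this thread (is_numeric(), the strval(intval()) round-trip, and the (int) cast with a > 0 test) behave differently on borderline input, and the whitelist-regex advice for text is easy to show in the same place. The script below is an added example written for this page, not code from any of the posters; the function names validate_id() and validate_slug(), the sample inputs, and the commented-out PDO connection are all assumptions. It uses a strict !== comparison rather than the loose == from the quoted reply, because PHP compares two numeric strings numerically under ==, so "5.0" == "5" is true and the round-trip check would pass "5.0" through. Note also that htmlspecialchars() is output encoding for HTML; it does nothing for SQL, so the text case is handled by the whitelist regex and, ideally, a prepared statement.

```php
<?php
// Added example (not from the thread). Sample inputs below are constructed.

/**
 * Accept only a positive integer written in canonical decimal form.
 * Returns the integer, or null if the value should be rejected.
 */
function validate_id(string $raw): ?int
{
    // Strict round-trip: "5.0", "1e3", " 5" and "5abc" all fail here,
    // while is_numeric() would accept the first three of them.
    if ($raw !== strval(intval($raw))) {
        return null;
    }
    $id = (int) $raw;
    // Reject 0 and negatives, as suggested in the reply above.
    return $id > 0 ? $id : null;
}

/**
 * Whitelist a text parameter: define what is allowed (letters, digits,
 * underscore, 1..32 characters) and reject everything else.
 */
function validate_slug(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $raw) === 1 ? $raw : null;
}

// Constructed inputs: valid ids, edge cases, and one hostile string.
$samples = ['42', '-5', '0', '5.0', '1e3', ' 5', '5abc', "5' OR 1=1--"];
foreach ($samples as $s) {
    printf("%-14s is_numeric=%-5s validate_id=%s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        var_export(validate_id($s), true));
}

foreach (['hello_world', 'hello world', '', str_repeat('a', 40)] as $t) {
    printf("%-44s validate_slug=%s\n",
        var_export($t, true), var_export(validate_slug($t), true));
}

// Using the result: a validated integer is safe to interpolate, but a
// prepared statement (PDO here, instead of the mysql_* extension used in
// the thread) is the durable habit for both ids and text. The connection
// details are placeholders.
// $pdo  = new PDO('mysql:host=localhost;dbname=app', 'user', 'password');
// $id   = validate_id($_REQUEST['id'] ?? '');
// if ($id !== null) {
//     $stmt = $pdo->prepare('SELECT id FROM table WHERE id = :id');
//     $stmt->execute([':id' => $id]);
// }
```

Running it prints one line per sample: only '42' yields a non-null id, while is_numeric() reports true for '42', '-5', '0', '5.0', '1e3' and ' 5'. For the text inputs, only 'hello_world' survives the whitelist.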