Re: UPDATE and redirect

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Marcelo Wolfgang wrote:
and what if $_GET['id'] is something like
"1; DROP TABLE tb_emails;"
??

SQL injection just waits to happen

I think tha tit will be too much of a hacker effort just to kill a table of contact emails, and also he will have to guess ( is there other way ? ) the table name, but just to be on a safer side:

- Is there a way to say that id can only be a number ?

something like $id:Number = $_GET['id']?

TIA

If your id should only have digits in it, use

if (! ctype_digit($_GET['id'])) {
   print "invalid parameter error message or exit or whatever";
}

This doesn't work with negative integers - it really checks to make sure that there are only digits, but it is very handy for validating GET or POST variables.

There are other ctype functions as well...

Lori

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux