Marcelo Wolfgang wrote:
and what if $_GET['id'] is something like
"1; DROP TABLE tb_emails;"
??
SQL injection just waits to happen
I think tha tit will be too much of a hacker effort just to kill a
table of contact emails, and also he will have to guess ( is there
other way ? ) the table name, but just to be on a safer side:
- Is there a way to say that id can only be a number ?
something like $id:Number = $_GET['id']?
TIA
If your id should only have digits in it, use
if (! ctype_digit($_GET['id'])) {
print "invalid parameter error message or exit or whatever";
}
This doesn't work with negative integers - it really checks to make sure
that there are only digits, but it is very handy for validating GET or
POST variables.
There are other ctype functions as well...
Lori
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
