Hi.
How are you? This is my first tutorial on this website.
Let's get started.
We know the id is the primary key we use in a database table to count rows or to keep them in order.
Imagine that you want to make a blog,
and the URL will be like this:
[syntax=php]
localhost/blog/index.php?topicid=number like 1 in example
[/syntax]
for example
[syntax=php]
localhost/blog/index.php?topicid=3
[/syntax]
So it will bring the data from row 3 in the database table.
The file we normally write will be like this:
[syntax=php]
<?php
/**
* @Author: Muhanned Mohammed
* @country: Oman
* @email: kaka9909@hotmail.com
*
*/
// connect to the database
mysql_connect("localhost","username","password") or die(mysql_error());
mysql_select_db("dbname") or die(mysql_error());
// make the query
$page=$_GET['topicid']; // ?topicid=
// $page is placed straight into the SQL string, exactly as it came from the URL
$query=mysql_query("SELECT * FROM table_name WHERE id='$page'") or die("error");
?>
[/syntax]
But for security we will use an array:
[syntax=php]
<?php
/**
* @Author: Muhanned Mohammed
* @country: Oman
* @email: kaka9909@hotmail.com
*
*/
// connect to the database
mysql_connect("localhost","username","password") or die(mysql_error());
mysql_select_db("dbname") or die(mysql_error());
// make the query
// for security we will use an array
$page=$_GET['topicid']; // ?topicid=
if(is_int($page)){
$array=array("-","+");
$page=str_replace($array,"",$page); // this will delete the - and + in the URL: localhost/blog/index.php?topicid=2
}
$query=mysql_query("SELECT * FROM table_name WHERE id='$page'") or die("error");
?>
[/syntax]
How to Secure IDs For a MySQL Query
Re: how to secure primary key
Thanks for contributing this.
Slight problem though:
if
[syntax=php]if(is_int($page)){[/syntax]
is true, it means that there can't be a + or - in the variable, doesn't it?
Either way, another effective method would be to do
[syntax=php]$id = (int)$_GET['id'];[/syntax]
Re: How to Secure IDs For a MySQL Query
I agree with him, using (int) is a lot simpler yet just as effective, although your method is just as good. I use (int) in most cases as it's easy, simple, and effective (repeating myself ftw!). int is the best; the web host I use has an older version of PHP and doesn't support php_round_half_down, but then I realised I could use int. I think in most cases int is secure enough.
(Sorry for going off topic, I've just had too much energy drink and it does this to me :S)
Re: how to secure primary key
jacek wrote:Thanks for contributing this.
Slight problem though:
if
[syntax=php]if(is_int($page)){[/syntax]
is true, it means that there can't be a + or - in the variable, doesn't it?
Either way, another effective method would be to do
[syntax=php]$id = (int)$_GET['id'];[/syntax]
Thanks for your post,
and it's a nice way.
Re: How to Secure IDs For a MySQL Query
Carbine wrote:I agree with him, using (int) is a lot simpler yet just as effective, although your method is just as good. I use (int) in most cases as it's easy, simple, and effective (repeating myself ftw!). int is the best; the web host I use has an older version of PHP and doesn't support php_round_half_down, but then I realised I could use int. I think in most cases int is secure enough.
(Sorry for going off topic, I've just had too much energy drink and it does this to me :S)
Easy, because I like advice
that will increase my abilities.
Re: How to Secure IDs For a MySQL Query
Thinking about it -8 is an int, so maybe you do need to do the str_replace.
Although, all that would happen with -8 is that mysql would return 0 rows, just the same as if the Id was invalid.
Re: How to Secure IDs For a MySQL Query
PHP does have the abs() function for making sure a number is positive.
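Pulling the whole thread together (the tutorial's `$_GET['topicid']` lookup and the replies about `(int)`, negative ids and `abs()`), here is an added example that is not from any poster: it validates the id as a positive integer and binds it in a prepared statement instead of building the SQL string by hand. It assumes PDO with the SQLite driver and a constructed in-memory `topics` table standing in for the blog's MySQL table, so it runs offline.

```php
<?php
// Added example, not code from the thread. The table and inputs are constructed.

// Accept only a positive decimal integer; return null for anything else.
// Unlike (int), which silently turns "3abc" into 3 and "-8" into -8,
// FILTER_VALIDATE_INT rejects "3abc", "3.0" and "", and min_range drops 0
// and negatives (so no abs() or str_replace on "-"/"+" is needed).
function validateTopicId($raw): ?int
{
    if (!is_string($raw)) {
        return null; // e.g. ?topicid[]=3 arrives as an array
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look the topic up with a bound integer parameter; the id never touches the SQL text.
function fetchTopic(PDO $db, $raw): ?array
{
    $id = validateTopicId($raw);
    if ($id === null) {
        return null; // same outcome as an unknown id: no row
    }
    $stmt = $db->prepare('SELECT id, title FROM topics WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample table (SQLite in memory) in place of the blog's MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO topics (id, title) VALUES (1, 'first'), (3, 'third')");

// Constructed inputs as they would arrive in $_GET['topicid'].
foreach (['3', '-8', '+3', '3abc', '99'] as $input) {
    $row = fetchTopic($db, $input);
    printf("%-5s => %s\n", $input, $row ? $row['title'] : 'no row');
}
```

Only `3` and `+3` (which the int filter normalises to 3) return a row; `-8`, `3abc` and the unknown id `99` all fall through to "no row", so a bad id and an absent id look the same to the caller.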