How to Secure IDs For a MySQL Query

Any tutorials (or useful resources) should go in here.
Muhanned
Posts: 7
Joined: Mon May 16, 2011 6:16 pm

How to Secure IDs For a MySQL Query

Post by Muhanned »

Hi.
How are you? This is my first tutorial on this website.
Let's get started.
We know the id is the primary key we use in a database table to count rows or to keep them in order.
Imagine that you want to make a blog,
and the URL will be like this:
localhost/blog/index.php?topicid=number  (for example, 1)
For example:
localhost/blog/index.php?topicid=3
So it will bring data from row 3 in the database table.
The file will be like this.

This is what we normally make:
<?php

/**
*   @Author: Muhanned  Mohammed
*   @country: Oman
*   @email: kaka9909@hotmail.com
*
*/
// connect to the database
mysql_connect("localhost","username","password") or die(mysql_error());
mysql_select_db("dbname") or die(mysql_error());
// make the query
$page=$_GET['topicid'];  // ?topicid=

// the raw GET value is placed straight into the SQL string
$query=mysql_query("SELECT * FROM table_name WHERE id='$page'") or die("error");

?>

But for security we will use an array:
<?php

/**
*   @Author: Muhanned  Mohammed
*   @country: Oman
*   @email: kaka9909@hotmail.com
*
*/
// connect to the database
mysql_connect("localhost","username","password") or die(mysql_error());
mysql_select_db("dbname") or die(mysql_error());
// make the query
// security: we will use an array
$page=$_GET['topicid']; // topicid=
if(is_int($page)){
$array=array("-","+");
$page=str_replace($array,"",$page); // this will delete the - and + in the url : localhost/blog/index.php?topicid=2
}
$query=mysql_query("SELECT * FROM table_name WHERE id='$page'") or die("error");

?>
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK

Re: How to secure a primary key

Post by jacek »

thanks for contributing this,

Slight problem though

if
if(is_int($page)){
is true, it means that there can't be a + or - in the variable, doesn't it :?

either way, another effective method would be to do
$id = (int)$_GET['id'];
Carbine
Posts: 58
Joined: Fri May 06, 2011 1:47 pm
Location: UK, Nottinghamshire

Re: How to Secure IDs For a MySQL Query

Post by Carbine »

I agree with him, using (int) is a lot simpler yet just as effective, although your method is just as good. I use (int) in most cases as it's easy, simple, and effective (repeating myself ftw!). int is the best; the web host I use has an older version of PHP and doesn't support php_round_half_down, but then I realised I could use int. I think in most cases int is secure enough.
(Sorry for going off topic, I've just had too much energy drink and it does this to me :S)
Muhanned
Posts: 7
Joined: Mon May 16, 2011 6:16 pm

Re: How to secure a primary key

Post by Muhanned »

jacek wrote:thanks for contributing this,

Slight problem though

if
if(is_int($page)){
is true, it means that there can't be a + or - in the variable, doesn't it :?

either way, another effective method would be to do
$id = (int)$_GET['id'];
Thanks for your post,
and it's a nice way :)
Muhanned
Posts: 7
Joined: Mon May 16, 2011 6:16 pm

Re: How to Secure IDs For a MySQL Query

Post by Muhanned »

Carbine wrote:I agree with him, using (int) is a lot simpler yet just as effective, although your method is just as good. I use (int) in most cases as it's easy, simple, and effective (repeating myself ftw!). int is the best; the web host I use has an older version of PHP and doesn't support php_round_half_down, but then I realised I could use int. I think in most cases int is secure enough.
(Sorry for going off topic, I've just had too much energy drink and it does this to me :S)
Easy, because I like advice
that will increase my abilities.
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK

Re: How to Secure IDs For a MySQL Query

Post by jacek »

Thinking about it -8 is an int, so maybe you do need to do the str_replace.

Although, all that would happen with -8 is that MySQL would return 0 rows, just the same as if the id was invalid.
Dominion
Posts: 32
Joined: Thu May 05, 2011 11:32 pm

Re: How to Secure IDs For a MySQL Query

Post by Dominion »

PHP does have the abs() function for making sure a number is positive.
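Pulling the thread's points together (is_int() never matching a GET value, the (int) cast, negative ids, and abs()), here is an added example that is not code from any poster: it validates topicid as a positive integer and binds it to a prepared statement so the id never becomes part of the SQL text. The table name, DSN and credentials are assumptions.

```php
<?php
// Added example: validate a topicid from the query string, then query with a
// bound parameter instead of interpolating the value into the SQL string.

/**
 * Return topicid as a positive int, or null when it is not one.
 * $_GET values are always strings, so is_int($_GET['topicid']) is always
 * false; FILTER_VALIDATE_INT parses the string and enforces the range.
 */
function topicIdFromRequest(array $get): ?int
{
    if (!isset($get['topicid'])) {
        return null;
    }
    $id = filter_var($get['topicid'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],   // rejects 0, -8 and non-numeric text
    ]);
    return $id === false ? null : $id;
}

/** Fetch one topic row by id; table name "topics" is an assumption. */
function fetchTopic(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM topics WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT); // typed bind, no quoting needed
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs showing how the validator treats each one.
foreach (['3', '-8', '+3', '3abc', 'abc', ''] as $raw) {
    $id = topicIdFromRequest(['topicid' => $raw]);
    printf("%-8s => %s\n", var_export($raw, true), $id === null ? 'rejected' : "id $id");
}

// Usage against a real database (assumed DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=dbname', 'username', 'password',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $id = topicIdFromRequest($_GET);
// $topic = $id === null ? null : fetchTopic($db, $id);
```

With the range check, a negative id is rejected before the query runs rather than silently returning 0 rows, and abs() or str_replace() on the sign is no longer needed.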