I'm trying to keep my data safe and clean in my database, so anything that i'm using with $_GET to retrieve a URL I want to make sure an int value is passed. IE, say my URL was:
page.php?news_id=123
The page would process fine
But if it was page.php?news_id=dodgycode
It would send the user away to an errow page. However with my code below if
page.php?news_id=dodgycode
Is entered it does not send the user to the error page. It simply outputs the message Unknown column 'dodgycode' in 'where clause'?
Anyone help?
PHP Code:
<?php
//* If the Value is an INT then continue...
if(intval($_GET['news_id'] == $_GET['news_id']) || ($_GET['news_id'] != 0)) {
$SQL = "SELECT *from test where news_id= ".$_GET['news_id'];
$result = mysql_query($SQL) OR die(mysql_error());
This way you first test that there even is a news_id and that it is not 0, then if so, make sure you got an integer.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
The code should chuck the user out to my error page, but it's not. I'm getting an Unknown column 'dodgycode' message which the user should not get as at this point they should have been chucked straight to the else statement?
PHP Code:
<?php
//* If the Value is an INT then continue...
if(!empty($_GET['news_id']) && intval($_GET['news_id'] == $_GET['news_id'])) {
$SQL = "SELECT *from test where news_id= ".$_GET['news_id'];
$result = mysql_query($SQL) OR die(mysql_error());
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
Reply With Quote
Bookmarks