Hi, is the following code safe? I.e. can it be used directly for a SQL query or other purposes?
$start = intval($HTTP_GET_VARS['start']);
thanks!
safe codes
What do you want to do with this??? Post your code!
And, use [php] for PHP and [code] for HTML!
- aerodromoi
Re: safe codes
ibolui wrote: Hi, is the following code safe? I.e. can it be used directly for a SQL query or other purposes?
$start = intval($HTTP_GET_VARS['start']);
thanks!

First of all, I'd recommend switching to $_GET['start'].
Secondly, I reckon that there are certain criteria "start" has - for example that it's not greater than 1000.
If you have reason to suspect that someone will try to input a string and start has to be an integer, why don't you check $_GET['start'] against a regular expression, e.g.

// eregi() was removed in PHP 7; preg_match() with the same digits-only pattern is the drop-in replacement
if (!preg_match('/^[0-9]{1,6}$/', $_GET['start'])) die("invalid input!");

Or just use is_integer:

// $_GET values are always strings, so is_integer() is false even for "5";
// ctype_digit() checks for a non-empty digits-only string, then the value is cast before the range check
if (ctype_digit($_GET['start']) && ((int) $_GET['start'] < $max)) { ... }
Re: safe codes
aerodromoi wrote: First of all, I'd recommend switching to $_GET['start'].

Hi, why is switching to $_GET recommended? They are the same, aren't they?
- aerodromoi
Re: safe codes
ibolui wrote: Hi, why is switching to $_GET recommended? They are the same, aren't they?

HTTP_*_VARS are deprecated and, depending on the PHP version, they can be disabled.
For more information: http://de2.php.net/variables.predefined
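To show what the thread is circling around, here is an added example (not code from any poster) that contrasts intval() with explicit validation of a "start" parameter and then uses the value as a bound integer in a prepared statement. The function names, the 1000 upper bound and the posts table are assumptions.

```php
<?php
// Added example: validate an integer "start" query parameter for use as a SQL offset.
// validateStart(), $max and the table name are assumptions, not from the thread.

function validateStart(array $get, int $max = 1000): ?int
{
    if (!isset($get['start'])) {
        return null;
    }
    $raw = $get['start'];
    // $_GET values are strings (or arrays for start[]=...), so is_integer($raw) is
    // always false; ctype_digit() on a string checks for one or more decimal digits.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 6) {
        return null;
    }
    $start = (int) $raw;
    return ($start <= $max) ? $start : null;
}

// intval() always returns an integer, so interpolating it as a bare number cannot
// change the SQL structure: "12abc" -> 12, "abc" -> 0, "-1" -> -1. It does, however,
// silently accept garbage and negative or huge offsets; validation rejects them.
$samples = ['12', '12abc', 'abc', '-1', '999999999', '0'];   // constructed inputs
foreach ($samples as $s) {
    printf("%-14s intval=%-11d validated=%s\n",
        var_export($s, true), intval($s), var_export(validateStart(['start' => $s]), true));
}

// Use the validated value through a bound integer parameter rather than string
// concatenation, so the query text never depends on the request at all.
function fetchPage(PDO $pdo, int $start): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM posts ORDER BY id LIMIT 20 OFFSET :start');
    $stmt->bindValue(':start', $start, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Run the top half on its own to see intval() accept every sample while validateStart() returns null for everything except "12" and "0"; fetchPage() needs a real PDO connection.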