safe codes

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

ibolui
Forum Commoner
Posts: 27
Joined: Thu May 26, 2005 9:41 am

safe codes

Post by ibolui »

hi, is the following code safe? i.e. can it be used directly for an SQL query or other purpose?

$start = intval($HTTP_GET_VARS['start']);

thanks!
ok
Forum Contributor
Posts: 393
Joined: Wed May 31, 2006 9:20 am
Location: The Holy Land

Post by ok »

What do you want to do with this??? Post your code!

And, use [php] for PHP and [code] for HTML!
aerodromoi
Forum Contributor
Posts: 230
Joined: Sun May 07, 2006 5:21 am

Re: safe codes

Post by aerodromoi »

ibolui wrote: hi, is the following code safe? i.e. can it be used directly for an SQL query or other purpose?

$start = intval($HTTP_GET_VARS['start']);

thanks!
First of all, I'd recommend switching to $_GET['start'].

Secondly, I reckon that there are certain criteria "start" has to meet - for example that it's not greater than 1000.
If you have reason to suspect that someone will try to input a string and start has to be an integer, why don't you
check $_GET['start'] against a regular expression, e.g.

Code:

// eregi() was removed in PHP 7; preg_match('/^[0-9]{1,6}$/', $_GET['start']) is the equivalent
if (!eregi("^[0-9]{1,6}$", $_GET['start'])) die("invalid input!");
aerodromoi
ok
Forum Contributor
Posts: 393
Joined: Wed May 31, 2006 9:20 am
Location: The Holy Land

Post by ok »

Or just use is_integer:

Code:

// $_GET values are always strings, so is_integer() never matches them;
// ctype_digit() checks that the string contains only digits
if (ctype_digit($_GET['start']) && ((int) $_GET['start'] < $max)) { ... }
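Pulling the thread's advice together, as an added example that is not code from any poster: a helper that takes the raw query-string value, rejects anything that is not a bounded non-negative integer, and binds the result as an integer parameter. The `$max` bound, the `items` table and the PDO/SQLite connection are assumptions for illustration.

```php
<?php
// Added example, not code from any poster in this thread. It collects the
// thread's points: $_GET over $HTTP_GET_VARS, reject non-digit strings,
// enforce a range, then bind the value as an integer. $max and the table
// name "items" are assumptions for illustration.

// Returns the validated integer, or null when the input is unacceptable.
function validate_start($raw, int $max = 1000): ?int
{
    // $_GET values arrive as strings (or arrays, if the request sends start[]=1),
    // so is_integer() never matches; check the string's characters instead.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    // Cap the length before casting so an overlong digit string never
    // reaches the (int) cast and the range check below.
    if (strlen($raw) > 6) {
        return null;
    }
    $start = (int) $raw;
    return $start <= $max ? $start : null;
}

// Why intval() alone is not validation (constructed inputs):
//   intval('25')     -> 25
//   intval('25abc')  -> 25           trailing junk silently dropped
//   intval('abc')    -> 0
//   intval('-7')     -> -7           a negative offset reaches the query
//   intval('1e9')    -> 1000000000   exponent honoured since PHP 7.1
// Each result is a genuine int, so it cannot break out of a query string,
// but only the first is an acceptable offset; validate_start() rejects the rest.

$start = validate_start($_GET['start'] ?? '');
if ($start === null) {
    http_response_code(400);
    exit('invalid input!');
}

// Bind as an integer parameter instead of interpolating into the SQL
// (assumed PDO/SQLite in-memory connection so the snippet runs on its own).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$stmt = $pdo->prepare('SELECT id, name FROM items ORDER BY id LIMIT 20 OFFSET :start');
$stmt->bindValue(':start', $start, PDO::PARAM_INT);
$stmt->execute();
```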
ibolui
Forum Commoner
Posts: 27
Joined: Thu May 26, 2005 9:41 am

Re: safe codes

Post by ibolui »

hi, why is switching to $_GET recommended? They are the same, aren't they?
aerodromoi wrote:
ibolui wrote: hi, is the following code safe? i.e. can it be used directly for an SQL query or other purpose?

$start = intval($HTTP_GET_VARS['start']);

thanks!
First of all, I'd recommend switching to $_GET['start'].

Secondly, I reckon that there are certain criteria "start" has to meet - for example that it's not greater than 1000.
If you have reason to suspect that someone will try to input a string and start has to be an integer, why don't you
check $_GET['start'] against a regular expression, e.g.

Code:

// eregi() was removed in PHP 7; preg_match('/^[0-9]{1,6}$/', $_GET['start']) is the equivalent
if (!eregi("^[0-9]{1,6}$", $_GET['start'])) die("invalid input!");
aerodromoi
aerodromoi
Forum Contributor
Posts: 230
Joined: Sun May 07, 2006 5:21 am

Re: safe codes

Post by aerodromoi »

ibolui wrote: hi, why is switching to $_GET recommended? They are the same, aren't they?
HTTP_*_VARS are deprecated and, depending on the PHP version, they can be disabled.

aerodromoi

For more information: http://de2.php.net/variables.predefined
ibolui
Forum Commoner
Posts: 27
Joined: Thu May 26, 2005 9:41 am

Post by ibolui »

ohh ok. thanks! :)