safe codes

Posted: Sun Jun 04, 2006 4:02 am
by ibolui
hi, is the following code safe? i.e. can it be used directly for an SQL query or another purpose?

$start = intval($HTTP_GET_VARS['start']);

thanks!

Posted: Sun Jun 04, 2006 5:03 am
by ok
What do you want to do with this??? Post your code!

And, use

 for PHP and [code] for HTML!

Re: safe codes

Posted: Sun Jun 04, 2006 5:11 am
by aerodromoi
ibolui wrote:hi, is the following code safe? i.e. can it be used directly for an SQL query or another purpose?

$start = intval($HTTP_GET_VARS['start']);

thanks!
First of all, I'd recommend switching to $_GET['start'].

Secondly, I reckon that there are certain criteria "start" has - for example that it's not greater than 1000.
If you have reason to suspect that someone will try to input a string and start has to be an integer, why don't you
check $_GET['start'] against a regular expression, eg.

// eregi() was removed in PHP 7; preg_match('/^[0-9]{1,6}$/', $_GET['start']) is the equivalent today
if(!eregi( "^[0-9]{1,6}$", $_GET['start'])) die("invalid input!");
aerodromoi

Posted: Sun Jun 04, 2006 5:15 am
by ok
Or just use is_integer:

// Note: $_GET values are always strings (or arrays), never ints, so the posted
// is_integer($_GET['start']) check is never true and the block would never run.
// ctype_digit() tests the string form; the (int) cast keeps the comparison with $max numeric.
if(ctype_digit($_GET['start'])&&((int)$_GET['start']<$max)){...}
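
The following is an added example, not code from this thread: it puts the intval() check from the original question, the regex check from aerodromoi's reply and the is_integer() check from ok's reply side by side on constructed sample inputs, so the is_integer() pitfall is visible, and goes one step beyond the posts by adding a filter_var() check and passing the validated value to SQL as a bound parameter. The 1000 bound, the "posts" table, the in-memory SQLite database and the function names are assumptions made for the demo.

```php
<?php
// Added example, not code from this thread: the intval(), regex and
// is_integer() checks suggested above, side by side on constructed inputs, plus
// a filter_var() check and a bound SQL parameter. The 1000 bound, the "posts"
// table and the in-memory SQLite database are assumptions for the demo.
declare(strict_types=1);

const START_MAX = 1000; // the "not greater than 1000" bound mentioned in the thread

// 1. intval(): never fails. Non-numeric text becomes 0, "12abc" becomes 12 and
//    oversized values saturate at PHP_INT_MAX. The result is an int, so it cannot
//    carry SQL syntax, but it may silently be a value you did not intend.
function start_via_intval(mixed $raw): int
{
    return intval($raw);
}

// 2. Regex, as in the eregi() suggestion but with preg_match(), since eregi()
//    was removed in PHP 7. Accepts 1 to 6 ASCII digits, then applies the bound.
function start_via_regex(mixed $raw): ?int
{
    if (!is_string($raw) || !preg_match('/^[0-9]{1,6}$/', $raw)) {
        return null;
    }
    $n = (int) $raw;
    return $n <= START_MAX ? $n : null;
}

// 3. is_integer() on a request value: $_GET entries are strings (or arrays),
//    never ints, so this returns null even for "5". The check rejects everything.
function start_via_is_integer(mixed $raw): ?int
{
    return (is_integer($raw) && $raw < START_MAX) ? $raw : null;
}

// 4. filter_var() with FILTER_VALIDATE_INT: rejects "12abc", "5.0", hex and
//    anything outside [0, START_MAX] in one call, and returns a real int.
function start_via_filter(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => START_MAX],
    ]);
    return $n === false ? null : $n;
}

// 5. Even a validated int is passed to SQL as a bound parameter rather than
//    concatenated into the query string; the database never sees user text.
function fetch_page(PDO $db, int $start, int $limit = 20): array
{
    $stmt = $db->prepare('SELECT id, title FROM posts ORDER BY id LIMIT :limit OFFSET :start');
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->bindValue(':start', $start, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample values, in the string form they would have in $_GET.
$samples = ['5', '12abc', '9999999', '1 OR 1=1', '-1'];
foreach ($samples as $raw) {
    printf("%-12s intval=%-8d regex=%-5s is_integer=%-5s filter=%s\n",
        $raw,
        start_via_intval($raw),
        var_export(start_via_regex($raw), true),
        var_export(start_via_is_integer($raw), true),
        var_export(start_via_filter($raw), true));
}

// Tiny in-memory database so the query above can actually run.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $db->prepare('INSERT INTO posts (title) VALUES (:t)');
for ($i = 1; $i <= 30; $i++) {
    $ins->execute([':t' => "post $i"]);
}
$start = start_via_filter($_GET['start'] ?? '5') ?? 0; // fall back to 0 on invalid input
print_r(fetch_page($db, $start, 3));
```

Run it from the command line with the SQLite PDO driver enabled. The first loop makes the difference between the checks concrete: intval() always yields some int, the regex and filter_var() checks reject malformed or out-of-range input outright, and the is_integer() variant never accepts anything because request values are strings. Whichever check is used, the value still goes to the database through bindValue() with PDO::PARAM_INT rather than by string concatenation.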

Re: safe codes

Posted: Sun Jun 04, 2006 8:36 am
by ibolui
hi, why is switching to $_GET recommended? they are the same, aren't they?
aerodromoi wrote:
ibolui wrote:hi, is the following code safe? i.e. can it be used directly for an SQL query or another purpose?

$start = intval($HTTP_GET_VARS['start']);

thanks!
First of all, I'd recommend switching to $_GET['start'].

Secondly, I reckon that there are certain criteria "start" has - for example that it's not greater than 1000.
If you have reason to suspect that someone will try to input a string and start has to be an integer, why don't you
check $_GET['start'] against a regular expression, eg.

if(!eregi( "^[0-9]{1,6}$", $_GET['start'])) die("invalid input!");
aerodromoi

Re: safe codes

Posted: Sun Jun 04, 2006 8:42 am
by aerodromoi
ibolui wrote:hi, why is switching to $_GET recommended? they are the same, aren't they?
HTTP_*_VARS are deprecated and, depending on the PHP version, they can be disabled.

aerodromoi

For more information: http://de2.php.net/variables.predefined

Posted: Sun Jun 04, 2006 8:43 am
by ibolui
ohh ok. thanks! :)