safe codes
Posted: Sun Jun 04, 2006 4:02 am
by ibolui
hi, is the following code safe? i.e. can it be used directly in an SQL query or for other purposes?
$start = intval($HTTP_GET_VARS['start']);
thanks!
Posted: Sun Jun 04, 2006 5:03 am
by ok
What do you want to do with this??? Post your code!
And, use
Re: safe codes
Posted: Sun Jun 04, 2006 5:11 am
by aerodromoi
ibolui wrote:hi, is the following code safe? i.e. can it be used directly in an SQL query or for other purposes?
$start = intval($HTTP_GET_VARS['start']);
thanks!
First of all, I'd recommend switching to $_GET['start'].
Secondly, I reckon that there are certain criteria "start" has, for example that it's not greater than 1000.
If you have reason to suspect that someone will try to input a string and start has to be an integer, why don't you
check $_GET['start'] against a regular expression, e.g.
if(!eregi( "^[0-9]{1,6}$", $_GET['start'])) die("invalid input!");
aerodromoi
Posted: Sun Jun 04, 2006 5:15 am
by ok
Or just use is_integer:
if (is_integer($_GET['start']) && ($_GET['start'] < $max)) { ... }
// note: values in $_GET always arrive as strings, so is_integer() returns false for them;
// ctype_digit() tests whether a string consists only of digits
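Putting the two suggestions above together, here is an added example (not code from any of the posters) that validates a "start" query parameter and then uses it in a query. It assumes PHP 7 or later with PDO and the sqlite driver, none of which the thread mentions; the table, the sample inputs and the 1000 upper bound are constructed here. It also shows why is_integer() on a $_GET value never succeeds, and why intval() alone is not enough: it silently turns "1 OR 1=1" into 1 and enforces no upper bound. (eregi(), used in the regular-expression post, was removed in PHP 7; preg_match() with a delimited pattern is the replacement.)

```php
<?php
// Added example, not code from the thread. Validates an integer "start"
// query parameter and uses it in a query. Assumes PHP 7+ with PDO and the
// sqlite driver (the thread names neither); table and inputs are constructed.
declare(strict_types=1);

/**
 * Return $raw as an integer in [0, $max], or null if it is not one.
 * $_GET values are always strings (or arrays), so is_integer() on them is
 * never true; check the string form first, then convert.
 */
function validatedStart($raw, int $max = 1000): ?int
{
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw) || strlen($raw) > 6) {
        return null;   // non-string, empty, sign, spaces, letters, too long
    }
    $n = (int) $raw;
    return $n <= $max ? $n : null;   // intval() alone never enforces a bound
}

// How intval(), is_integer() and the check above treat typical inputs
// (inputs constructed for this example).
foreach (['10', '1 OR 1=1', '0x1A', '99999999', 'abc'] as $in) {
    printf("%-12s intval=%-9d is_integer=%-5s validated=%s\n",
        var_export($in, true),
        intval($in),
        var_export(is_integer($in), true),
        var_export(validatedStart($in), true));
}

// A constructed table so the query runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $pdo->prepare('INSERT INTO posts (title) VALUES (?)');
for ($i = 1; $i <= 25; $i++) {
    $ins->execute(["post $i"]);
}

// '10' stands in for the request value when this is run from the CLI.
$start = validatedStart($_GET['start'] ?? '10');
if ($start === null) {
    http_response_code(400);
    exit("invalid input!\n");
}

// Even after validation, pass the value as a typed bound parameter rather
// than concatenating it into the SQL string.
$stmt = $pdo->prepare('SELECT id, title FROM posts ORDER BY id LIMIT 5 OFFSET :start');
$stmt->bindValue(':start', $start, PDO::PARAM_INT);
$stmt->execute();
foreach ($stmt as $row) {
    echo $row['id'], ' ', $row['title'], "\n";
}
```

The validation rejects the input outright instead of coercing it, so a request like start=1%20OR%201=1 gets a 400 rather than being quietly treated as page 1; the bound parameter is the second layer, so the query stays safe even if a later edit loosens the validation.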
Re: safe codes
Posted: Sun Jun 04, 2006 8:36 am
by ibolui
hi, why is switching to $_GET recommended? They are the same, aren't they?
aerodromoi wrote:ibolui wrote:hi, is the following code safe? i.e. can it be used directly in an SQL query or for other purposes?
$start = intval($HTTP_GET_VARS['start']);
thanks!
First of all, I'd recommend switching to $_GET['start'].
Secondly, I reckon that there are certain criteria "start" has, for example that it's not greater than 1000.
If you have reason to suspect that someone will try to input a string and start has to be an integer, why don't you
check $_GET['start'] against a regular expression, e.g.
if(!eregi( "^[0-9]{1,6}$", $_GET['start'])) die("invalid input!");
aerodromoi
Re: safe codes
Posted: Sun Jun 04, 2006 8:42 am
by aerodromoi
ibolui wrote:hi, why is switching to $_GET recommended? They are the same, aren't they?
HTTP_*_VARS are deprecated and, depending on the PHP version, they can be disabled.
aerodromoi
For more information:
http://de2.php.net/variables.predefined
Posted: Sun Jun 04, 2006 8:43 am
by ibolui
ohh ok. thanks!
