I have a script that accepts a GET variable, and that variable is used to query a database. How can I make it so it will only accept numbers/integers to prevent from an sql injection?
Obviousally
IF(it is a number)
//execute query
ELSE
die()
but how to I make sure it is an integer?
Checking to see if a variable is an integer
Moderator: General Moderators
-
SidewinderX
- Forum Contributor
- Posts: 407
- Joined: Fri Jul 16, 2004 9:04 pm
- Location: NY
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Then, typecasting would be okay instead?Weirdan wrote:It isn't int, it's a numeric string (see the OP's remark about it being from $_GET)superdezign wrote:is_int()
All get and post variables are initially strings.
I have seen ctype_digit() return false on the number 8 posted from a form. I have no clue why.
For reliability, I use preg_match.
This will ensure it is a number from 1 to 12 digits long OR a number from 1to 12 digits long followed be a decimal point followed by a number from 1 to 12 digits long.
I have seen ctype_digit() return false on the number 8 posted from a form. I have no clue why.
For reliability, I use preg_match.
Code: Select all
$is_num = preg_match('#^[\d]{1,12}|[\d]{1,12}\.[\d]{1,12}$#', $foo) ? true : false;