Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
He told me to filter my input. Did he mean for me to run some kind of escape string check on my variables (in this case 'viewband')? Or is there some other way to filter out scripts in the URL?
Filtering your data is making sure it fits the known expected criteria of the data. If you are placing links around your site that are of the form ?id=5 then you know that you are expecting a number to be tied to the $_GET['id'] var. So, in your script, where you use this data, check to make sure it fits what you expect it to be. If someone gets screwy with your URL and enters ?id=where+1+AND+1+=+1 or whatever the exact string is, they could potentially hose your result set, database or worse, your server.
mysql_escape_string() and its better sibling mysql_real_escape_string() only prepare the data to be sent to MySQL. They do not necessarily protect you from sending bad data to MySQL.
For the first one, first check for equality to 'num'. If that fails, check using ctype_lower() (although I think what you want to use is ctype_alpha, since ctype_lower will exclude capital letters in the string). No regexps needed.
For the next one, create a lookup table of the strings:
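Putting the two answers above together in code (this is an added example, not code posted by anyone in the thread): it validates `id` as an unsigned integer, validates `viewband` by equality to 'num' and then ctype_alpha, keeps a lookup table for a sort parameter, and shows why escaping alone is not filtering. The table name `bands`, the sort keys, and the mysqli connection are assumptions; `addslashes()` stands in for mysql_real_escape_string(), which needs a live connection (and was removed in PHP 7 along with the rest of the mysql_* functions).

```php
<?php
// Added example, not from the thread. Assumes the page's $_GET['id'] and
// $_GET['viewband'] parameters and a hypothetical table bands(id, name).
declare(strict_types=1);

/** Accept only an unsigned decimal integer string such as "5"; reject "5 OR 1=1", "", "1e3". */
function filterId(?string $raw): ?int
{
    if ($raw === null || $raw === '' || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

/** First check equality to 'num', then fall back to ctype_alpha(), as the answer suggests. */
function filterViewband(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    if ($raw === 'num') {
        return 'num';
    }
    return ctype_alpha($raw) ? $raw : null;
}

/** Lookup-table variant: only known keys survive. Strict in_array() avoids loose "0" == "name" matches. */
const ALLOWED_SORT = ['name', 'year', 'genre']; // assumed sort keys
function filterSort(?string $raw): string
{
    return in_array($raw, ALLOWED_SORT, true) ? $raw : 'name';
}

/** Escaping is not filtering: quote-escaping leaves an unquoted numeric context untouched. */
function escapeOnly(string $raw): string
{
    return addslashes($raw); // stand-in for mysql_real_escape_string()
}

/** Use the validated integer through a prepared statement (mysqli assumed). */
function findBand(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM bands WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Demonstration on constructed input (no database needed for this part).
var_dump(filterId('5'));                 // int(5)
var_dump(filterId('5 OR 1=1'));          // NULL: rejected before it reaches SQL
var_dump(escapeOnly('5 OR 1=1'));        // string(8) "5 OR 1=1": nothing to escape, so escaping alone does not help
var_dump(filterViewband('num'));         // string(3) "num"
var_dump(filterViewband('<script>'));    // NULL
var_dump(filterSort('year'));            // string(4) "year"
var_dump(filterSort('0'));               // string(4) "name": loose comparison would not have caught this
```

The point of `escapeOnly()` is the one Everah makes: escaping only deals with quote characters, so a value dropped into `WHERE id=$id` without quotes passes through unchanged. Validate first, then bind.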
Everah wrote:If you are placing links around your site that are of the form ?id=5 then you know that you are expecting a number to be tied to the $_GET['id'] var.
Is there anything wrong with just doing a simple is_numeric($_GET['id']) check? I mean, would that be enough?
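As an added note on the question above (example code, not from anyone in the thread): is_numeric() accepts signs, decimal points, exponents and leading whitespace, which is more than an `?id=5` parameter should ever carry. The script below runs a few constructed inputs through is_numeric(), ctype_digit() and filter_var() with FILTER_VALIDATE_INT so the difference is visible.

```php
<?php
// Added example, not from the thread. Constructed inputs an "id" parameter might receive.
declare(strict_types=1);

/** Strict id check: unsigned decimal digits only, with a length cap to keep it a sane integer. */
function strictId(string $raw, int $maxLen = 10): ?int
{
    if ($raw === '' || strlen($raw) > $maxLen || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

/** Run the three checks on one raw value. */
function checks(string $raw): array
{
    return [
        'is_numeric'   => is_numeric($raw),
        'ctype_digit'  => $raw !== '' && ctype_digit($raw),
        'validate_int' => filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) !== false,
        'strictId'     => strictId($raw) !== null,
    ];
}

$inputs = ['5', '-5', '5.0', '1e3', ' 5', '0x1A', '5 OR 1=1', ''];

printf("%-12s %-11s %-12s %-13s %s\n", 'input', 'is_numeric', 'ctype_digit', 'validate_int', 'strictId');
foreach ($inputs as $raw) {
    $c = checks($raw);
    printf(
        "%-12s %-11s %-12s %-13s %s\n",
        var_export($raw, true),
        var_export($c['is_numeric'], true),
        var_export($c['ctype_digit'], true),
        var_export($c['validate_int'], true),
        var_export($c['strictId'], true)
    );
}
```

is_numeric() says true for '-5', '5.0', '1e3' and ' 5', none of which is an id. ctype_digit() or FILTER_VALIDATE_INT with a min_range is the check that actually matches "a number tied to $_GET['id']", and either way the value should then be cast to int and bound in a prepared statement rather than interpolated.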