<?php
// Strips tags and HTML-encodes every GET value. Note that $$key only creates
// variables local to this function, and the values below are read from $_GET
// before cleanall() is called, so they are not affected by it.
function cleanall()
{
    foreach ($_GET as $key => $val)
    {
        $_GET[$key] = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
        $$key = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
    }
}
echo "<div class=\"box_title_blue\">Following bbb has been found for this query</div>";
$cb = ( isset($_GET['cb']) ) ? $_GET['cb'] : 0; // category: strictly numeric, from the database
$cb = (int) $cb;
// Default to 0 (all) if not set
$exp = ( isset($_GET['exp']) ) ? trim($_GET['exp']) : 0; // experience: also strictly numeric
$exp = (int) $exp;
// jobt can be either 'a' for all or some number, so I am trying to make this better,
// but how can I do that? Default to 0 if not set.
if ( isset($_GET['jobt']) && !ctype_alnum($_GET['jobt']) )
{
    echo "only A-Z a-z 0-9 are Allowed";
    exit();
}
else
{
    $jobt = ( isset($_GET['jobt']) ) ? $_GET['jobt'] : 0;
}
// edu (qualification): 'a' or some number. Default to 0 if not set.
if ( isset($_GET['edu']) && !ctype_alnum($_GET['edu']) )
{
    echo "only A-Z a-z 0-9 are Allowed";
    exit();
}
else
{
    $edu = ( isset($_GET['edu']) ) ? $_GET['edu'] : 0;
}
$city = ( isset($_GET['city']) ) ? $_GET['city'] : 0; // city: will be alphanumeric
$sal1 = ( isset($_GET['sal1']) ) ? $_GET['sal1'] : 0; // strictly a number
$sal1 = (int) $sal1;
$sal2 = ( isset($_GET['sal2']) ) ? $_GET['sal2'] : 9999999; // numeric
$sal2 = (int) $sal2;
cleanall();
$trimmed = trim($var); // trim whitespace from the stored variable ($var is never assigned above, so this is always empty)
require_once ('../../dbconnect.php');
$query = "SELECT * FROM table where category=$cb and salary>$sal1 and salary<$sal2 and
experi>=$exp";

I am still updating it... but are there any security loopholes?
Can it be made better?
By the way, it takes care of datatypes and ' " and all, but I am concerned about somebody passing a command through GET, like
SHUTDOWN and all.
How can I integrate protection from that part in this code?
I notice that when I use GET, all values are seen in the address bar, which very much provokes the user to change data and see the result, so is it
good to use POST here?
What can be the disadvantages of doing so?
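As an added example that is not part of the post, here is the same search built with a prepared statement: the request values are validated to the types the post describes and then bound as parameters, so the SQL text never contains user input and a value like SHUTDOWN is only ever compared as data. It assumes PDO with MySQL, the post's placeholder table and column names, and placeholder DSN credentials; `jobt` and `edu` are validated as 'a' or an integer but, as in the post's query, not yet used in the SQL.

```php
<?php
// Added example, not the poster's code. Request values are validated by type and
// bound as parameters; the SQL string itself is fixed text. Table and column
// names follow the post; host, database name and credentials are placeholders.

/** Integer from $src[$key], or $default when absent, not a string, or not an integer. */
function getInt(array $src, string $key, int $default): int
{
    if (!isset($src[$key]) || !is_string($src[$key])) {   // rejects ?cb[]=1 style input
        return $default;
    }
    $v = filter_var($src[$key], FILTER_VALIDATE_INT);
    return ($v === false) ? $default : $v;
}

/** 'a' (all) or a number, as the post describes jobt and edu; anything else is rejected. */
function getIdOrAll(array $src, string $key): ?int
{
    if (!isset($src[$key]) || $src[$key] === 'a') {
        return null;                                        // null means "no filter"
    }
    $v = is_string($src[$key]) ? filter_var($src[$key], FILTER_VALIDATE_INT) : false;
    if ($v === false) {
        http_response_code(400);
        exit("only 'a' or a number is allowed for " . $key);
    }
    return $v;
}

$cb   = getInt($_GET, 'cb', 0);
$exp  = getInt($_GET, 'exp', 0);
$sal1 = getInt($_GET, 'sal1', 0);
$sal2 = getInt($_GET, 'sal2', 9999999);
$jobt = getIdOrAll($_GET, 'jobt');   // validated here; the post's query does not use it yet
$edu  = getIdOrAll($_GET, 'edu');
// Fixed SQL text with placeholders; the values travel separately as bound parameters.
$sql = 'SELECT * FROM `table` WHERE category = ? AND salary > ? AND salary < ? AND experi >= ?';
$pdo = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'DBUSER', 'DBPASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,                    // real server-side prepares
]);
$stmt = $pdo->prepare($sql);
$stmt->execute([$cb, $sal1, $sal2, $exp]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo '<div class="box_title_blue">', count($rows), ' results found for this query</div>';
foreach ($rows as $row) {
    // Encode on output, so whatever is stored in the database cannot become HTML here.
    echo '<pre>', htmlspecialchars(print_r($row, true), ENT_QUOTES, 'UTF-8'), '</pre>';
}
```

Because the parameters are bound rather than interpolated, the same code is safe whether the values arrive by GET or POST; switching to POST only hides them from the address bar, it does not add protection against a user who edits the request.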