In PHP, if variables are taken from the query string and used inside a MySQL query, they must be sanitized (checked) before use.
When we don't expect anything other than a numeric value, we can check the variable with the is_numeric PHP function and terminate the program if the data is not a number. Here is sample code for this:

$pc_id = $_GET['pc_id'];
if (!is_numeric($pc_id)) {
    echo "Data Error";
    exit;
}

$start = $_GET['start'];
if (strlen($start) > 0 and !is_numeric($start)) {
    echo "Data Error";
    exit;
}
If we expect only alphanumeric characters, then we can use the ctype_alnum function:

if (!ctype_alnum($var)) {
    echo "Data Error";
    exit;
}
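As an added example (not the post's own code), the same checks wrapped in reusable functions over a constructed stand-in for $_GET; the parameter name var and the table name products are hypothetical. It also tightens the numeric check, because is_numeric also accepts values such as "1.5", "1e3" and " 7" that are not what an ID or offset column expects.

```php
<?php
// Added example, not code from the original post.

// Returns the raw value only when it is a plain string (start[]=1 would
// arrive as an array and break strlen()/is_numeric() checks).
function param(array $get, string $key): ?string
{
    return (isset($get[$key]) && is_string($get[$key])) ? $get[$key] : null;
}

// Strict integer check: is_numeric() also accepts "1.5", "1e3", " 7"
// (and "0x1A" on PHP 5), so the value must also round-trip through (int).
function toInt(string $raw): ?int
{
    if (!is_numeric($raw) || (string)(int)$raw !== $raw) {
        return null;
    }
    return (int)$raw;
}

// Validates the values the post discusses. Returns clean values, or null
// when any check fails so the caller can print "Data Error" and exit.
function validateParams(array $get): ?array
{
    $raw = param($get, 'pc_id');                 // required integer id
    $pcId = ($raw === null) ? null : toInt($raw);
    if ($pcId === null) {
        return null;
    }
    $start = 0;                                  // optional, non-negative
    $raw = param($get, 'start');
    if ($raw !== null && strlen($raw) > 0) {
        $start = toInt($raw);
        if ($start === null || $start < 0) {
            return null;
        }
    }
    $var = param($get, 'var');                   // hypothetical alnum param
    if ($var === null || !ctype_alnum($var)) {
        return null;
    }
    return ['pc_id' => $pcId, 'start' => $start, 'var' => $var];
}

// Constructed sample input standing in for $_GET.
$clean = validateParams(['pc_id' => '12', 'start' => '', 'var' => 'abc123']);
if ($clean === null) {
    echo "Data Error";
    exit;
}
// Both values are now plain ints, so %d cannot be turned into SQL syntax.
$sql = sprintf("SELECT * FROM products WHERE pc_id = %d LIMIT %d, 20",
               $clean['pc_id'], $clean['start']);
```

With this input validateParams() returns pc_id 12, start 0 and var "abc123", while inputs such as '1e3' or ' 7' for pc_id are rejected even though is_numeric() alone accepts them.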
Tuesday, June 29, 2010
enhance SQL security