sanitize $_GET and set to variable

**oknow** · May 12, 2011 19:25

I am trying to sanitize $_GET['user'], check if the user exists in the database, and then set it to a variable ($g_user) for use in the rest of the page.

I came up with this and am wondering if it is ok?

Code php:

if (isset($_GET['user'])) {
	$user = filter_input(INPUT_GET, 'user', FILTER_SANITIZE_STRING);
	$find_user = mysqli_query($link, sprintf("SELECT username FROM users WHERE username = '%s'",
		mysqli_real_escape_string($link, $user)
	));
		$result = mysqli_num_rows($find_user);
			if ($result != 1) {
				$error = 'User not found.';
				include 'error.php';
				exit();
			}
			else {
			$g_user = $user;
		}
}

or even this?

Code php:

$user = filter_input(INPUT_GET, 'user', FILTER_SANITIZE_STRING);
if (empty($user)) {
	header('Location: /');
	exit();
}
else {
$find_user = mysqli_query($link, sprintf("SELECT username FROM users WHERE username = '%s'",
		mysqli_real_escape_string($link, $user)
	));
		$result = mysqli_num_rows($find_user);
			if ($result != 1) {
                $error = 'User not found.';
                include 'error.php';
                exit();
			}
			else {
			$g_user = $user;
		}
}

edit: the reason I ask is because I only just recently learned about filtering and sprintf, so I want to make sure I am doing this the right way.

**Zurev** · May 12, 2011 20:03

At quick glance the second one looks fine, you pretty much want to perform the same sanitizing you do when a username is initially registered, then check for the row count, which you've clearly done.

However, why the need for sprintf?

**paul_wilkins** · May 13, 2011 00:01

Originally Posted by Zurev

At quick glance the second one looks fine, you pretty much want to perform the same sanitizing you do when a username is initially registered, then check for the row count, which you've clearly done.

However, why the need for sprintf?

Because when appropriately formatted, it can provide a useful and readable understanding of the code? Although, when only one variable is used the benefit isn't as easy to determine.

Code php:

$sql = sprintf('SELECT username FROM users WHERE username = "%s"',
        mysqli_real_escape_string($link, $user)
);
$find_user = mysqli_query($link, $sql);

It might also be usefully formatted like this:

Code php:

$sql = 'SELECT username' .
    ' FROM users' .
    ' WHERE username = "' . mysqli_real_escape_string($link, $user) . '"';
$find_user = mysqli_query($link, $sql);

Or if it were in its own function, perhaps something like this:

Code php:

$user = mysqli_real_escape_string($link, $user);
 
$sql = 'SELECT username' .
    ' FROM users' .
    ' WHERE username = "' . $user . '"';
$find_user = mysqli_query($link, $sql);

**Arkh** · May 13, 2011 00:23

You are using mysqli, why don't you also use one of its most important possibilities : prepared statements ?

**paul_wilkins** · May 13, 2011 00:26

Originally Posted by Arkh

You are using mysqli, why don't you also use one of its most important possibilities : prepared statements ?

You'll find that prepared statements were suggested, complete with sample code, in this post

I suspect that the OP might find them too unusual to warrant with, but prepared statements are the safest way to pass variables to the database.

**Arkh** · May 13, 2011 00:29

Originally Posted by paul_wilkins

You'll find that prepared statements were suggested, complete with sample code, in this post

I suspect that the OP might find them too unusual to warrant with, but prepared statements are the safest way to pass variables to the database.

As he is using sprintf to format his sql strings, I think prepared statements are one step away as those are almost the same thing.

**oknow** · May 13, 2011 06:46

Thanks all.

Firstly, I'm glad I got something right!

re sprintf: in the past, before I knew better, I would have done it like this:

Code php:

$user = filter_input(INPUT_GET, 'user', FILTER_SANITIZE_STRING);
if (empty($user)) {
    header('Location: /');
    exit();
}
else {
$user = mysqli_real_escape_string($link, $user)
$find_user = mysqli_query($link, sprintf("SELECT username FROM users WHERE username = '$user'");
        $result = mysqli_num_rows($find_user);
            if ($result != 1) {
                $error = 'User not found.';
                include 'error.php';
                exit();
            }
            else {
            $g_user = $user;
        }
}

But I was under the impression that it was not correct as you are replacing the sanitized variable straight away and then letting it persist after the query, and that is fixed by the sprintf method I chose to use, or by:

Code php:

WHERE username = "' . mysqli_real_escape_string($link, $user) . '"';

If I understood correctly, as long as you escape variables WITHIN the query only, it is the right way.

re prepared statements: Paul has helped me out a lot recently and I have learned a great deal, and as he said he provided some examples.. but it just looks completely foreign to me right now.

It has taken me some months to get where I am (from not knowing how to even include a file, and I can now do quite a bit) with procedural style.

However, once I finish this site that I am working on, I fully intend to make another site and learn prepared statements.

**oknow** · May 13, 2011 07:21

Changed it around a little. I forgot about separating the sql query and the result. However it is more clear (to me) how to properly do that when it is a 'simple' query like an INSERT...

Seeing as though I have to do a mysqli_num_rows check... it just doesn't seem like I have the layout right around $result/$find_user. Seems kinda messy now... or is this fine?

Code php:

$sql = sprintf("SELECT username FROM users WHERE username = '%s'",
        mysqli_real_escape_string($link, $user)
    );
	$result = mysqli_query($link, $sql);
        $find_user = mysqli_num_rows($result);
            if ($find_user != 1) {
                $error = 'User not found';
                include 'error.php';
                exit();
            }

**paul_wilkins** · May 13, 2011 14:48

The indenting is kind of messy, but there are also some minor improvements that can be made too.

The mysqli_num_rows function is simple enough that the code should become even more easily understandable when it's moved inside of the if condition.
Using != is also a sloppy practice. With !== there tends to be less confusion and better accuracy.

And if you like, we can also put in a visual break between getting the result and doing something with the result.

Code php:

$sql = sprintf("SELECT username FROM users WHERE username = '%s'",
    mysqli_real_escape_string($link, $user)
);
$result = mysqli_query($link, $sql);
 
if (mysqli_num_rows($result) !== 1) {
    $error = 'User not found';
    include 'error.php';
    exit();
}

**oknow** · May 13, 2011 18:42

Thank you Paul, that looks better. And thanks for the != tip too, looked that up and I understand why - have replaced it throughout my code.

User Tag List

Thread: sanitize $_GET and set to variable

Thread Tools

Display

sanitize $_GET and set to variable

Bookmarks

Bookmarks

Posting Permissions