Page 2 of 2 (results 26 to 35 of 35)
  1. #26
    SitePoint Guru (vinpkl), joined Nov 2008, 622 posts
    Quote originally posted by cpradio:
    PHP Code:
    $product_id = intval($_REQUEST['product_id']);
    $qry = "select * from product_table where product_id=" . $product_id;
    hi cp

    Also while displaying the product_id I will be using intval or htmlspecialchars
    PHP Code:
    <?php
    echo intval($product_id);
    ?>
    vineet

  2. #27
    cpradio, Hosting Team Leader, joined Jun 2002, Ohio, 5,071 posts
    Quote originally posted by vinpkl:
    hi cp

    Also while displaying the product_id I will be using intval or htmlspecialchars
    PHP Code:
    <?php
    echo intval($product_id);
    ?>
    vineet
    It doesn't matter for an integer based value, however, if you want to always display a 0 or the actual number, intval() will be better suited. As htmlspecialchars will let it display non-numeric values (if product_id were to somehow contain non-numeric values).
    Be sure to congratulate Patche on earning July's Member of the Month
    Go ahead and blame me, I still won't lose any sleep over it
    My Blog | My Technical Notes

  3. #28
    SitePoint Guru (vinpkl), joined Nov 2008, 622 posts
    hi cp

    Does .htaccess URL shortening/rewriting help in avoiding SQL injection?

    vineet

  4. #29
    cpradio, Hosting Team Leader, joined Jun 2002, Ohio, 5,071 posts
    No, as that data is simply passed back to your script.

  5. #30
    SitePoint Guru (vinpkl), joined Nov 2008, 622 posts
    hi cp

    If I already have mysql_real_escape_string in my query, is it then also required to add mysql_real_escape_string to the variable values of the <a href> URL link?
    Code:
    <a href=products.php?dealerid=1&dealername='samsung'>
    Do I need to convert the above link to
    Code:
    <a href=products.php?dealerid=".intval(1)."&dealername=".mysql_real_escape_string('samsung').">
    EDIT: You already posted in your earlier post that mysql_real_escape_string is used only with the where clause in the query.

    But I still wanted to confirm.

    vineet

  6. #31
    cpradio, Hosting Team Leader, joined Jun 2002, Ohio, 5,071 posts
    Quote originally posted by vinpkl:
    hi cp

    If I already have mysql_real_escape_string in my query, is it then also required to add mysql_real_escape_string to the variable values of the <a href> URL link?
    Code:
    <a href=products.php?dealerid=1&dealername='samsung'>
    Do I need to convert the above link to
    Code:
    <a href=products.php?dealerid=".intval(1)."&dealername=".mysql_real_escape_string('samsung').">
    EDIT: You already posted in your earlier post that mysql_real_escape_string is used only with the where clause in the query.

    But I still wanted to confirm.

    vineet
    No, but you may want to use urlencode() so that any characters such as & or = are converted to their hexadecimal format.

  7. #32
    SitePoint Guru (vinpkl), joined Nov 2008, 622 posts
    hi cp

    What do we use to check whether the value of intval is set or not?

    PHP Code:
    $id = intval($_REQUEST['id']);

    if (!isset($id))

    or

    if ($id == 0)
    vineet

  8. #33
    cpradio, Hosting Team Leader, joined Jun 2002, Ohio, 5,071 posts
    Quote originally posted by vinpkl:
    hi cp

    What do we use to check whether the value of intval is set or not?

    PHP Code:
    $id = intval($_REQUEST['id']);

    if (!isset($id))

    or

    if ($id == 0)
    vineet

    PHP Code:
    $id = 0;
    if (isset($_REQUEST['id']) && is_numeric($_REQUEST['id']))
    {
      // valid int
      $id = intval($_REQUEST['id']);
    }


  9. #34
    SitePoint Guru (vinpkl), joined Nov 2008, 622 posts
    Quote originally posted by cpradio:
    PHP Code:
    $id = 0;
    if (isset($_REQUEST['id']) && is_numeric($_REQUEST['id']))
    {
      // valid int
      $id = intval($_REQUEST['id']);
    }

    hi cp

    If $id is not set then it will always return "0" instead of NULL

    vineet

  10. #35
    cpradio, Hosting Team Leader, joined Jun 2002, Ohio, 5,071 posts
    With the way I wrote it, yes that is true. You can default it to null if you'd like.
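As an added example (not code from the thread or from either poster), here are both sides of the link discussed in post #31 and the parameter check from posts #33 to #35 carried through to the query from post #26; the helper names build_dealer_link(), read_int_param() and build_product_query() are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed helper names:
// build_dealer_link(), read_int_param(), build_product_query().

// Sending side (post #31): every query-string value goes through urlencode(),
// so '&', '=', quotes and spaces cannot split the URL into extra parameters,
// and the finished href is htmlspecialchars()ed because it sits in an HTML attribute.
function build_dealer_link(int $dealerid, string $dealername): string
{
    $url = 'products.php?dealerid=' . intval($dealerid)
         . '&dealername=' . urlencode($dealername);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($dealername, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Receiving side (posts #33 to #35): the isset()/is_numeric() check, returning
// null instead of 0 when the parameter is missing or not a number, so the caller
// can tell "absent" from a real id of 0. Note that is_numeric() also accepts
// "4.5" and "1e3"; filter_var($v, FILTER_VALIDATE_INT) is the stricter choice.
function read_int_param(array $request, string $name): ?int
{
    if (!isset($request[$name]) || !is_numeric($request[$name])) {
        return null;
    }
    return intval($request[$name]);
}

// The query from post #26 built only from the validated integer: no request
// string is ever concatenated into the SQL text, so there is nothing to inject.
function build_product_query(array $request): ?string
{
    $id = read_int_param($request, 'product_id');
    if ($id === null) {
        return null;   // caller answers "not found", instead of querying id=0
    }
    return 'SELECT * FROM product_table WHERE product_id = ' . $id;
}

// Constructed sample requests (not real traffic).
$cases = [
    ['product_id' => '42'],      // valid
    ['product_id' => '42abc'],   // intval() alone would silently give 42; rejected here
    [],                          // missing: null, not a silent 0
];
foreach ($cases as $req) {
    var_dump(build_product_query($req));
}
echo build_dealer_link(1, "Sam & Sons 'Ltd'"), "\n";
```

The second sample shows why the is_numeric() check matters on its own: intval() would accept a value it cannot fully parse, while the combined check rejects it.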

