使用is_numeric进行表单验证
[英]Using is_numeric for form validation
问题描述
I have some links structured as follows... 
我有一些结构如下......
http://domain.com?problem_id=23&course_id=4
The expected values from the GET "fields" (problem_id and course_id) are to be integers. GET“fields”(problem_id和course_id)的期望值是整数。 Can I validate this data by simply saying... 我可以简单地说......来验证这些数据吗?
if (is_numeric($_GET['problem_id'])){
//It's safe, so do stuff.
} else {
echo 'It appears you submitted a problem incorrectly. Please contact us for assistance';
exit;
}
Or is this still open to nastiness like sql injection, etc.? 或者这仍然像sql注入等那样肮脏吗?
PROPOSED SOLUTION 建议的解决方案
$int_problem_id = (int) $_GET['problem_id'];
if (ctype_digit($int_problem_id)){
//It's safe, so do stuff.
} else {
echo 'It appears you submitted a problem incorrectly. Please contact us for assistance';
exit;
}
2 个解决方案
解决方案1
2 已采纳 2013-06-22 17:10:22
Yes, it is a solution. 是的,这是一个解决方案。 Also, you can additionally cast to int. 此外,您还可以转换为int。
$integer = (int) $_GET['problem_id'] ;
You should secure all the input for your database even though numeric values will do no harm as they do not contain special symbols. 您应该保护数据库的所有输入,即使数值不会造成任何损害,因为它们不包含特殊符号。
解决方案2
1 2013-06-22 17:09:10
You would have ensured that ?problem_id= is numeric. 您可以确保?problem_id=是数字。 All of your other fields may still be at risk though, so this isn't the proper way of securing against SQL injection. 您的所有其他字段可能仍然存在风险,因此这不是防止SQL注入的正确方法。 You should look into PDO and MySQLi, and their bindParam / bind_params functions. 您应该查看PDO和MySQLi及其bindParam / bind_params函数。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.