
Using is_numeric for form validation

I have some links structured as follows...

http://domain.com?problem_id=23&course_id=4

The expected values from the GET "fields" (problem_id and course_id) are to be integers. Can I validate this data by simply saying...

if (is_numeric($_GET['problem_id'])){
   //It's safe, so do stuff.
} else {
   echo 'It appears you submitted a problem incorrectly.  Please contact us for assistance';
   exit;
}

Or is this still open to nastiness like sql injection, etc.?

PROPOSED SOLUTION

// Check the raw query string, not the cast value: ctype_digit() given an int
// tests an ASCII code rather than the digits, and non-string arguments are
// deprecated since PHP 8.1.
if (ctype_digit($_GET['problem_id'])){
   $int_problem_id = (int) $_GET['problem_id'];
   //It's safe, so do stuff.
} else {
   echo 'It appears you submitted a problem incorrectly.  Please contact us for assistance';
   exit;
}

Yes, it is a solution. Also, you can additionally cast to int.

$integer = (int) $_GET['problem_id'] ;

You should secure all the input for your database even though numeric values will do no harm as they do not contain special symbols.

You would have ensured that ?problem_id= is numeric. All of your other fields may still be at risk though, so this isn't the proper way of securing against SQL injection. You should look into PDO and MySQLi, and their bindParam / bind_param functions.
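An added example (not from the question or any of the answers): it compares is_numeric, ctype_digit and FILTER_VALIDATE_INT on constructed inputs, then shows a strict id check and the bound-parameter query the last answer recommends. The table and column names and the commented-out DSN are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed inputs showing that "numeric" is wider than "integer".
$samples = ['23', '-23', '23.5', '1e3', ' 23', '0x1A', '23abc', ''];
foreach ($samples as $raw) {
    printf("%-8s is_numeric=%-5s ctype_digit=%-5s FILTER_VALIDATE_INT=%s\n",
        var_export($raw, true),
        var_export(is_numeric($raw), true),
        var_export(ctype_digit($raw), true),
        var_export(filter_var($raw, FILTER_VALIDATE_INT), true));
}

// Returns the parameter as a positive int, or null when it is absent or not a
// plain string of digits. Arrays can arrive via ?problem_id[]=1, and
// ctype_digit() on a non-string is deprecated since PHP 8.1, so the type is
// checked first; filter_var() then rejects values that overflow PHP's int.
function requireId(array $query, string $name): ?int
{
    $raw = $query[$name] ?? null;
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Even a validated int is bound, never interpolated into the SQL string, so the
// query stays safe when text fields are added later. Table/column names are assumed.
function loadProblem(PDO $db, int $problemId, int $courseId): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM problems WHERE problem_id = :pid AND course_id = :cid'
    );
    $stmt->bindValue(':pid', $problemId, PDO::PARAM_INT);
    $stmt->bindValue(':cid', $courseId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$problemId = requireId($_GET, 'problem_id');
$courseId  = requireId($_GET, 'course_id');
if ($problemId === null || $courseId === null) {
    http_response_code(400);
    exit('It appears you submitted a problem incorrectly. Please contact us for assistance');
}
// $db = new PDO('mysql:host=localhost;dbname=school', 'user', 'pass');   // assumed DSN
// $problem = loadProblem($db, $problemId, $courseId);
```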
