My code:
    // grow views
    if (isset($_GET['u'])){
        $_GET['u'] = $u;
        mysql_query("UPDATE `phpbb_users` SET user_refs=user_refs+1 WHERE `user_id` = '$u' LIMIT 1 ;") or die(mysql_error());
        mysql_query("UPDATE `phpbb_stats` SET stats_refs=stats_refs+1 WHERE `stats_day` = NOW( ) LIMIT 1 ;") or die(mysql_error());
        if (mysql_affected_rows()==0) {
            mysql_query("INSERT INTO `phpbb_stats` ( `stats_refs` , `stats_day` )VALUES ('1', NOW( ));") or die(mysql_error());
        }
    }
Problem is the $_GET['u'] = $u;
I think I have a bit of a security hole there. How do I make this secure?
Thanks!
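One way to handle the `u` parameter safely, shown as an added example that is not part of the original post: validate it as a positive integer, then pass it to the database only through prepared-statement placeholders. Table and column names are taken from the post; the function name `count_referral`, the PDO connection, the in-memory SQLite demo schema and the sample inputs are assumptions made so the script runs offline. It also binds the day from PHP instead of calling `NOW()` and drops `LIMIT 1`, assuming `user_id` is unique.

```php
<?php
// Added example. Table and column names are from the post; count_referral()
// and the SQLite demo schema are constructed for illustration.
function count_referral(PDO $db, array $query): bool
{
    // Read the id *from* the request and accept only a positive integer.
    // Missing keys, arrays and strings such as "2 abc'" all yield false.
    $u = filter_var($query['u'] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1]]);
    if ($u === false) {
        return false;
    }
    $today = date('Y-m-d'); // bound as data below instead of calling NOW()
    try {
        // Placeholders keep request data out of the SQL text entirely.
        $stmt = $db->prepare(
            'UPDATE phpbb_users SET user_refs = user_refs + 1 WHERE user_id = :u');
        $stmt->bindValue(':u', $u, PDO::PARAM_INT);
        $stmt->execute();
        if ($stmt->rowCount() === 0) {
            return false; // no such user: count nothing
        }
        $stmt = $db->prepare(
            'UPDATE phpbb_stats SET stats_refs = stats_refs + 1 WHERE stats_day = :d');
        $stmt->execute([':d' => $today]);
        if ($stmt->rowCount() === 0) {
            $stmt = $db->prepare(
                'INSERT INTO phpbb_stats (stats_refs, stats_day) VALUES (1, :d)');
            $stmt->execute([':d' => $today]);
        }
        return true;
    } catch (PDOException $e) {
        error_log($e->getMessage()); // log it; do not echo DB errors to visitors
        return false;
    }
}

// Constructed demo: in-memory SQLite stands in for the forum's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, user_refs INTEGER DEFAULT 0)');
$db->exec('CREATE TABLE phpbb_stats (stats_day TEXT, stats_refs INTEGER DEFAULT 0)');
$db->exec('INSERT INTO phpbb_users (user_id) VALUES (2)');
foreach ([['u' => '2'], ['u' => "2 abc'"], ['u' => ['2']], []] as $query) {
    var_dump(count_referral($db, $query));
}
```

On the real page the call would be `count_referral($db, $_GET)` with a PDO connection to the forum's MySQL database.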