numbers only?

jasondavis

Is there a way to make sure $friendid is only a number and not anything else?

if($friendid!='' )
	{

	$sql = mysql_query("SELECT * FROM friend_reg_user WHERE username='$friendid'");
	$result = mysql_num_rows($sql);
		if($result=="0"){

		} else {
		$sql="insert into friend_friend (userid,friendid,status,submit_date,alert_message) values ('$last_id','$friendid','Approve',now(),'no')";
		executeQuery($sql);
		$sql="insert into friend_friend (userid,friendid,status,submit_date,alert_message) values ('$friendid','$last_id','Approve',now(),'no')";
		executeQuery($sql);
       }
}

etully

This will remove anything from the string that is not a number:
$friendid = ereg_replace("[^{0-9]","",$friendid);}

This will make the page stop if the variable has any non-numbers:
if (ereg("[^{0-9]",$friendid))} { print "bad things happening"; exit; }

jasondavis

thanks 🙂

NogDog

You might also want to look at [man]ctype_digit[/man] for probably the best speed.

if(ctype_digit($friendid))
{
   // valid
}
else
{
   // NOT valid
}

Another option is simply to cast the value to an integer:

$friendid = (int) $friendid;

bradgrafelman

And also note that the ereg()/eregi() functions shouldn't be used - they're deprecated in favor of the [man]PCRE[/man] functions. But as NogDog points out, regular expression matching isn't needed here at all.

Either way, don't forget to mark this thread resolved.