[RESOLVED] need help with string

jasondavis

I have a page where I am going to let a user call it like this below

test.php?id=1,2,3,4,5

On my php page I am taking the value of $_GET['id'] and using it like this


$sql = 'SELECT * FROM friend WHERE auto_id in('.$id.')';

$result2= executequery($sql);

So can someone help me to make sure this variable is always good, for instance I want to make sure it never ends with , because if it's like this 1,2,3,4, it would give errors from mysql

Horizon88

if (substr($id, -1) == ',') {
   // set a default value or something here
   $id = '1,2,3';
}
$sql = 'SELECT * FROM friend WHERE auto_id in('.$id.')';

That'll check if the last character on $id is a comma, if it is, set a default $id to '1,2,3'.

Weedpacket

jasondavis wrote:
because ... it would give errors from mysql

If you were inserting it straight into a database query which is something you should NEVER do with user-supplied input.

Which is of course why you're wanting to parse and validate the input - not because a trailing comma would "give errors from mysql" but because you don't want to get thoroughly burned.

A PCRE regular expression would be

\d+(,\d+)*

More checking (to avoid things like 235743587632857648756357836578265782652657827826578265782657825,23875628562378562378562785627856278567823657826578265782 or 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6)

$ids = array_unique(array_map('intval', explode(',', $_GET['id'])));
$id_string = join(',', $ids);

jasondavis

wow thanks that is perfect exactly what I wanted in the end result, I would of never been able to piece that together, thanks

Weedpacket wrote:
If you were inserting it straight into a database query which is something you should NEVER do with user-supplied input.

Which is of course why you're wanting to parse and validate the input - not because a trailing comma would "give errors from mysql" but because you don't want to get thoroughly burned.

A PCRE regular expression would be
\d+(,\d+)*
More checking (to avoid things like 235743587632857648756357836578265782652657827826578265782657825,23875628562378562378562785627856278567823657826578265782 or 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6)
$ids = array_unique(array_map('intval', explode(',', $_GET['id'])));
$id_string = join(',', $ids);

jasondavis

I have 1 more question, with the code above, is it possible to limit how many ID number are put in, for example I would like to prevent users from using more then 10 id's if possible

laserlight

After you have your array of ids, do a count() and either report an error or simply snip off the extra ids.

jasondavis

I tried

$count = count($id_string);
echo $count;

but it prints 1

tsinka

Hi,

you need to count the number of items in the id array:

count($ids)

jasondavis

ok that makes sense and works, so now im looking for a way to cut off anythaing in the array cound higher then 10 items any ideas?

tsinka

There are several ways .... here are two:

have a look at the array_slice function
modify the pattern if you're using preg_match

jasondavis

I been playing with this all day with no luck, im sure its really simple to someone who understands it better, if someone understand easily could you please help m, i'd be very greatful

jasondavis

I was able to get it working by adding a number to explode function

$ids = array_unique(array_map('intval', explode(',', $id,5)));

//instead of 

$ids = array_unique(array_map('intval', explode(',', $_GET['id'])));