I have a page where I am going to let a user call it like this:

test.php?id=1,2,3,4,5

On my PHP page I am taking the value of $_GET['id'] and using it like this:


$sql = 'SELECT * FROM friend WHERE auto_id in('.$id.')';

$result2= executequery($sql);

So can someone help me make sure this variable is always good? For instance, I want to make sure it never ends with a comma, because if it's like this, 1,2,3,4, it would give errors from MySQL.

    if (substr($id, -1) == ',') {
       // set a default value or something here
       $id = '1,2,3';
    }
    $sql = 'SELECT * FROM friend WHERE auto_id in('.$id.')';
    

    That'll check if the last character on $id is a comma, if it is, set a default $id to '1,2,3'.

      jasondavis wrote:

      because ... it would give errors from mysql

      If you were inserting it straight into a database query which is something you should NEVER do with user-supplied input.

      Which is of course why you're wanting to parse and validate the input - not because a trailing comma would "give errors from mysql" but because you don't want to get thoroughly burned.

      A PCRE regular expression would be

      \d+(,\d+)*

      More checking (to avoid things like 235743587632857648756357836578265782652657827826578265782657825,23875628562378562378562785627856278567823657826578265782 or 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6)

      $ids = array_unique(array_map('intval', explode(',', $_GET['id'])));
      $id_string = join(',', $ids);
      

        wow thanks that is perfect exactly what I wanted in the end result, I would of never been able to piece that together, thanks

        Weedpacket wrote:

        If you were inserting it straight into a database query which is something you should NEVER do with user-supplied input.

        Which is of course why you're wanting to parse and validate the input - not because a trailing comma would "give errors from mysql" but because you don't want to get thoroughly burned.

        A PCRE regular expression would be

        \d+(,\d+)*

        More checking (to avoid things like 235743587632857648756357836578265782652657827826578265782657825,23875628562378562378562785627856278567823657826578265782 or 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6)

        $ids = array_unique(array_map('intval', explode(',', $_GET['id'])));
        $id_string = join(',', $ids);
        

I have one more question. With the code above, is it possible to limit how many ID numbers are put in? For example, I would like to prevent users from using more than 10 IDs if possible.

            After you have your array of ids, do a count() and either report an error or simply snip off the extra ids.

              I tried

              $count = count($id_string);
              echo $count;

              but it prints 1

                Hi,

                you need to count the number of items in the id array:

                count($ids)

OK, that makes sense and works. So now I'm looking for a way to cut off anything in the array count higher than 10 items. Any ideas?

                    There are several ways .... here are two:

                    1. have a look at the array_slice function
                    2. modify the pattern if you're using preg_match
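Putting the two suggestions together (validate and de-duplicate the list as Weedpacket showed, then cap it at 10 with array_slice), here is an added example written for this thread, not code posted by anyone above. It assumes a PDO connection in $pdo, which the thread never shows; the sample input is constructed.

```php
<?php
// Validate a comma-separated id list, cap it at $max entries, and hand back
// a clean integer array. Nothing from $_GET is ever concatenated into SQL.
function parse_id_list(string $raw, int $max = 10): array
{
    // Same shape Weedpacket's pattern describes: digits, optionally followed
    // by ",digits" groups. A trailing comma or any non-digit fails here.
    if (!preg_match('/^\d+(,\d+)*$/', $raw)) {
        return [];
    }
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        // (int) on an over-long digit string saturates at PHP_INT_MAX instead
        // of failing, so drop absurd values rather than letting them through.
        // 18 digits is a constructed bound that always fits a 64-bit int.
        if (strlen($part) > 18) {
            continue;
        }
        $ids[] = (int) $part;
    }
    $ids = array_values(array_unique($ids)); // 6,6,6,... collapses to one 6
    return array_slice($ids, 0, $max);       // snip off anything past the cap
}

// Build "IN (?,?,?)" with one placeholder per id so the ids are bound as
// parameters, not spliced into the query text.
function build_in_query(array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return ["SELECT * FROM friend WHERE auto_id IN ($placeholders)", $ids];
}

// Constructed sample standing in for $_GET['id']: duplicates, an oversized
// value, and 11 distinct ids, so both the de-dup and the cap are exercised.
$ids = parse_id_list('3,1,3,2,99999999999999999999,7,8,9,10,11,12,13,14');
// $ids is now [3, 1, 2, 7, 8, 9, 10, 11, 12, 13]: 10 entries, 14 dropped.

if ($ids === []) {
    http_response_code(400);
    exit('invalid id list');
}

[$sql, $params] = build_in_query($ids);
if (isset($pdo)) {                       // $pdo: assumed existing PDO connection
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Rejecting the whole request on a malformed list, rather than silently substituting a default, also makes tampering visible in the access log.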

I've been playing with this all day with no luck. I'm sure it's really simple to someone who understands it better. If someone understands it easily, could you please help me? I'd be very grateful.

                        I was able to get it working by adding a number to explode function

                        $ids = array_unique(array_map('intval', explode(',', $id,5)));
                        
                        //instead of 
                        
                        $ids = array_unique(array_map('intval', explode(',', $_GET['id'])));
                        