Hello all!
I pass values through a URL to my script, I grab these values and run this function
or that depending on the value. A friend of mine told me this is not really safe and
that people can add SQL to the end of it to cause problems.
E.g. URL
http://www.mysite.com/index.php?id=10
Could look like this
http://www.mysite.com/index.php?id=10;delete form tbltablename
Not really sure what that would do, have not tested it out. How would one go about
guarding against something like that? Would `urlencoding();` before I send it help
stop it? I guess when I'm using numeric values I could just cast it to make sure
it's an int value.
Anyway, any suggestions and ideas would be great, thanks for your time.
Stephen
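As an added illustration (not code from the original post), here is the pattern the question describes beside a hardened version of the same lookup in PHP. The table name `tbltablename`, the column `id` and the PDO connection details are assumed; the hardened version validates the parameter as an integer and then binds it in a prepared statement, rather than relying on `urlencode()`, which PHP undoes when it populates `$_GET`.

```php
<?php
// Added example, not from the original post. Assumes a table "tbltablename"
// with an integer column "id" and a PDO connection $pdo (assumed names/values).

declare(strict_types=1);

// --- Vulnerable: the raw query-string value is concatenated into the SQL text. ---
// With ?id=10;delete from tbltablename (or ?id=10 OR 1=1) the request controls
// part of the statement, which is exactly the problem the post describes.
function fetchRowUnsafe(PDO $pdo, array $get): ?array
{
    $sql = "SELECT * FROM tbltablename WHERE id = " . ($get['id'] ?? ''); // DO NOT DO THIS
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened: validate the type first, then use a bound parameter. ---
function fetchRowSafe(PDO $pdo, array $get): ?array
{
    // 1. Whitelist the input: only a non-negative integer is accepted.
    //    filter_var() returns false for "10;delete ...", "10 OR 1=1", "" and null,
    //    which is stricter than a plain (int) cast that silently turns them into 10 or 0.
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($id === false) {
        http_response_code(400);   // reject the request instead of guessing
        return null;
    }

    // 2. Bind the value as a typed parameter; it is sent as data, never parsed as SQL.
    $stmt = $pdo->prepare('SELECT * FROM tbltablename WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed connection. Disabling emulated prepares makes the database server
// perform the binding instead of the client library building the string.
$pdo = new PDO('mysql:host=localhost;dbname=mydb', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$row = fetchRowSafe($pdo, $_GET);
header('Content-Type: application/json');
echo json_encode($row);
```

The integer cast the poster mentions does stop the injection for a purely numeric parameter, but `filter_var()` with `FILTER_VALIDATE_INT` rejects malformed input outright instead of coercing it, and the prepared statement protects every parameter type the same way, so the two together are the habit worth forming.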