  1. #1
    Junior Member
    Join Date
    Feb 2014
    Posts
    10
    Member #
    38385

    validating parameters in php

    I have a php page on my website that accepts an id as a parameter, looks it up in a database and displays that records details.

    What is the best way of validating that
    a) the value passed in is a number, and
    b) that number exists in the database and if not it redirects to a 404.

    I also need it to check a forsale column but I could probably work that out based on the other two answers.

  3. #2
    WDF Staff mlseim
    Join Date
    Apr 2004
    Location
    Cottage Grove, Minnesota
    Posts
    7,686
    Member #
    5580
    Liked
    716 times
    Describe your database ... MySQL, MySQLi ?

    With MySQLi ("i" means "improved"), you don't really need to worry about SQL injections.

    The ID thing ... test to make sure it's an integer.

    Code:
    $x = 23;
    if (!is_int($x)) {
      echo "it's not an integer.";
    }


    Google MySQLi, and use MySQLi instead of MySQL.


  4. #3
    Junior Member
    Join Date
    Feb 2014
    Posts
    10
    Member #
    38385
    My phpMyAdmin says I'm on msql-cll-lve 5.5.34 but underneath that it shows PHP extension mysqli so I'm not sure.

    In your example, would you just echo out an error message if the ID is invalid and otherwise load the rest of the page, or can you redirect to a 404 page if it is invalid?

  5. #4
    WDF Staff mlseim
    Join Date
    Apr 2004
    Location
    Cottage Grove, Minnesota
    Posts
    7,686
    Member #
    5580
    Liked
    716 times
    The redirect to 404 is questionable. It depends on who is entering the wrong number. If the website is used only for people that understand how the system works, and nobody else uses the website, you could redirect to 404. The user would know that they entered a wrong ID. Anyone else entering the wrong ID would be clueless.

    If the website is supposed to be used by "anyone", redirecting to 404 would be a bad idea, because they would not have a clue as to why they were redirected. They would assume your site is down or broken and leave.

    Perhaps you can use PHP SESSION to keep track of how many tries the user made. If they fail validation, tell them why they failed and send them back to the login page. If they fail more than 3 times, you lock them out and make them close their browser to clear the PHP SESSION. Spammers would not spend the time to keep doing that in an attempt to brute-force the ID, and javascripts/robots would fail because they can't handle the SESSION/COOKIE situation.


  6. #5
    Member djitsz
    Join Date
    Jan 2014
    Posts
    67
    Member #
    38199
    Liked
    17 times
    You can't use is_int in this case as it requires the type of the variable to be an integer. The value in $_POST['id'] will be a string even if it represents an integer. Use is_numeric instead which will also return true if the value represents an integer (like "10").

    Make sure that you are using the MySQLi functions (starting with mysqli_) rather than the MySQL functions (starting with mysql_) as the latter are now deprecated and have security issues. Using PDO (lots of tutorials on Google) is even better.

    Also note that using MySQLi is no barrier to SQL injection attacks, as by default it has no way of knowing what part of a query comes from the programmer and what part comes from an untrusted source (such as a web form). In this case, using is_numeric on the $_POST['id'] variable before querying the database suffices to prevent SQL injection.

    Use something like the following (assuming procedural use of MySQLi rather than OOP):
    Code:
    $id = is_numeric($_POST['id']) ? $_POST['id'] : null;
    if ($id) {   // PHP variable names are case-sensitive: $Id here would always be unset
      $result = mysqli_query($connection, "SELECT * FROM `table` WHERE `id` = $id;");
      if (!$result) die("Error querying database");
      $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
      if (!$row) {
        header("HTTP/1.0 404 Not Found");
        header("Location: 404.html");   // note: a Location header makes PHP send a 302 instead of the 404
        exit;                           // stop here so the rest of the page is not rendered
      }
    }
    Good luck!

    Jitse
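    An added example (not code posted by djitsz or mlseim) that pulls the thread's advice together for the original poster's page: the id is validated as a positive integer with FILTER_VALIDATE_INT (is_int fails on the string $_GET gives you, and is_numeric also accepts "1e3" or "12.5"), the lookup uses a MySQLi prepared statement so the value never becomes part of the SQL text, the forsale column is checked in the same query, and a missing record gets a genuine 404 response rather than a redirect. The table and column names (`products`, `name`, `price`, `forsale`), the connection details and the availability of mysqlnd (needed for get_result) are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a table `products` with an
// integer primary key `id` and a tinyint `forsale` column; credentials are made up.
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'shop');
if ($mysqli->connect_errno) {
    http_response_code(500);
    exit('Database unavailable');
}
$mysqli->set_charset('utf8mb4');

// 1) Is it a number? $_GET['id'] is always a string, so is_int() would fail;
//    is_numeric() also passes "1e3", " 12" and "12.5". FILTER_VALIDATE_INT
//    accepts only a plain decimal integer, here restricted to 1 and above.
//    filter_input() returns false when validation fails and null when ?id= is absent.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $id === null) {
    notFound();
}

// 2) Does it exist and is it for sale? The placeholder is bound as an integer ('i'),
//    so the query text is fixed and user input can never change its structure.
$stmt = $mysqli->prepare(
    'SELECT id, name, price FROM products WHERE id = ? AND forsale = 1'
);
$stmt->bind_param('i', $id);
$stmt->execute();
$product = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($product === null) {
    notFound();
}

// Render the record; escape at output time to keep stored data from becoming markup.
printf('<h1>%s</h1><p>Price: %s</p>',
    htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8'),
    htmlspecialchars((string) $product['price'], ENT_QUOTES, 'UTF-8'));

// A real 404: keep the status code (a Location: header would turn the response
// into a 302 redirect), show the site's 404 page and end the request.
function notFound(): void
{
    http_response_code(404);
    require __DIR__ . '/404.html';
    exit;
}
```

    Because the id is validated before the query and bound as an integer, the same code is safe whether the parameter arrives via GET or POST; only the filter_input() source constant changes.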

  7. #6
    Junior Member
    Join Date
    Feb 2014
    Posts
    10
    Member #
    38385
    It's a simple site where the links off the main page all have a valid ID, so I don't see a scenario where someone ends up with a bad link.

    But I'm scared that people will see ?id=2314 and then try different numbers. Or if I send out links they may be valid at the time but in 3 or 4 months time they might not be.

  8. #7
    Junior Member
    Join Date
    Feb 2014
    Posts
    10
    Member #
    38385
    Quote Originally Posted by djitsz (post #5 above)
    Thanks for the suggestions, I'll look into them. I don't know if I should really be that bothered about SQL injection, as there is only one table with product information and if anything changes it shouldn't really affect anything.

