0

I've used strip_tags; is there a better way to secure this query? The value will always be numeric.

It's being displayed like this: http://www.somesite.com/listing.php?id=5
The id will always be a different number, not always 5, depending on the listing.

$sql = "SELECT * FROM listings where id=" . strip_tags($id) . "";
Last Post by somedude3488
0

I found this a month or two ago:

addcslashes($id, "\x00\n\r\'\x1a\x3c\x3e\x25");

Can't remember what it prevents from being entered. Just recall that it was pretty secure when it comes to preventing SQL injection.

0
$Escaped = mysql_real_escape_string($String);

or

$Escaped = mysqli_real_escape_string($Connector, $String);

(Depending on connector used)

0

Either use an ingenious function like is_numeric(), which checks whether certain data (like an id in a URL) is a number, or use type-casting, which will convert it to one no matter what.

Also, the mysql_real_escape_string() function was made for a reason.
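
An added example, not part of any post in this thread: it compares strip_tags(), is_numeric() and an (int) cast on constructed id values, then runs the listing query with strict integer validation and a bound parameter. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server; the helper names listing_id() and find_listing(), the table contents and the input values are made up for illustration.

```php
<?php
// Added example. Table contents and inputs are constructed for illustration.

// Accept only a decimal integer >= 1; return null for anything else.
function listing_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one listing with a bound parameter: the id never becomes SQL text.
function find_listing(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM listings WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-in for the real database (assumption: pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO listings VALUES (5, 'Sample listing')");

// Constructed values standing in for $_GET['id'].
$inputs = ['5', '<b>5</b>', '5abc', '1e3', '-1', '5 OR 1=1'];

foreach ($inputs as $raw) {
    $id  = listing_id($raw);
    // Only a validated integer ever reaches the query.
    $row = $id === null ? null : find_listing($db, $id);
    printf(
        "%-12s strip_tags=%-12s is_numeric=%-5s (int)=%-5d validated=%-5s row=%s\n",
        var_export($raw, true),
        var_export(strip_tags($raw), true),
        var_export(is_numeric($raw), true),
        (int) $raw,
        var_export($id, true),
        $row === null ? 'none' : $row['title']
    );
}
```

With mysqli the same pattern uses prepare() and bind_param() in place of the PDO calls.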
