Basically I have to create a website for this community project our class in school is doing. It is coded in entirely php and html because I hate writing javascript. Cut to the chase, there is a photo gallery and a semi-secret log in that you can log into for a single session to upload pictures. The upload itself I believe is pretty secure I believe.

But to the main point, the gallery uses get to filter through the pages. Here is a sample code

$page = $_GET['page'];
if((preg_match('/[^0-9]/',$page)) || ($page > $pages)) {
	echo 'Invalid operation on variable: PAGE';
	if($page == null) $page = 1;
        $glob = glob('images/thumb_*.jpg');
	$count = count($glob);
	$pages = ceil($count / 16);
	$c = $page * 16;	
	for($x=0;$x<4;++$x) {
			for($z=0;$z<4;++$z) {
			echo'<td width="25%" height="110"><a href="view.php?image='.sibstr($glob[$c],13) .'.jpg"><img src="'.$glob[$c].'.jpg" height="110" /></a></td>';

Before you pounce on me for the 'what if it isn't set' thing. I will change that when I go to move this website into production. Basically it loads all of the picture names into an array and loops through them via page number and displays them in a table. I am doing it this way because when it is all set in done there won't be thousands of pictures. But how will the performance stack up when there is a couple hundred?

Point 2:

The SSO login basically is a form that posts to itself and then if the forms are correct in regards to username and password it will create a session and redirect to the upload page.

What would be the best way to sanitize those forums? I trying mysql_real_escape_string but the function doesn't exist. Can I just preg_replace all non digit and letters out?

And for one more thing I use a $_GET to display an image, like ?image=2.jpg.

What would be the best way to cleanse those? I tried google, but I get a lot of outdated pages.

Hi create a function to sanitize your input variables and then pass the string as a parameter to that function.

function clean($str) 
	$str = @trim($str);
		$str = stripslashes($str);
	return mysql_real_escape_string($str);

// When you want to sanitize use 

$string = clean($_GET['whatEver']);

What ever you place inside clean() will be returned back clean.

If you store your function in a separate php file such as functions.php so you can use it throughout the site remember to put a require in at the top of any page that will call the function.


$string = clean($_POST['whatEver']);

Hope this help


Okay, that does. Thanks

Glad it helped mark your thread as solved