Hi
I'll get straight to the point. I'm using this code

$sex = @$_GET['v'];
$sex = trim($sex); //trim whitespace from the stored variable
$sex = htmlentities($sex);

$age = @$_GET['age'];
$age = trim($age); //trim whitespace from the stored variable
$age = htmlentities($age);

... to get the age and sex credentials from the url address (example.com/page.php?age=22&sex=Female)
and this:

$query = "SELECT * FROM personas WHERE sex LIKE \"%$sex%\" AND age LIKE \"%$age%\" order by id DESC";

... to interrogate the database and get the results displayed on the page. It is working fine, but I know it is not secure, so my questions are:
- How to make it safer?
- How to make it do nothing if values don't exist in database - for example if there's nobody age 22, do nothing, or popup a message.
- How to make it check whether age contains other characters besides numbers, and again, if it does, do nothing or display a message.
- Same as above, but to check sex for letters and popup the message if anything else is used as sex.
Thanks for your help!

All 12 Replies

Personally, I would use is_numeric() on the age as an extra check, as well as checking an upper and lower boundary (say 0-110). For sex I would explicitly check for your allowed values, or maybe default to one of them if the data is incorrect.

Sorry, I must have given the impression I'm an expert :)
Would you kindly write the code that will do the trick? I don't know much about php and mysql :(
Thank you!

To secure a web app from XSS, validate input against a whitelist and discard anything not in the whitelist. Also escape output in case something was missed and got through your line of defence!
Implementation differs, and that is programming!

Member Avatar for diafol

is_numeric() or maybe is_int() for integers. Each data item should be validated against the expected data type and constraints. You can check for complicated patterns with preg_match().

If using DBs, the standard cleaner is mysql_real_escape_string().
You can convert html to plain text (showing tags) with htmlentities.
Also you can use strip_tags() to remove all tags other than ones you wish to allow.

e.g.

$tagless = strip_tags($input, '<p><b><strong>');

This will allow only paragraph and bold/strong tags to remain in $tagless - useful for stripping <script> tags.

Moving to MySQLi or PDO and doing parameterised queries is the recommended way!
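Putting the thread's advice together for the original page.php (check age is a number in a sane range, check sex against a whitelist, then run the query as a PDO prepared statement and handle the empty-result case), as an added example that is not code from any poster. It assumes a MySQL database called example_db with the table personas and columns id, sex and age from the question; the host, user and password are placeholders.

```php
<?php
// Added example (not from the thread): validated input plus a PDO prepared
// statement, replacing the interpolated LIKE query from the question.
// example_db / db_user / db_password are placeholders for your own server.

function validate_age($raw)
{
    // Only an integer in the 0-110 range suggested above is accepted;
    // filter_var() rejects "22abc", "", negatives and out-of-range values.
    $age = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 110],
    ]);
    return ($age === false) ? null : $age;
}

function validate_sex($raw)
{
    // Whitelist: only the exact values that can exist in the table pass.
    $allowed = ['Male', 'Female'];
    $sex = ucfirst(strtolower(trim($raw)));
    return in_array($sex, $allowed, true) ? $sex : null;
}

$age = validate_age(isset($_GET['age']) ? trim($_GET['age']) : '');
$sex = validate_sex(isset($_GET['sex']) ? $_GET['sex'] : '');

if ($age === null || $sex === null) {
    // Invalid input: do nothing with the database, just tell the visitor.
    echo 'Please give a numeric age (0-110) and a sex of Male or Female.';
    exit;
}

try {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
        'db_user',
        'db_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
        ]
    );

    // The values travel separately from the SQL text, so user input can
    // never change the structure of the statement.
    $stmt = $pdo->prepare(
        'SELECT id, sex, age FROM personas WHERE sex = :sex AND age = :age ORDER BY id DESC'
    );
    $stmt->bindValue(':sex', $sex, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Log the detail server-side; never show driver errors to the visitor.
    error_log($e->getMessage());
    echo 'Sorry, something went wrong.';
    exit;
}

if (count($rows) === 0) {
    // "Nobody aged 22": no results, so show a message instead of an empty page.
    echo 'Nobody matched age ' . (int) $age . ' and sex '
        . htmlspecialchars($sex, ENT_QUOTES, 'UTF-8') . '.';
    exit;
}

foreach ($rows as $row) {
    // Escape on output, as advised above, in case stored data contains HTML.
    $line = $row['id'] . ': ' . $row['sex'] . ', ' . $row['age'];
    echo '<p>' . htmlspecialchars($line, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

Two things differ from the original snippet on purpose. The query uses `=` rather than `LIKE "%...%"`, because once age is a validated integer an exact match is what you want (`age LIKE '%2%'` would also return 12, 20, 23 and so on). And htmlentities() is no longer applied to the input before it reaches the database; escaping for HTML belongs at output time, while the prepared statement takes care of the SQL side.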

Member Avatar for diafol

Agree Ev - I prefer PDO via binding parameters. But coders starting out usually begin with vanilla mysql.

Which I never like, as it becomes their behaviour :)

Member Avatar for diafol

Well, you could argue that, but PDO, as it's OOP, can be a little difficult to grasp - especially if you're trying to get to grips with basic SQL. However, I would recommend moving to PDO asap.

Yeah, PDO is OOP and OOP is not that hard ;)
If they find it hard, MySQLi also has a non-OOP way of doing param queries.

Member Avatar for diafol

Yep, MySQLi has a procedural way - but I'm a PDO convert now that I've got my head into OOP. And don't say OOP isn't hard! It took me 5 years to knock on the door! :)

:)

Thanks evstevemd and Ardav, this was helpful content! :)