get id from url security question


Post by jonnyboy22 » Sat Sep 08, 2012 12:57 pm

Hello, I'm creating a basic blog and I'm using the following code. It's collecting the id (always a number) from the URL, and before I use it live I wonder if anyone could check the security of the code and let me know if it's OK? Really don't want any injections etc.; want to keep it as secure as possible.

Code:

<?php
if(is_numeric($_GET['id']) && $_GET['id'] > 0){

include("connectionfile.php");


$ia = intval($_GET['id']);
$ib = mysql_real_escape_string($ia);
$ic = strip_tags($ib);

$qProfile = "SELECT * FROM #### WHERE id='$ic'  ";
$rsProfile = mysql_query($qProfile);
$row = mysql_fetch_array($rsProfile);
extract($row);
$title = trim($title);
$post = trim($post);
$date = trim($date);
mysql_close();

}else{
   echo 'hack error here';

}


?>



Think this is secure, but feedback is appreciated :)

Re: get id from url security question

Post by johnj » Sun Sep 09, 2012 6:04 am

Use require_once so that PHP stops execution if the file is not found.

Do not use $_GET() directly. Use isset() to get if it has a value.

After you have executed a SQL query, check if the return value is not false.
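
One way to apply the advice in this thread, as an added example that is not part of either post: validate the id strictly, bind it in a prepared statement, and check the result before using it. The table name `posts`, the sample row and the in-memory SQLite database (standing in for MySQL so the script runs stand-alone) are assumptions.

```php
<?php
// Added example, not the poster's code. Table `posts` and its row are constructed;
// in-memory SQLite stands in for MySQL so the script runs without a server.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on any SQL error instead of returning false silently.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, post TEXT, date TEXT)');
    $db->exec("INSERT INTO posts VALUES (1, ' First post ', ' Hello ', '2012-09-08')");
    return $db;
}

// Returns the post as an array, or null when the id is invalid or unknown.
function fetch_post(PDO $db, $rawId): ?array
{
    // Rejects missing values, arrays (?id[]=1), "1e3", "1 OR 1=1", 0 and negatives.
    // is_numeric() alone would accept "1e3" and similar numeric strings.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The id is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT title, post, date FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // no such post: never pass false on to later code
    }
    // Explicit array keys instead of extract(), so column names cannot
    // overwrite variables in the calling scope.
    return array_map('trim', $row);
}

$db = open_db();
// Constructed inputs standing in for $_GET['id'] ?? null.
foreach (['1', '2', '1e3', '1 OR 1=1', '-5', ['1'], null] as $raw) {
    $post = fetch_post($db, $raw);
    echo json_encode($raw), ' => ', $post === null ? 'rejected or not found' : $post['title'], PHP_EOL;
}
```

In a web page, pass `$_GET['id'] ?? null` as `$rawId` and run the returned strings through `htmlspecialchars()` before echoing them.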

