In url query with id I use is_numeric($_GET['id']) for security issues. But in query with for example category name, is urlencode() a right way for security?
Thanks in advance.
views:
31answers:
1
+2
A:
No, urlencode is used to make strings take URL encoded form.
Unlike with a numeric ID, there is no one single method of sanitizing a string input value. What method you need to use depends on what you want to do with the category name.
For example:
If you want to use it in a query, run at least a
mysql_real_escape_string()on it or (better) use a database class that supports parametrized queries (like PDO). With parametrized queries, PDO will take care of securely sanitizing any incoming parameters.If you want to output it on a page, you need to run
htmlentities()on it before outputting to prevent injection of HTML code.
there are other things to take care of when using the category name as a file name, when using it as part of an URL and so on and so on.
Pekka
2010-05-01 06:34:21
index.php?page=blahblahwhat about index.php?page=http://stackoverflow.com/questions/2749108/urlquey-and-security ?I want to print only database items to screen.
2010-05-01 06:37:10
@jasmine if you want to include the file specified in `page`, you need to be extra careful. See http://stackoverflow.com/questions/1799384/how-can-i-sanitize-my-include-statements
Pekka
2010-05-01 06:38:56
@pekka;I know this but I dont want to include a page. This is a simple query:$page = urlencode($_GET['page']);$sql = sprintf('SELECT * FROM table WHERE name = %s', mysql_real_escape_string($page));$page is not numeric.
2010-05-01 06:43:36
@jasmine I see. Don't use `urlencode` for incoming data; otherwise this query should be okay and safe.
Pekka
2010-05-01 06:45:08
I ask this question pekka, how can it safe with url query? Thanks for help
2010-05-01 06:49:24
@jasmine what do you mean by URL query?
Pekka
2010-05-01 06:50:39
@pekka ;Thanks for htmlentities() ;)
2010-05-01 07:05:05