In url query with id I use is_numeric($_GET['id'])
for security issues. But in query with for example category name, is urlencode()
a right way for security?
Thanks in advance.
views:
31answers:
1No, urlencode
is used to make strings take URL encoded form.
Unlike with a numeric ID, there is no one single method of sanitizing a string input value. What method you need to use depends on what you want to do with the category name.
For example:
If you want to use it in a query, run at least a
mysql_real_escape_string()
on it or (better) use a database class that supports parametrized queries (like PDO). With parametrized queries, PDO will take care of securely sanitizing any incoming parameters.If you want to output it on a page, you need to run
htmlentities()
on it before outputting to prevent injection of HTML code.
there are other things to take care of when using the category name as a file name, when using it as part of an URL and so on and so on.