In a URL query with an id I use `is_numeric($_GET['id'])` for security. But in a query with, for example, a category name, is `urlencode()` the right way for security? Thanks in advance.

+2  A: 

No, `urlencode` is used to make strings take URL-encoded form.

Unlike with a numeric ID, there is no one single method of sanitizing a string input value. What method you need to use depends on what you want to do with the category name.

For example:

  • If you want to use it in a query, run at least a mysql_real_escape_string() on it or (better) use a database class that supports parametrized queries (like PDO). With parametrized queries, PDO will take care of securely sanitizing any incoming parameters.

  • If you want to output it on a page, you need to run htmlentities() on it before outputting to prevent injection of HTML code.

There are other things to take care of when using the category name as a file name, when using it as part of a URL, and so on.

Pekka
`index.php?page=blahblah`: what about `index.php?page=http://stackoverflow.com/questions/2749108/urlquey-and-security`? I want to print only database items to screen.
@jasmine if you want to include the file specified in `page`, you need to be extra careful. See http://stackoverflow.com/questions/1799384/how-can-i-sanitize-my-include-statements
Pekka
@pekka; I know this, but I don't want to include a page. This is a simple query: `$page = urlencode($_GET['page']); $sql = sprintf("SELECT * FROM table WHERE name = '%s'", mysql_real_escape_string($page));` `$page` is not numeric.
@jasmine I see. Don't use `urlencode` for incoming data; otherwise this query should be okay and safe.
Pekka
I asked this question, Pekka: how can it be safe with a URL query? Thanks for the help.
@jasmine what do you mean by URL query?
Pekka
@pekka; Thanks for `htmlentities()` ;)
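The answer's three points (escape or parametrize for the query, `htmlentities()`/`htmlspecialchars()` for output, `urlencode()` only when building a URL) put together in one script. This is an added example, not code from the question or the answer: it uses an in-memory SQLite database through PDO so it runs offline, and the `items` table, its rows, and the request value `$input` are constructed sample data standing in for `$_GET['category']`. One caveat on the `sprintf` pattern from the comment thread: the `%s` placeholder must sit inside quotes in the SQL text, and even then the value is only as safe as the escaping function matches the connection's charset; a prepared statement sidesteps both problems, which the contrast below shows with an ordinary apostrophe rather than any attack input.

```php
<?php
// Added example (not part of the original Q&A): handling a free-form string
// parameter on the way into SQL, out to HTML, and into a URL.
// In-memory SQLite keeps it self-contained; the table and rows are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side binding where the driver supports it

$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, category TEXT NOT NULL, title TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO items (category, title) VALUES (?, ?)');
foreach ([
    ['books',    'Secure Coding'],
    ['books',    'SQL Basics'],
    ["o'reilly", '<b>Essential</b> PHP & MySQL'], // apostrophe in the key, HTML in the value
] as $row) {
    $seed->execute($row);
}

// Fragile pattern: the category is pasted into the SQL text. A value that
// merely contains an apostrophe already breaks the statement, which is the
// same seam that escaping has to close by hand on every call.
function findByCategoryUnsafe(PDO $pdo, string $category): array
{
    $sql = sprintf("SELECT title FROM items WHERE category = '%s'", $category);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern (the answer's "parametrized queries" point): the value is
// sent separately from the SQL text, so quotes inside it are just data.
function findByCategory(PDO $pdo, string $category): array
{
    $stmt = $pdo->prepare('SELECT title FROM items WHERE category = :category');
    $stmt->execute([':category' => $category]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output-side escaping (the answer's htmlentities() point): a value that is
// safe for SQL is not automatically safe to print. Here the same category is
// also placed in a link, which is the one place urlencode() belongs.
function renderTitles(string $category, array $titles): string
{
    $link = 'index.php?category=' . urlencode($category);          // URL context
    $out  = '<a href="' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . '">'
          . htmlspecialchars($category, ENT_QUOTES, 'UTF-8') . "</a>\n<ul>\n";
    foreach ($titles as $title) {
        $out .= '  <li>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "</li>\n"; // HTML context
    }
    return $out . "</ul>\n";
}

// Constructed request input; in a real page this would be $_GET['category'].
$input = "o'reilly";

try {
    findByCategoryUnsafe($pdo, $input);
    echo "unsafe query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo 'unsafe query failed on a plain apostrophe: ' . $e->getMessage() . "\n";
}

// The prepared statement finds the row, and the HTML in its title is rendered
// as text rather than as markup.
echo renderTitles($input, findByCategory($pdo, $input));
```

Run with `php example.php`: the first branch reports a syntax error from the string-built query, while the prepared query returns the row and prints `&lt;b&gt;Essential&lt;/b&gt; PHP &amp; MySQL` inside the list. The design point is that each sink gets its own encoding at the point of use (binding for SQL, `htmlspecialchars()` for HTML, `urlencode()` for a URL component) instead of one transformation applied to the input when it arrives, which is why `urlencode()` on `$_GET` data does nothing for the database query.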