simple PHP $_GET sanitization question

I have a record edit link that GETs a 7 character alphanumeric text string which is always ZZZZ111 in s开发者_如何学运维tructure and is then used in a MySQL query to pull all related data for that record id.

Is mysql_real_escape_string() all I need in terms of sanitizing this $_GET['id'] ? Or are there more steps to take to protect my database?

mysql_real_escape_string() will escape any malicious characters. In addition, you can use a regex like /^[A-Za-z]{4}\d{3}$/ to make sure that the user indeed entered a valid input.

To make input safe for an SQL query, mysql_real_escape_string() should be sufficient, though I suggest switching to PDO and prepared statements. They tend to be a little nicer to use, and a little more efficient (the statement is only parsed once, and the query can be re-used).

However, you also should make sure your pages are immune to cross-site scripting by (e.g.) filtering HTML from fields based on a whitelist.

If you plan on showing you data to users you would like to remove any HTML tags aswell. Maybe someone inserted a malicious javascript in a guestbook post for example?

this can be done with http://php.net/manual/en/function.htmlentities.php

Or you can use a inputfilter class to allow certain tags etc. I found this one very useful http://www.phpclasses.org/browse/package/2189.html

mysql_real_escape_string() is a good start, and I would agree that using prepared statements would be a pretty good choice. Zend_Db is nice if you want to look into some DB abstraction which can make PDO easier to work with.

I'd also take this as an opportunity to write some sort of RegEx validator for your input. A sample regex that could get you started is:

[A-Z]{4}[0-9]{3}

More info on PHP and regex can be found here: http://www.regular-expressions.info/php.html

mysql_real_escape_string should do the job for $_GET['id']. Also, take a look at prepared statements via PDO.