url Query and Security

In url query with id I use is_numeri开发者_StackOverflowc($_GET['id']) for security issues. But in query with for example category name, is urlencode() a right way for security? Thanks in advance.

No, urlencode is used to make strings take URL encoded form.

Unlike with a numeric ID, there is no one single method of sanitizing a string input value. What method you need to use depends on what you want to do with the category name.

For example:

• If you want to use it in a query, run at least a mysql_real_escape_string() on it or (better) use a database class that supports parametrized queries (like PDO). With parametrized queries, PDO will take care of securely sanitizing any incoming parameters.

• If you want to output it on a page, you need to run htmlentities() on it before outputting to prevent injection of HTML code.

there are other things to take care of when using the category name as a file name, when using it as part of an URL and so on and so on.