开发者

Counting MySQL rows, stopping people from entering characters

问答 作者:

I was wondering how I could stop people from doing this; blahblah.com/index.php?id=../../file.开发者_开发技巧php

I was told I could stop this from happening by counting mysql rows...?

you can simply use PHPs is_numeric on $_GET['id'], or force the id to a number

You can check first if it's a numeric value like Nayena said, then you can use a MySQL request to check the row count on this id. If it's 1, then it's valid, otherwise there is a problem in the request

EDIT (Example) :

<?php
if(is_numeric($_GET['id']))
{
    $id = $_GET['id'];
    $count = mysql_result(mysql_query("SELECT COUNT(*) FROM table WHERE id=".$id));
    if($count == 1)
    {
        //Id is valid, moving on...
    }
    elseif($count == 0)
    {
        //Id doesn't exist, display error message
    }
    else
    {
        //Id exists more than 1 time, meaning there is a serious issue.
        //Display error message or send email to webmaster
    }
}
else
{
    //Display error message (incorrect format for example)
}
?>

You can do the following:

<?php
$id = isset($_GET['id']) ? (int)$_GET['id'] : false;

if ($id) {
    // do your thing..
} else {
    echo 'invalid item..';
}

IF $_GET['id'] isn't set, or it's 0 then "invalid item" will be displayed. The (int) will also cast strings to 0.

Another solution:

<?php
$id = isset($_GET['id']) ? $_GET['id'] : false;

if ($id && is_numeric($id)) {
    // run mysql query here
} else {
    echo 'Invalid item..';
}

继续阅读:php

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9