3

I have a pagination issue:

$num_por_pagina = 5; 
$paginac = $_GET[paginac]; 
if (!$paginac) {
   $paginac = 1;
}

I would like to accept only integer numbers, to avoid PHP / SQL injection.

For example accessing:

http://www.mysite.com/index.php?paginac=3.3 or http://www.mysite.com/index.php?paginac=3,3

Resulting in: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '4.6, 2' at line 7

From:

accessing www.mysite.com/index.php?paginac=3.3 or www.mysite.com/index.php?paginac=3,3

Resulting in the error: this page isn't active.

Daniel
  • 23,129
  • 12
  • 109
  • 154
  • Please post the SQL query that is throwing the error (obfuscate any sensitive data, obviously). – Matt Jul 30 '12 at 19:25

5 Answers

1

Missing quotes

$paginac = $_GET["paginac"];

also

www.mysite.com/index.php?page=3.3

you are passing "page" as the GET parameter, so read that parameter and not "paginac":

$paginac = $_GET["page"];

If you are getting an error in MySQL, please post that code too.

amitchhajer
  • 12,492
  • 6
  • 40
  • 53
1

If you know you're going to receive a number (or should for that matter), you can cast it as a first line of defense:

$paginac = (int) $_GET['page'];

page represents a constant. You should use quotes for the key.

If you receive a non-numeric string, you will simply request page 0 instead.

Second, you will want to read up about how to prevent injections properly, rather than just using some hacks to get it right most of the time.

phant0m
  • 16,595
  • 5
  • 50
  • 82
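Putting the cast advice and the "prevent injections properly" advice of this answer together, as an added example that is not part of the answer itself: the page number is validated as a bounded integer and then bound into a prepared statement instead of being interpolated into the SQL. The paginaValida/fetchPagina helpers, the posts table and the in-memory SQLite database are all assumptions made for the demo.

```php
<?php
// Added example (not from the question or any answer): validate the page
// parameter as a bounded integer and bind it into a prepared statement.
// Assumes the pdo_sqlite extension; the table and rows are constructed inline.

declare(strict_types=1);

const NUM_POR_PAGINA = 5;

/**
 * Return a positive page number, or 1 when the input is unusable.
 * FILTER_VALIDATE_INT rejects "3.3", "3,3", "3 OR 1=1", "" and a missing key;
 * min_range rejects 0 and negative numbers.
 */
function paginaValida(array $get, string $key = 'paginac'): int
{
    $page = filter_var($get[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $page === false ? 1 : $page;
}

/** Fetch one page of rows. LIMIT/OFFSET are bound as integers, never interpolated. */
function fetchPagina(PDO $db, int $page): array
{
    $stmt = $db->prepare('SELECT id, titulo FROM posts ORDER BY id LIMIT :lim OFFSET :off');
    $stmt->bindValue(':lim', NUM_POR_PAGINA, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * NUM_POR_PAGINA, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data: 12 posts in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, titulo TEXT)');
$ins = $db->prepare('INSERT INTO posts (titulo) VALUES (:t)');
for ($i = 1; $i <= 12; $i++) {
    $ins->execute([':t' => "Post $i"]);
}

// The inputs from the question plus a few hostile ones; only "3" is accepted,
// everything else falls back to page 1 and never reaches the SQL text.
foreach (['3', '3.3', '3,3', '-1', '0', '3 OR 1=1', null] as $raw) {
    $page = paginaValida(['paginac' => $raw]);
    $rows = fetchPagina($db, $page);
    printf("%-12s -> page %d, %d row(s)\n", var_export($raw, true), $page, count($rows));
}
```

With 12 rows and 5 per page, "3" yields the last 2 rows and every other input yields the 5 rows of page 1.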
1

try

$paginac = intval($_GET['paginac']); // key must be quoted; intval() returns 0 for non-numeric input
voodoo417
  • 11,861
  • 3
  • 36
  • 40
0

It looks as though your test for is_numeric() is still allowing the SQL statement to be written and executed, which is throwing your error.

Make sure that if the GET variable is not numeric that the query does not execute.

Also, use quotes when accessing associative array indices. If you're passing paginac through get:

$paginac = $_GET['paginac'];

If you're passing page through get:

$paginac = $_GET['page'];
Matt
  • 6,993
  • 4
  • 29
  • 50
-1

I would do something like this:

if ($paginac < 2)
{
    $paginac = 1;
}

PHP will cast the variable to 1 if it's a string anyway, so this method will cast any text to 1 and also help against negative numbers.

williamvicary
  • 805
  • 5
  • 20