I want to send a number of parameters from an application to a database table through PHP. I use the 'GET' method and want to set some restrictions on the variables and/or in some way make it safe, as in the approach below. The good thing is that they can only contain Greek letters, numbers and the .-, symbols.
Is this doing it correctly?
FORM:
<input type="text" name="a">
<input type="text" name="b">
URL:
http://the url.php?a=4,52&b=αβγδ.,-12345
What I want it to do, simply:
Show rows where id=x if the user sends an existing id and the correct key that is defined in the PHP file.
Safe approach [edited]:
$dbh = db_conn();
$vara = mb_convert_encoding($_GET["a"], 'UTF-8', 'ISO-8859-7');
$varb = mb_convert_encoding($_GET["b"], 'UTF-8', 'ISO-8859-7');
// Check the key in PHP instead of interpolating it into the SQL string.
if (!hash_equals('myknowkey', $vara)) { exit('invalid key'); }
// Bind the id; PDOStatement::execute() expects an array of values.
$sqlb = $dbh->prepare("SELECT * FROM table WHERE id = ?;");
$sqlb->execute([$varb]);
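A fuller version of this approach, added here as an example (not the question's own code): it whitelists the id with a Unicode regex for Greek letters, digits and the .-, characters, compares the key in PHP with hash_equals() so it never enters the SQL, and binds the id with PDO. It assumes db_conn() returns a PDO object, that the form is served as UTF-8 so $_GET already holds UTF-8 (no mb_convert_encoding needed), and the table and column names from the question.

```php
<?php
// Added example, not the poster's code. Assumes db_conn() returns a PDO object
// and that the page is served as UTF-8, so $_GET values are already UTF-8.
declare(strict_types=1);

const KNOWN_KEY = 'myknowkey'; // the key defined in the PHP file, as in the question

// Whitelist for the id: Greek letters, ASCII digits and . , - only.
// The /u flag makes \p{Greek} match UTF-8 code points; length is capped.
function is_allowed_id(string $value): bool
{
    return preg_match('/\A[\p{Greek}0-9.,-]{1,64}\z/u', $value) === 1;
}

// Returns the matching rows, or an empty array when the key or id is rejected.
function fetch_rows(PDO $dbh, string $id, string $key): array
{
    // The key is only compared, never used in SQL, so a constant-time
    // comparison in PHP is the whole check.
    if (!hash_equals(KNOWN_KEY, $key)) {
        return [];
    }
    // Reject anything outside the whitelist before the query is built.
    if (!is_allowed_id($id)) {
        return [];
    }
    // The id travels as a bound parameter, never by string interpolation.
    // `table` is backticked because it is a reserved word in MySQL.
    $stmt = $dbh->prepare('SELECT * FROM `table` WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with the query string from the question: ?a=4,52&b=αβγδ.,-12345
// (a carries the key, b carries the id, matching the original snippet).
$dbh  = db_conn();
$rows = fetch_rows($dbh, $_GET['b'] ?? '', $_GET['a'] ?? '');
header('Content-Type: application/json; charset=utf-8');
echo json_encode($rows, JSON_UNESCAPED_UNICODE);
```

With the sample URL above the key check fails (a=4,52 is not 'myknowkey'), so nothing is queried; with the correct key, only an id that passes the whitelist reaches the prepared statement.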