I'm using PDO's bindParam.

This is the function which checks every GET variable on the website. After changing the value, it will echo it out:

function Check_Get_Param($val){
    $value1=addslashes($val);            // backslash-escape quotes (an SQL-escaping step)
    $string1=htmlspecialchars($value1);  // encode <, >, &, " as HTML entities (an output-escaping step)
    $string2=strip_tags($string1);       // drop anything that still looks like an HTML tag
    $string3=intval($string2);           // cast to integer: anything not starting with digits becomes 0
    return $string3;
}

Here this will output the result:

Check_Get_Param($_GET['id']);

Now the idea is: any id, or id=any, or id=%

$_GET['id'] = % will result in 0 as % is not an integer. How do I allow % also?

How do I modify this function, or write any other function, so that I can filter the GET parameters and keep the web safe from injections?

Your Common Sense
SAR
  • If you want to allow numbers or a `%` but nothing else, you'll probably need to add a small if statement validating that before you pass it into bindParam, because the answer below will allow strings to be passed in, and if you force your bindParam to be an integer the `%` will come out as zero or return false – scrowler Jun 10 '14 at 03:10
  • Yes, I have even done `$sth->bindParam('refone', $refone, PDO::PARAM_INT);` but here I want only (integer + %) to be allowed; any other text should be denied – SAR Jun 10 '14 at 03:11

3 Answers


You don't need these procedures to prevent SQL injection because PDO's bindParam already takes care of that. You just need

$sth = $db->prepare('... id = ? ...');
$sth->bindParam(1, $_GET['id']);
$sth->execute();
Fabricator
  • Thanks, I have done that, just want to be sure. – SAR Jun 10 '14 at 02:55
  • @abas_rafiq, bindParam will escape what you already escaped, and that is probably not what you wanted. – Fabricator Jun 10 '14 at 02:57
  • Yes, thanks, +1 for the attention. Here I just wanted to do some checking before passing the variables to bindParam, so I created the mentioned function. – SAR Jun 10 '14 at 03:15
  • @abas_rafiq it seems you still don't understand that the whole function is useless, to say the least. – Your Common Sense Jun 10 '14 at 03:54
  • @YourCommonSense, at least this function will check and not let any script be run in input or GET variables – SAR Jun 10 '14 at 04:00
  • @abas_rafiq this function is just a scrapheap of useless and contradicting functions. – Your Common Sense Jun 10 '14 at 04:02
  • @YourCommonSense, what is your suggestion if I want to create a function to check every variable (GET, POST, ECHO) and keep the web safe??? – SAR Jun 10 '14 at 04:08
  • @abas_rafiq 1. You have to understand the functions you are using, and use them wisely, instead of just piling up as many functions as possible without any reason or sense. 2. You have to understand that no such function is ever possible. Read here: http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php – Your Common Sense Jun 10 '14 at 04:11
  • @YourCommonSense, dear, I am using Arabic input and output; those examples do not work for me. If I do real-escaping the Arabic text will be fully ignored and will result in nothing. This function I made shows the Arabic and at least it will keep any injection away. – SAR Jun 10 '14 at 04:19
  • @abas_rafiq your profile says you want to learn but your comments say you don't – Your Common Sense Jun 10 '14 at 04:27
  • @YourCommonSense, haha, I mean it in a good way, I really appreciate your comments, but I tried those examples many times to make my web app secure and filter any kind of text before input; those work fine with English but when I input Arabic then again I find the database blank. Anyway, my comment was not to disrespect you; if you think such, sorry. – SAR Jun 10 '14 at 04:47
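Fabricator's point, and the comment about bindParam "escaping what you already escaped", shown as an added example that is not code from the question or from any answer. It assumes the pdo_sqlite extension and uses an in-memory SQLite database; the table, the Arabic sample name and the injection-shaped string are all constructed for the demonstration.

```php
<?php
// Added example (not from the question or answers). Uses an in-memory SQLite
// database through PDO so it runs offline; the table and rows are constructed.
// Shows that a bound parameter needs no addslashes()/htmlspecialchars() first,
// and that applying them first stores mangled data ("double escaping").

$db = new PDO('sqlite::memory:');                       // assumes pdo_sqlite
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input: an Arabic name containing an apostrophe, and a
// value shaped like an injection attempt. To a bound parameter both are data.
$samples = [
    1 => "مرحبا O'Brien",
    2 => "1' OR '1'='1",
];

$insert = $db->prepare('INSERT INTO items (id, name) VALUES (:id, :name)');
foreach ($samples as $id => $name) {
    // The driver sends the value separately from the SQL text, so quotes
    // inside $name cannot change the statement; no pre-escaping is needed.
    $insert->bindValue(':id', $id, PDO::PARAM_INT);
    $insert->bindValue(':name', $name, PDO::PARAM_STR);
    $insert->execute();
}

$select = $db->prepare('SELECT name FROM items WHERE id = :id');
$results = [];

// 1. Reading back row 1: the stored text is byte-for-byte what was supplied,
//    Arabic letters and apostrophe included.
$select->bindValue(':id', 1, PDO::PARAM_INT);
$select->execute();
$results['round_trip_intact'] = ($select->fetchColumn() === $samples[1]);

// 2. Using the injection-shaped string as the id: the whole string is compared
//    against the id column as a single value, so no row matches and
//    fetchColumn() returns false instead of every row.
$select->bindValue(':id', $samples[2], PDO::PARAM_STR);
$select->execute();
$results['injection_shaped_id_matches_nothing'] = ($select->fetchColumn() === false);

// 3. What the question's Check_Get_Param() chain does to the name before
//    binding: addslashes() adds a backslash and htmlspecialchars() turns the
//    apostrophe into an entity, and that altered text is what gets stored.
$mangled = htmlspecialchars(addslashes($samples[1]), ENT_QUOTES, 'UTF-8');
$insert->bindValue(':id', 3, PDO::PARAM_INT);
$insert->bindValue(':name', $mangled, PDO::PARAM_STR);
$insert->execute();
$select->bindValue(':id', 3, PDO::PARAM_INT);
$select->execute();
$results['pre_escaped_copy_equals_original'] = ($select->fetchColumn() === $samples[1]);
$results['pre_escaped_stored_text'] = $mangled;

print_r($results);
```

Run with `php` from the command line. The first two entries are true, the third is false, and the last shows the backslash and entity that ended up in the table; this is the "data goes in blank or wrong" symptom the comments describe, caused by escaping for the wrong layer (HTML, and a string-concatenation style of SQL) before handing the value to a prepared statement.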

PHP 5 (version >= 5.2.0) has a convenient set of data filtering functions. These functions allow validating common things such as emails and URLs, which would otherwise require complex regular expressions that don't always work. These functions are filter_var(), filter_input(), filter_id(), etc.

This way you never have to touch the raw input via the $_GET or $_POST arrays. See examples provided in the documentation.

agamike
  • I checked this as the correct answer for me, just because it points me to the right place to search for the answer. – SAR Jun 10 '14 at 03:13

A specific function to check your desired validation easily might be:

function validateID($id) {
    return ($id == '%' || is_numeric($id));
}

Then you can do something like this to allow numbers or % but nothing else:

if(!validateID($_GET['id'])) {
    die('Wrong parameter type - validation failed!');
}

$stmt->bindParam(1, $_GET['id']);
scrowler
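An added example, not scrowler's or agamike's code, that brings the two answers together: it validates the id with filter_var() as agamike's answer suggests, allows the single literal `%` the question asks for, and runs the same inputs through scrowler's is_numeric() check so the difference between "numeric-looking" and "an integer" is visible. The function name validate_id_param, the min_range of 1, and the sample inputs are assumptions made for the example.

```php
<?php
// Added example (not from the answers above). Accept an integer id, or the
// single literal "%" the question wants, and reject everything else.
// Returns the validated value (int or "%") or null; it never "cleans" input.

function validate_id_param($raw)
{
    if (!is_string($raw)) {           // ?id[]=1 arrives as an array: never valid
        return null;
    }
    if ($raw === '%') {               // the one non-integer value allowed here
        return '%';
    }
    // FILTER_VALIDATE_INT accepts only an optionally signed run of digits
    // (surrounding whitespace is trimmed) and returns false for anything else,
    // including "1e3", "1.5" and text with an SQL fragment appended.
    $int = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],   // ids start at 1 (assumption)
    ]);
    return $int === false ? null : $int;
}

// scrowler's check from the answer above, reproduced for the comparison.
function validateID($id)
{
    return ($id == '%' || is_numeric($id));
}

// Constructed sample inputs, including the shapes the question worried about.
$cases = ['42', '%', '0', '-5', ' 7 ', '1e3', '1.5', '0x1A', '1 OR 1=1', '<script>', ''];

printf("%-14s %-12s %s\n", 'input', 'validateID()', 'validate_id_param()');
foreach ($cases as $in) {
    printf("%-14s %-12s %s\n",
        var_export($in, true),
        var_export(validateID($in), true),
        var_export(validate_id_param($in), true)
    );
}

// Usage sketch (assumes $db is an open PDO connection):
//   $id = validate_id_param($_GET['id'] ?? null);
//   if ($id === null) { http_response_code(400); exit('invalid id'); }
//   $stmt = $db->prepare('SELECT * FROM items WHERE id = ?');
//   $stmt->bindValue(1, $id, is_int($id) ? PDO::PARAM_INT : PDO::PARAM_STR);
//   $stmt->execute();
```

Two things the table makes visible. is_numeric() also accepts "1e3" and "1.5", so scrowler's validateID() lets through values that are not integer ids and that PDO::PARAM_INT would then truncate; FILTER_VALIDATE_INT does not. And a bound "%" is compared by `id = ?` as the literal string "%", which matches nothing: if it is meant as a wildcard, the query needs a LIKE clause, so the validated value has to decide which statement is prepared rather than being bound into the `=` one.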