0

I use this php code to check the variable that I get from the URL to protect my Database from URL injection :

if(isset($_REQUEST["u_i"]))
{//echo $_REQUEST["u_i"];exit;
if(!is_numeric($_REQUEST["u_i"]))
{
//echo $_REQUEST["u_i"];exit;
header('Location:index.php');
}
else 
{//echo $_REQUEST["u_i"];       
$id_raw = trim(htmlentities($_REQUEST["u_i"]));
$visitor_id = mysql_real_escape_string($id_raw);
}
}

I want to know what should I edit in this code to use it on the $_POST array variables (user input text not numbers) like (comments from users, text blocks) because I use this part to direct users to index if the url variable contain a text not number :

if(!is_numeric($_REQUEST["u_i"]))
    {
    //echo $_REQUEST["u_i"];exit;
    header('Location:index.php');
    }

so how could I check a variable which have text securely ?

Basel
  • 359
  • 3
  • 16
  • You should to do validation specific to the content of the field. If it's an email, you need to test that it looks like `account@domain`. If it's a username, you should test that it only contains the characters you allow in usernames. There's no simple answer. – Barmar Jun 13 '14 at 12:21
  • 1
    You can’t validate data if its model is not restricted, i. e., anything is allowed. However, you don’t even need any validation for protecting against SQL injections if you stick to prepared statements and pass the values as parameters. Have a look at [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/q/60174/53114) – Gumbo Jun 13 '14 at 12:28

0 Answers0