PHP filter(sanitize) $_GET to use in mysqli query?

Question

What would be the best or right way to get the value from the url using $_GET['id'] and to use it in a mysqli query?

Currently i'm using a regular expresion :

$id = preg_replace('/{([a-zA-Z0-9]+)}/', '', $_GET['id']);

but I don't know if this is the right or best way to do this.

Please explain your answer.

@MariaGheorghe nonsense. `It it works` does not mean it works the right way — Marcin Orlowski, Nov 29 '14 at 15:19
Is your question about forgoing database escaping / parameter binding? (← Which would be easier!) — mario, Nov 29 '14 at 15:21
@MArchin you dnt need a special theniq to do such a simnple task , can be done in 1 milion ways — Maria Gheorghe, Nov 29 '14 at 15:22
*"I need to check the passed value against the databse"* - I'm splitting hairs here; what's the real question, check if ID exists? — Funk Forty Niner, Nov 29 '14 at 15:23
Simple or not, things should be done **right** way. Any shortcuts, especially driven by not understanding the problem in first place (which this question is good example of, hence preg_replace() or input_filter suggestions) are definitely bad and must be avoided. — Marcin Orlowski, Nov 29 '14 at 15:24
I just need to check if this id(parameter) exists in the database before the script continues. I was only wondering if i'm getting the variable the right way to then use it in a mysqli string. — Zenel Shabani, Nov 29 '14 at 15:25
...use `mysqli_num_rows()` or PDO's `rowCount()`. *I knew it*. — Funk Forty Niner, Nov 29 '14 at 15:26

score 2 · Answer 1 · edited Nov 26 '19 at 18:25

If you are already using mysqli then you don't need to take the pains of sanitization in your hands for basic stuff. You can use prepared statements which will take care of those

if (isset($_GET["id"])) {
    $id = $_GET['id'];
    $stmt = $mysqli->prepare("SELECT abc FROM table WHERE id=?");
    $stmt->bind_param("i", $id);   // or s if its a string
    $stmt->execute();
}

You can review examples here to find out how to deal with the result:

get_result() in PHP Manual

score 0 · Accepted Answer · answered Nov 29 '14 at 15:21

0

You are reinventing the wheel. Depending on how you access db you may do not need do much (i.e. PDO will deal with this by itself) or use proper function to escape data, like mysqli_real_escape_string()

answered Nov 29 '14 at 15:21

Marcin Orlowski

72,056
11
123
141

PHP filter(sanitize) $_GET to use in mysqli query?

2 Answers2