0

I have a variable that gets its value from the URL.

if (isset($_GET['page'])) {
    $getPage = $_GET['page'];
} else {
    $getPage = "";
}

if ($getPage == "" || $getPage == "1") {
    $page = 0;
} else {
    $page = ($getPage * 6) - 6;
}

After it gets this value, it sends a query to the database to ask for information. How can I make sure that the input is numeric and doesn't exceed the available amount?

Here is the query:

$query = "SELECT * FROM dbname LIMIT $page,6 ";
$select_all_list_items = mysqli_query($connection, $query);

Right now, if I alter the URL manually and put in a number that exceeds the page count, it shows nothing, or if I put in letters, it shows an error. In both cases I would like to redirect the user back to the first page.

TacoCat
  • to check if value is a string: http://php.net/manual/en/function.is-string.php – Vinc199789 Aug 08 '15 at 09:24
  • have you tried `header('Location: ...` I'd clean that logic up a bit too. – ArtisticPhoenix Aug 08 '15 at 09:31
  • Please read and follow: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 (once SQL Injection is *prevented*, all you need to worry about are business rules. A business rule might be "if no results then..") – user2864740 Aug 08 '15 at 09:32
  • Performing math on the value pretty much wipes out the possibility of SQL injection. But you could use bindParam on it if using PDO. – ArtisticPhoenix Aug 08 '15 at 09:37

3 Answers

1

First you'll need to retrieve the total pages from your database:

$countQuery = 'SELECT COUNT(*) FROM dbname';
$countResult = mysqli_query($connection, $countQuery);
$countResultRow = mysqli_fetch_row($countResult);
$numRows = intval($countResultRow[0]);
// the number of pages is the row count divided by rows per page (6 here), rounded up
$numPages = (int) ceil($numRows / 6);

Then you will need to implement some checks on your GET variable:

if ($numPages < 1) {
    throw new Exception('No pages to show!');
}

// anything that is not a number (letters, empty string) falls back to page 1
if (!is_numeric($getPage)) {
    $getPage = 1;
}
// is_numeric() also accepts "1.5" and "1e3", so cast to a whole page number
$getPage = (int) $getPage;

if ($getPage > $numPages) {
    $getPage = 1;
}

if ($getPage < 1) {
    $getPage = 1;
}

Be careful passing GET values directly into your SQL query; this is a security risk as it can lead to database manipulation via URL. Read up about SQL injection for more information about "escaping" your data pre-query.

Dan Belden
1

To check for numeric input and an invalid page number:

$pageCount = (int) ceil($totalRecords / $recordsPerPage);
/* where $totalRecords is count of total records from db and $recordsPerPage is total rows per page;
   ceil() so that a partially filled last page still counts as a page */
if (!isset($_GET['page']) || !is_numeric($_GET['page']) || $_GET['page'] > $pageCount) {
    $getPage = "1";
} else {
    $getPage = $_GET['page'];
}
Disha V.
0

Something like this:

 $page = 0;  //default page 1 (LIMIT offset 0)
 if(isset($_GET['page']) && preg_match('/[a-z]/i', $_GET['page'])){
    // if set and alpha
    header('Location: url of first page');
    exit;
 }elseif(isset($_GET['page'])){
    //not sure of this part but ( that's what the OP has so i'll go with it )
    $page = ( (int) $_GET['page'] * 6 ) - 6;  ///could be 0 on page 1 6*1-6, just saying
 }

Personally I'd run a query first to count the total rows, divide that by rows per page for the total pages, and use that in the if statement... etc.

ArtisticPhoenix
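The three answers above all describe the same flow: count the rows, derive the number of pages, reject anything that is not a valid page number, and keep the user input out of the SQL string. The following is an added example that puts those pieces together in one place; it is not code from the question or from any of the answers. It assumes the question's table name `dbname`, a `mysqli` connection in `$connection`, 6 rows per page as in the question, PHP 7.1 or later, and `index.php?page=1` as the URL of the first page (a placeholder to adapt). `FILTER_VALIDATE_INT` is used instead of `is_numeric()` because it rejects values such as `1.5`, `1e3` and `abc` outright, and the `LIMIT` values are bound as integers through a prepared statement rather than interpolated into the query.

```php
<?php
// Added example (not from the question or any answer on this page): hardened
// pagination for the flow discussed above, using mysqli prepared statements.
// Assumptions: table `dbname`, mysqli connection in $connection, 6 rows/page,
// PHP 7.1+, and index.php?page=1 as the first-page URL (placeholder).

const ROWS_PER_PAGE = 6;
const FIRST_PAGE_URL = 'index.php?page=1';   // assumed; adjust to your site

/**
 * Turn the raw ?page= value into a positive page number.
 * Returns 1 when the parameter is absent or empty (the question treats
 * "" as page 1), and null when it is not a whole number >= 1.
 */
function parsePageParam($raw): ?int
{
    if ($raw === null || $raw === '') {
        return 1;
    }
    $page = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $page === false ? null : $page;
}

/** Number of pages needed for $totalRows rows; at least 1 so page 1 is always valid. */
function pageCount(int $totalRows): int
{
    return max(1, (int) ceil($totalRows / ROWS_PER_PAGE));
}

/** Zero-based LIMIT offset for a 1-based page number. */
function pageOffset(int $page): int
{
    return ($page - 1) * ROWS_PER_PAGE;
}

function redirectToFirstPage(): void
{
    header('Location: ' . FIRST_PAGE_URL, true, 302);
    exit;
}

// --- request handling --------------------------------------------------------

$page = parsePageParam($_GET['page'] ?? null);
if ($page === null) {
    redirectToFirstPage();            // letters, "0", negatives, floats, ...
}

// Count first so that a page beyond the last one can be detected.
$countResult = mysqli_query($connection, 'SELECT COUNT(*) FROM dbname');
$totalRows   = (int) mysqli_fetch_row($countResult)[0];

if ($page > pageCount($totalRows)) {
    redirectToFirstPage();            // page number exceeds the page count
}

// Prepared statement: offset and row count are bound as integers ('ii'),
// so no user-controlled text ever reaches the SQL string.
$stmt   = mysqli_prepare($connection, 'SELECT * FROM dbname LIMIT ?, ?');
$offset = pageOffset($page);
$limit  = ROWS_PER_PAGE;
mysqli_stmt_bind_param($stmt, 'ii', $offset, $limit);
mysqli_stmt_execute($stmt);
$select_all_list_items = mysqli_stmt_get_result($stmt);   // needs the mysqlnd driver

while ($row = mysqli_fetch_assoc($select_all_list_items)) {
    // ... render $row ...
}
```

Redirecting for an out-of-range page (rather than silently clamping) matches what the question asks for; if you would rather show the last page instead, replace the second `redirectToFirstPage()` call with `$page = pageCount($totalRows);`. `mysqli_stmt_get_result()` requires the mysqlnd driver, which is the default in current PHP builds; with an older build, use `mysqli_stmt_bind_result()` and `mysqli_stmt_fetch()` instead.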