-2

I am working on a WordPress site and there is a feature we need that doesn't exist exactly the way we need it. Without creating a whole membership site, we need to email users weekly emails with links to a dynamic page where they will be able to access a number of audio files based on their week (drip campaign). The emails don't come from WordPress; they come from a CRM.

So: http://website.com/audiodownloadpage/?xyz=1 (they will be able to access one audio), http://website.com/audiodownloadpage/?xyz=2 (they will be able to access two audios) etc. etc.

This is the variable call using $_GET:

$abc = isset( $_GET[ 'xyz' ] ) ? $_GET[ 'xyz' ] : '';

I put the variable in the query_posts() function so it knows how many to display.

I tried to add:

addslashes(mysql_real_escape_string(strip_tags()))

on the recommendation of another thread on SO, but it broke the page. I think I'm doing it wrong. Could someone show me how to get the same variable with the protections in place? It's for one page and a closed audience, so I risked using this method, and I would like to protect it as much as I can.

semidivine
    What are you going to do with the value? – Muhammad Sumon Molla Selim Jun 16 '16 at 20:46
  • USE PDO! http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers, That's the ONLY way to be reasonably safe from SQL injection. – Tony Chiboucas Jun 16 '16 at 20:47
  • Possible duplicate of [What's the best method for sanitizing user input with PHP?](http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php) – Tony Chiboucas Jun 16 '16 at 20:48
  • Using prepared statements with placeholders is the *only* way of protecting the user input, whichever API you prefer - `mysqli_` or PDO. – Qirel Jun 16 '16 at 20:54
  • 2
    "...on recommendation of another thread on SO" what thread is that? So I can digitally punch whoever said that in the face. – PeeHaa Jun 16 '16 at 20:58
  • Is this being used in SQL? Show the usage of `$abc`. `$_GET` can be insecure in XSS injections as well. – chris85 Jun 16 '16 at 21:03
  • Really, it's nothing to do with $_GET: any user input from any source needs to be sanitised if it's going to be used in a query. But if that's the case, the best approach will depend on what API your DB connection uses. There's no one-size-fits-all function here. –  Jun 16 '16 at 21:34
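
An added example (not code from the question or from either answer) of the approach the comments converge on: validate the `xyz` value as an integer instead of running it through escaping functions, and hand the resulting `int` to WordPress so WordPress builds the SQL. It assumes, which the post does not say, that the audio files are posts of a custom post type named `audio` and that no subscriber should ever see more than 52 of them (`DRIP_MAX_WEEKS`):

```php
<?php
/**
 * Added example, not code from the question or its answers: read ?xyz= as a
 * week number and use it to limit the audio query on the download page.
 *
 * Assumptions that are not in the original post:
 *  - the audio files are posts of a custom post type named 'audio'
 *  - no subscriber should ever be shown more than DRIP_MAX_WEEKS files
 */

const DRIP_MAX_WEEKS = 52;

/**
 * Validate, do not sanitise: a week number is an integer, so anything that
 * is not a plain integer in range ("1 OR 1=1", "1e3", "<script>", "") is
 * rejected outright rather than "cleaned". Returns 0 when absent or invalid.
 */
function drip_week_from_request(): int
{
    $week = filter_input(INPUT_GET, 'xyz', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => DRIP_MAX_WEEKS],
    ]);

    // filter_input() returns null when the key is absent, false when invalid.
    return is_int($week) ? $week : 0;
}

/**
 * Build the query with WP_Query instead of query_posts(): query_posts()
 * replaces the main query and is discouraged by WordPress. The integer is
 * passed as a typed argument and WordPress builds the SQL itself.
 */
function drip_audio_query(int $week): WP_Query
{
    return new WP_Query([
        'post_type'      => 'audio',    // assumed custom post type
        'post_status'    => 'publish',
        'posts_per_page' => $week,      // week N unlocks the first N audios
        'orderby'        => 'date',
        'order'          => 'ASC',
        'no_found_rows'  => true,       // no pagination needed, skip the COUNT
    ]);
}

/**
 * Render the list. Every value that reaches HTML goes through a WordPress
 * escaping function for its context, which covers the XSS concern from the
 * comments even though the week itself is already an int.
 */
function drip_render_downloads(): void
{
    $week = drip_week_from_request();

    if ($week === 0) {
        echo '<p>Sorry, that link is not valid.</p>';
        return;
    }

    $query = drip_audio_query($week);

    echo '<h2>Week ' . esc_html((string) $week) . '</h2>';
    echo '<ul>';
    while ($query->have_posts()) {
        $query->the_post();
        printf(
            '<li><a href="%s">%s</a></li>',
            esc_url(get_permalink()),
            esc_html(get_the_title())
        );
    }
    echo '</ul>';

    wp_reset_postdata(); // restore the global post after a custom loop
}

// In the page template (e.g. page-audiodownloadpage.php):
// drip_render_downloads();
```

The upper bound matters as much as the type check: the week number arrives in a plain URL, so anyone holding a week-1 link can type `?xyz=52`, and clamping means the worst case is seeing the whole set rather than an arbitrary `posts_per_page`.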

2 Answers

0

To protect the value when inserting it into the database, use mysql_real_escape_string() if you are using mysql. But I would not recommend using it, as it's deprecated and removed from PHP's latest version. A better choice would be PDO or mysqli.

If you want to use the value on a web page, you may want to protect it against XSS attacks. In that case, use the strip_tags() or htmlentities() functions.
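An added example (not the answer's code) of the two protections this answer names, kept separate because they address different problems: a PDO prepared statement with an integer-bound parameter for the database side, and output encoding at render time for the HTML side. It assumes a hypothetical MySQL table `audio_files` with columns `id`, `title` and `week`, which the post does not describe:

```php
<?php
/**
 * Added example (not the answer's code): SQL injection and XSS are defended
 * separately, at the boundary where each one actually happens.
 *
 * Assumptions not in the original post: a MySQL table `audio_files` with
 * columns `id`, `title`, `week`, and PDO credentials supplied by the caller.
 */

function drip_connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: the value never touches the SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * SQL side: the week number is bound as an integer parameter. No escaping
 * function is involved, so there is no escaping to get wrong.
 */
function drip_fetch_audios(PDO $db, int $week): array
{
    $stmt = $db->prepare(
        'SELECT id, title FROM audio_files WHERE week <= :week ORDER BY week, id'
    );
    $stmt->bindValue(':week', $week, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll();
}

/**
 * HTML side: encode at the moment of output, for the context being output
 * into. htmlspecialchars() keeps the text intact and neutralises < > & " '
 * so a stored title such as <script>alert(1)</script> is shown literally,
 * whereas strip_tags() silently alters legitimate titles like "A < B".
 */
function drip_render_list(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $title = htmlspecialchars($row['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $id    = (int) $row['id'];
        $html .= "  <li><a href=\"/audio/{$id}\">{$title}</a></li>\n";
    }

    return $html . "</ul>\n";
}

// Usage (credentials and DSN are placeholders):
// $week = filter_input(INPUT_GET, 'xyz', FILTER_VALIDATE_INT,
//             ['options' => ['min_range' => 1]]) ?: 0;
// $db   = drip_connect('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'secret');
// echo drip_render_list(drip_fetch_audios($db, $week));
```

Setting `charset=utf8mb4` in the DSN and disabling emulated prepares together mean the driver, not string manipulation in PHP, is responsible for keeping the bound value out of the query text.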

-1

If you are talking about securing a database against SQL injection, you may want to look here

Community
Hans