0

Possible Duplicate:
Best way to stop SQL Injection in PHP

I am curious what is the best way to prevent SQL injections through URL parameters - for example if the user visited http://mydomain.com/info.php?id='50

I am told the above URL with the parameter can allowed Brutal SQL injections, so what exactly is the best way of preventing this from happening?

Would sending the user to an error page when "or die" takes place prevent these SQL injection?

Community
  • 1
  • 1
Alex Saidani
  • 1,277
  • 2
  • 16
  • 31
  • 3
    Have you seen http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php ? Same question, just with `$_POST` instead of `$_GET` - the principle is the same though. – Sean Vieira Oct 26 '11 at 02:33
  • [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Oct 26 '11 at 02:36
  • 1
    [http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/](http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/) – Will Oct 26 '11 at 02:36
  • @Sean Vieira, thanks for the link, I loled on second answer. – Dejan Marjanović Oct 26 '11 at 02:45

2 Answers2

1

You should take a look at OWASP SQL Injection Prevention Cheat Sheet https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet.

Michael Hidalgo
  • 197
  • 3
  • 13
0
$id = (string) $_GET['id'];

if(ctype_digit($id) === false)
{
    echo 'You wanted to try brutal SQL injection! You will die now!';
    die();
}

That depends on number of situations, so provide clearer question.

Dejan Marjanović
  • 19,244
  • 7
  • 52
  • 66