Here’s the code: //check if the starting row variable was passed in the URL

Question

0

Asked: June 1, 20262026-06-01T12:35:18+00:00 2026-06-01T12:35:18+00:00

Here’s the code: //check if the starting row variable was passed in the URL

0

Here’s the code:

  //check if the starting row variable was passed in the URL or not
  if (!isset($_GET['pg']) or !is_numeric($_GET['pg'])) {
 //we give the value of the starting row to 0 because nothing was found in URL
  $startrow = 0;
//otherwise we take the value from the URL
} else {
$startrow = (int)mysql_real_escape_string($_GET['pg']);
}

Whenever I try to add mysql_real_escape_string(); to the $_GET[‘pg’) in the !isset, the code doesn’t execute and i get no error message.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-01T12:35:20+00:00

Don’t cast the pg value to an int. Instead, verify that it contains an integer value, or don’t execute the query. If you didn’t plan on executing a query (which we can’t see), then mysql_real_escape_string() is entirely the wrong tool since it needs a connection.

The appropriate thing to do is validate that the contents of $_GET['pg'] is an integer, not to escape it.

Since is_numeric() will return TRUE for non-integer real numbers, I tend to use ctype_digit() to validate positive integers. If you need the possibility of negative integers as well, you can use ctype_digit(abs($_GET['pg']))

if (!isset($_GET['pg']) or !ctype_digit($_GET['pg'])) {
   // it wasn't an integer
   // initialize to your default value
}
else {
  // $_GET['pg'] *has to be a valid int* or we wouldn't have entered the else block
  // no need to escape or further process it - it's safe to use
}

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Here’s the code: //check if the starting row variable was passed in the URL

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply