Home/ Questions/Q 8500675
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T01:00:37+00:00

I’m creating a basic blog and I’m using the following code. It’s collecting the

  • 0

I’m creating a basic blog and I’m using the following code.

It’s collecting the id (always a number) from the url and before I use, I wondered if anyone could check the security of the code and let me know if its ok?

I really don’t want any injections, etc, and I want to keep it as much secured as possible.

<?php
    if(is_numeric($_GET['id']) && $_GET['id'] > 0){

        include("connectionfile.php");

        $ia = intval($_GET['id']);
        $ib = mysql_real_escape_string($ia);
        $ic = strip_tags($ib);

        $qProfile = "SELECT * FROM #### WHERE id='$ic'  ";
        $rsProfile = mysql_query($qProfile);
        $row = mysql_fetch_array($rsProfile);
        extract($row);
        $title = trim($title);
        $post = trim($post);
        $date = trim($date);
        mysql_close();
    }else{
       echo 'hack error here';
    }
?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    $ia = intval($_GET['id']);
$ib = mysql_real_escape_string($ia);
$ic = strip_tags($ib);

    strip_tags is useless, because it is only relevant in an HTML context. Any one of the other two methods would be sufficient to prevent SQL injection. Generally, just use the appropriate escaping mechanism for the language you’re dealing with. In this case you’re dealing with SQL, so mysql_real_escape_string alone is fine. See The Great Escapism (Or: What You Need To Know To Work With Text Within Text) for a step-by-step approach to escaping.

    Better yet, learn PDO with prepared statements instead of the deprecated mysql_ functions, which solves the issue of SQL injection much better.

    • 0