I'm using the following code
$query = "SELECT * FROM raids WHERE RaidNum = '".$_GET["RaidNum"]."'";
which catches the value from /raiddisplay.php?RaidNum=r75
My question is: is this entirely safe? Can the value be exploited in some way to do something nasty, and are there ways in which you can cleanse it? I tried to look up example usage of it, but most were horribly complex and I really didn't know where to start with it. Basically I want to make sure that somebody doesn't purposely put a value into the browser address bar that could have nasty adverse effects.
It is entirely not safe. Let's assume I visited
/raiddisplay.php?RaidNum=';drop%20table%20raids;-- , then I would effectively drop your table instead of reading a record. The best solution is to use
prepared statements. Some may suggest using mysql_real_escape_string, but even that is old and cumbersome. Although it is safe in itself, you must remember to always apply it. Using prepared statements with parameters, or a library that creates the statements for you, you are always safe. I think the easiest way to use this feature is to use PDO, or PHP Data Objects.
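To make the answer concrete, here is an added example (not code from the question or the answer) that puts the original string-built query next to the PDO prepared statement the answer recommends, and runs both against an in-memory SQLite database so it works offline. The table layout, the two rows, and the function names are assumptions made up for the demo. The payload is a single-statement tautology (`x' OR '1'='1`) rather than the stacked `DROP TABLE` from the answer, so it shows the effect without needing multi-statement execution.

```php
<?php
// Added example, not from the original post: vulnerable lookup vs. PDO
// prepared statement. Schema and rows below are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec("CREATE TABLE raids (RaidNum TEXT PRIMARY KEY, Boss TEXT, Loot TEXT)");
$pdo->exec("INSERT INTO raids VALUES ('r75', 'Onyxia', 'Head of Onyxia'),
                                     ('r76', 'Ragnaros', 'Sulfuras')");

// Same construction as the question: the GET value is pasted into the SQL text,
// so a quote in the value changes the structure of the query.
function vulnerableLookup(PDO $pdo, string $raidNum): array
{
    $query = "SELECT * FROM raids WHERE RaidNum = '" . $raidNum . "'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix: the SQL is fixed at prepare() time and the value travels as a
// bound parameter, so it can never be parsed as SQL.
function safeLookup(PDO $pdo, string $raidNum): array
{
    $stmt = $pdo->prepare('SELECT * FROM raids WHERE RaidNum = :raidNum');
    $stmt->execute([':raidNum' => $raidNum]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-ins for $_GET["RaidNum"]: the normal link, and a tampered address bar.
$normal   = 'r75';
$tampered = "x' OR '1'='1";   // closes the quote, makes the WHERE clause always true

printf("vulnerable, normal input:   %d row(s)\n", count(vulnerableLookup($pdo, $normal)));
printf("vulnerable, tampered input: %d row(s)\n", count(vulnerableLookup($pdo, $tampered)));
printf("prepared, normal input:     %d row(s)\n", count(safeLookup($pdo, $normal)));
printf("prepared, tampered input:   %d row(s)\n", count(safeLookup($pdo, $tampered)));
```

With the tampered value, `vulnerableLookup` returns every row in the table because the injected `OR '1'='1'` is true for each of them, while `safeLookup` returns nothing: the whole string `x' OR '1'='1` is compared literally against `RaidNum` and matches no row. When you point this at MySQL instead of SQLite, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared on the server rather than having PDO quote the values client-side.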