Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is it safe to do smth like this in first if on the page ctype_digit(base64_decode(trim($_POST['id']) or i should first create variable inside if and assign trim($_POST['id']) to it because they might have put some crazy thing in it that might overflow base64_decode or ctype_digit for example or i am overemphasizing?
I would say that you are being careful enough by doing that. However, in most cases the correct way to code would be to create a variable, like $id, and assign it the value of your post variable. This is because allot of developers have to work with templates, and as a PHP programmer your task would be to take post / get input and database rows, and make them available to templates as easy to access variables and arrays.
Your example makes your script safe when you are expecting a numerical id. If you are expecting a string, usually to be used in an SQL statement, then you will need to take further steps. Even the cleanest string can be used for SQL injection. That’s where prepared statements should be used.
http://www.php.net/manual/en/mysqli.prepare.php
http://www.php.net/manual/en/class.mysqli-stmt.php