Home/ Questions/Q 305433
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T07:22:23+00:00

<?php $id = intval($_GET[‘id’]); $sql = mysql_query(SELECT username FROM users WHERE id = $id);

  • 0
<?php

$id = intval($_GET['id']);

 $sql = mysql_query("SELECT username FROM users WHERE id = $id");
 $row = mysql_fetch_assoc($sql);

$user = htmlspecialchars($row['username']);

?>

<h1>User:<?php echo $user ?></h1>

Can you see any threats in the above code? Do I have to use htmlspecialchars on everything I output? And should i use is_numeric or intval to check so that the get is numeric?

I’m just building a minimal site. I’m just wondering if the above code is vulnerable to sql injection, xss?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Generally speaking mysql_real_escape_string() is preferred but since it’s a number, intval() is OK. So yes, it looks OK from a security perspective.

    One thing though, on many platforms, ints are limited to 32 bits so if you want to deal in numbers larger than ~2.1 billion then it won’t work. Well, it won’t work how you expect anyway.

    These sorts of security precautions apply to any form of user input including cookies (something many people forget).

    • 0