This URL contains a parameter with text:
my-page.php?id_article=1&alias=article-name
The result after rewriting is:
1-article-name.php
For the id_article parameter, I made this security check:
if (isset($_GET['id_article']) && $_GET['id_article'] != null && $_GET['id_article'] >= 1 && $_GET['id_article'] <= 4 && (int) $_GET['id_article'])
What can I do for the alias parameter, which accepts text?
Firstly, does alias come from the database?
For your example:
The result after rewriting is:
My question is: what are you going to display in 1-article-name.php? Is the content retrieved from the MySQL database? If so, just use mysql_real_escape_string to sanitize the alias. Of course, first the alias must not be empty:
and then use mysql_real_escape_string.
Don't think that $_GET, $_POST, $_COOKIE, etc. are safe. Please kindly use the mysql_real_escape_string function to sanitize your variables: if you embed a string in some SQL targeting MySQL, you must escape the string with MySQL's function for this purpose.
Use htmlspecialchars: if you embed strings within HTML markup, you must escape them with htmlspecialchars. This means that every single echo or print statement should use htmlspecialchars.
Good luck.
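As an added example (not code from the question or from either answer above), here is one way to handle both parameters of my-page.php end to end: the id_article range check the asker describes, an allowlist check for alias instead of escaping it, a prepared statement for the lookup (used here in place of the mysql_real_escape_string approach the answers suggest), and htmlspecialchars at the output boundary. The articles table, its rows and the simulated requests are constructed for this example, and an in-memory SQLite database stands in for MySQL so the script runs stand-alone from the CLI.

```php
<?php
// Added example: validate id_article and alias, query with a bound
// statement, escape on output. The table layout, sample rows and request
// list below are constructed for this example; SQLite replaces MySQL only
// so that the script runs offline.

declare(strict_types=1);

// Accept only integers 1..4, which is what the asker's own check intends.
function validateIdArticle(array $get): ?int
{
    if (!isset($get['id_article'])) {
        return null;
    }
    $id = filter_var($get['id_article'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 4]]);
    return $id === false ? null : $id;
}

// Allowlist for the alias: lowercase letters, digits and single hyphens,
// at most 64 characters. Anything else is rejected rather than "cleaned",
// so quotes, slashes, angle brackets or NUL bytes can never get through,
// and the value is safe to reuse in a rewritten file name like 1-alias.php.
function validateAlias(array $get): ?string
{
    if (!isset($get['alias']) || !is_string($get['alias'])) {
        return null; // missing, or alias[]=... turned it into an array
    }
    $alias = $get['alias'];
    if (strlen($alias) > 64 || preg_match('/\A[a-z0-9]+(?:-[a-z0-9]+)*\z/', $alias) !== 1) {
        return null;
    }
    return $alias;
}

// Look the article up with a prepared statement. The alias is already
// validated, but it is still bound, never concatenated into the SQL, so the
// query stays safe even if the allowlist is loosened later.
function fetchArticle(PDO $pdo, int $id, string $alias): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, alias, title, body FROM articles WHERE id = :id AND alias = :alias'
    );
    $stmt->execute([':id' => $id, ':alias' => $alias]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape at the output boundary, once per echo.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Constructed fixture standing in for the MySQL table ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, alias TEXT, title TEXT, body TEXT)');
$ins = $pdo->prepare('INSERT INTO articles (id, alias, title, body) VALUES (?, ?, ?, ?)');
$ins->execute([1, 'article-name', 'First article', 'Hello <world> & "friends"']);

// --- Constructed requests, as $_GET would look for each URL ---
$requests = [
    ['id_article' => '1', 'alias' => 'article-name'],             // valid
    ['id_article' => '1', 'alias' => "article-name' OR '1'='1"],  // injection attempt
    ['id_article' => '9', 'alias' => 'article-name'],             // id out of range
    ['id_article' => '1', 'alias' => '<script>x</script>'],       // markup in alias
];

foreach ($requests as $get) {
    $id = validateIdArticle($get);
    $alias = validateAlias($get);
    if ($id === null || $alias === null) {
        echo "404: invalid request\n";
        continue;
    }
    $article = fetchArticle($pdo, $id, $alias);
    if ($article === null) {
        echo "404: no such article\n";
        continue;
    }
    // Database content is untrusted too: escape the title and body as well.
    echo '<h1>' . h($article['title']) . "</h1>\n";
    echo '<p>' . h($article['body']) . "</p>\n";
}
```

Only the first request reaches the query; the other three fail validation before any SQL runs. Note that the body stored in the fixture contains `<`, `&` and `"` and is rendered as escaped entities, which is the htmlspecialchars point the second answer makes.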