php - SQL Injection Prevention - GET_VARS
I have a URL which, when valid, looks like this:
site.com/page.php?id=12345
I'm trying to understand if we're vulnerable to SQL injection. In this particular instance, the value should be a positive integer, since it's an id number. We use other variables for letters or strings of text, for example on search results pages.
An example of the code used to extract the id variable is here:
    $variable = "0";
    if (isset($HTTP_GET_VARS["id"])) {
        $variable = (get_magic_quotes_gpc()) ? $HTTP_GET_VARS["id"] : addslashes($HTTP_GET_VARS["id"]);
    }
In instances where we get a variable from the URL, we've approached it this way.
Is this doing anything to prevent SQL injections?
Should we be using mysql_real_escape_string?
I've been reading about prepared statements, but it seems daunting, as we use these variables all over the place on the site - lots of pages and queries. Going through and replacing them isn't viable in the short or mid term.
If there is an alternative way to go about validating the data without prepared statements, advice is appreciated.
Thanks in advance.
Is this doing anything to prevent SQL injections?
No.
Should we be using mysql_real_escape_string?
No.
Is there an alternative way?
No.
Every way will require rewriting the code - one way or another.
However, the choice is yours.
If the site's value isn't worth the effort required to rewrite it - well, keep it as is.
If the value is high - try to hire someone for the job, for example.
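What the rewrite the answer calls for looks like in practice, as an added example that is not code from the question or the answer: the integer `id` from the question is validated for shape and then bound to a prepared statement, and a free-text search parameter is handled the same way. It assumes a MySQL database reachable with the DSN and credentials shown and a table `pages` with an integer `id` and a text `title`; all of those are assumptions.

```php
<?php
// Added example, not code from the question or the answer. The DSN,
// credentials and the `pages` table (columns `id`, `title`) are assumptions.

$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Integer id, as in page.php?id=12345. Validate the shape first:
// FILTER_VALIDATE_INT rejects anything that is not a plain integer, and
// min_range rejects 0 and negatives. $_GET is the current name for $HTTP_GET_VARS.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('invalid id');
}

// Then bind it. The SQL text is fixed at prepare time; the value is sent
// separately, so nothing the client supplies can change the query's structure.
// No addslashes() or mysql_real_escape_string() is involved.
$stmt = $pdo->prepare('SELECT id, title FROM pages WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$page = $stmt->fetch(PDO::FETCH_ASSOC);

// Free-text input (a search page) is handled the same way: no escaping, just
// binding. LIKE wildcards (% and _) in the input still affect matching, but
// they cannot alter the query.
$q = (string)($_GET['q'] ?? '');
$stmt = $pdo->prepare('SELECT id, title FROM pages WHERE title LIKE :q LIMIT 20');
$stmt->bindValue(':q', '%' . $q . '%', PDO::PARAM_STR);
$stmt->execute();
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The same two steps (validate the shape, then bind) apply to every page that reads a query-string variable, which is the rewrite the answer refers to.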