Trying to validate and then sanitize $_GET requests. I just want to see if I am missing anything.
Here is what I have...
if (isset($_GET['id'])) {
    // FILTER_VALIDATE_INT returns the value as an int, or false when it is not a
    // well-formed integer. Compare with === false so that a legitimate id of 0
    // is not treated as an error the way `if (!$id)` would treat it.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if ($id === false) {
        echo 'Error';
        exit();
    }
    $id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT);
    // $link is the mysqli connection opened earlier in the script.
    $getinfo = mysqli_query($link, sprintf("SELECT column1, column2 FROM table WHERE id = '%s'", mysqli_real_escape_string($link, $id)));
    if (!$getinfo) {
        // mysqli_query() returns false on a failed query; fetching from false is an error.
        echo 'Error';
        exit();
    }
    $row = mysqli_fetch_assoc($getinfo);
    if (!$row) {
        echo 'Error';
        exit();
    }
    //execute rest of code
}
Also, I know I should be using PDO and I plan on converting everything to that at some point, but I want to know I am doing this the right way using mysqli right now.
I guess I'm somewhat confused too... if I'm using FILTER_VALIDATE_INT first, do I even need to use FILTER_SANITIZE_NUMBER_INT afterwards? I'm already checking whether or not it's purely INT...
edit: edited to add error handling for FILTER_VALIDATE_INT.
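An added example (not the asker's code) that puts the validate-versus-sanitize question to the test on constructed inputs and shows the same lookup done with a bound parameter; `$link`, `table`, `column1` and `column2` are taken as placeholders from the question, and `validate_id` and `fetch_by_id` are hypothetical names.

```php
<?php
// Added example, not code from the question. Compares what FILTER_VALIDATE_INT
// and FILTER_SANITIZE_NUMBER_INT each do with the same raw input.

// Validate an id parameter: returns the int, or null when the value is not a
// well-formed integer in the allowed range. Uses === false so that "0" is not
// mistaken for a failure the way `if (!$id)` would mistake it.
function validate_id(?string $raw, int $min = 1): ?int
{
    if ($raw === null) {
        return null;                       // parameter absent from the request
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min]]);
    return $id === false ? null : $id;
}

// Constructed sample inputs, as they might arrive in $_GET['id'].
$samples = ['42', ' 42 ', '0', '-5', '+7', '007', '1e3', '12abc', '3-2', ''];

printf("%-10s %-10s %-10s\n", 'input', 'validate', 'sanitize');
foreach ($samples as $raw) {
    $validated = filter_var($raw, FILTER_VALIDATE_INT);
    $sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    printf("%-10s %-10s %-10s\n",
        var_export($raw, true),
        $validated === false ? 'false' : var_export($validated, true),
        var_export($sanitized, true));
}
// FILTER_SANITIZE_NUMBER_INT strips every character that is not a digit, '+'
// or '-' and returns a string; it rewrites malformed input instead of
// rejecting it. Once FILTER_VALIDATE_INT has returned a real int there is
// nothing left for it to remove, so the second filter_input() call only
// turns the validated int back into a string.

// Look up a row by id with a prepared statement instead of sprintf() plus
// escaping. $link is assumed to be an open mysqli connection; the table and
// column names are the placeholders used in the question.
function fetch_by_id(mysqli $link, int $id): ?array
{
    $stmt = $link->prepare('SELECT column1, column2 FROM `table` WHERE id = ?');
    $stmt->bind_param('i', $id);           // bound as an integer, never interpolated
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Run the script on the command line to see the comparison table; `fetch_by_id()` is only called once a real connection is available, e.g. `fetch_by_id($link, validate_id($_GET['id'] ?? null) ?? exit('Error'))`.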