Reputation: 41
I have a pagination issue:
$num_por_pagina = 5;
$paginac = $_GET[paginac];
if (!$paginac) {
$paginac = 1;
}
I would like to accept only integer numbers to avoid PHP / SQL injection.
For example accessing:
http://www.mysite.com/index.php?paginac=3.3 or http://www.mysite.com/index.php?paginac=3,3
Resulting in: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '4.6, 2' at line 7
From:
accessing www.mysite.com/index.php?paginac=3.3 or www.mysite.com/index.php?paginac=3,3
Resulting in the error: this page isn't active.
Upvotes: 3
Views: 177
Reputation: 16905
If you know you're going to receive a number (or should for that matter), you can cast it as a first line of defense:
$paginac = (int) $_GET['page'];
page represents a constant. You should use quotes for the key.
If you receive a non-numeric string, you will simply request page 0 instead.
Second, you will want to read up about how to prevent injections properly, rather than just using some hacks to get it right most of the time.
Upvotes: 1
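The cast above stops the syntax error, but the answer's second point is the one that matters: the page number should never be interpolated into the SQL string at all. The following is an added example, not code from the question or the answer, that validates the page number as a bounded integer and binds it to a prepared statement. It assumes a PDO connection named $pdo and a hypothetical table `posts` with columns `id` and `title`; neither appears in the original post.

```php
<?php
// Added example (not from the original answer): validate the page number as a
// bounded integer, then pass it to MySQL as a bound parameter instead of
// interpolating it into the query string.
// Assumptions (hypothetical): a PDO connection $pdo and a table `posts`
// (id, title); the query is plain LIMIT/OFFSET pagination.

const PER_PAGE = 5;

// Returns a positive integer page, or 1 when the input is missing or not an
// integer. FILTER_VALIDATE_INT rejects "3.3", "3,3", "1e3" and "0x1A", where
// (int) would silently truncate or zero them. An array (paginac[]=1) also
// fails validation, because filter_var() returns false for arrays unless
// FILTER_REQUIRE_ARRAY is requested.
function pageFromInput($raw): int
{
    $page = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000000],
    ]);
    return $page === false ? 1 : $page;
}

function fetchPage(PDO $pdo, int $page): array
{
    $offset = ($page - 1) * PER_PAGE;
    // LIMIT/OFFSET must not be quoted strings in MySQL, so bind them with
    // PDO::PARAM_INT; with emulated prepares PDO would otherwise quote them
    // and produce exactly the kind of syntax error seen in the question.
    $stmt = $pdo->prepare(
        'SELECT id, title FROM posts ORDER BY id LIMIT :limit OFFSET :offset'
    );
    $stmt->bindValue(':limit', PER_PAGE, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in index.php (DSN and credentials are assumed):
// $pdo = new PDO('mysql:host=localhost;dbname=mysite;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
// ]);
// $paginac = pageFromInput($_GET['paginac'] ?? null);
// $rows = fetchPage($pdo, $paginac);
```

With the value bound as an integer, inputs such as `3.3`, `3,3` or `3' OR 1=1 --` never reach the SQL parser; they fall back to page 1 (or can be turned into a 404, if a silent fallback is not wanted).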
Reputation: 12830
Missing quotes
$paginac = $_GET["paginac"];
Also, in
www.mysite.com/index.php?page=3.3
you are passing "page" as the GET parameter; catch that parameter and not "paginac":
$paginac = $_GET["page"];
If you are getting an error in MySQL, please post the code for that too.
Upvotes: 1
Reputation: 805
I would do something like this:
if ($paginac < 2)
{
$paginac = 1;
}
PHP will cast the variable to 1 if it's a string anyway, so this method will cast any text to 1 and also helps against negative numbers.
Upvotes: -1
Reputation: 7040
It looks as though your test for is_numeric() is still allowing the SQL statement to be written and executed, which is throwing your error.
Make sure that if the GET variable is not numeric that the query does not execute.
Also, use quotes when accessing associative array indices. If you're passing paginac through get:
$paginac = $_GET['paginac'];
If you're passing page through get:
$paginac = $_GET['page'];
Upvotes: 0
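To see why an is_numeric() test lets the question's inputs through, the following added example (not code from the answer or the question) runs the checks discussed in this thread over a constructed set of inputs, including the ones from the question, and shows a guard that refuses to build the query when the strict check fails. The sample inputs and the pageOrNull() helper are this example's own.

```php
<?php
// Added example (not from the original answer): compare is_numeric(), (int),
// ctype_digit() and FILTER_VALIDATE_INT on constructed inputs, then only
// allow the query to run when the strict integer check passes.

// Constructed sample inputs; the first three come from the question.
$samples = ['3', '3.3', '3,3', '1e3', '0x1A', ' 3', '-1', '0', 'abc', '', "3' OR 1=1 -- "];

function checks(string $raw): array
{
    return [
        // true for "3.3", "1e3", " 3" and "-1": is_numeric() is not an integer test
        'is_numeric'   => is_numeric($raw),
        // "3.3" -> 3, "abc" -> 0, "1e3" -> 1000 (PHP >= 7.1): truncates instead of rejecting
        '(int)'        => (int) $raw,
        // digits only, so "0" and "007" pass; empty string fails
        'ctype_digit'  => ctype_digit($raw),
        // false for everything that is not an integer >= 1 (surrounding whitespace is trimmed)
        'validate_int' => filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]),
    ];
}

// Returns the page number, or null when the query must not be built or run.
function pageOrNull($raw): ?int
{
    if (!is_string($raw)) {            // paginac[]=1 arrives as an array
        return null;
    }
    $page = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $page === false ? null : $page;
}

foreach ($samples as $s) {
    printf("%-18s %s\n", var_export($s, true), json_encode(checks($s)));
}

// In index.php (hypothetical): stop before any SQL is assembled.
// $page = pageOrNull($_GET['paginac'] ?? null);
// if ($page === null) {
//     http_response_code(404);
//     exit("this page isn't active");
// }
```

The printed table makes the answer's point concrete: is_numeric() returns true for `3.3`, so a query built after that check still reaches MySQL with `LIMIT 4.6, 2`; only the FILTER_VALIDATE_INT column rejects every non-integer input, and pageOrNull() returns null for those so no statement is executed.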