EvilNabster

Reputation: 516

Secure $_GET & mysql usage?

So I am trying to make some sort of page with stories for example

if(!empty($_GET['page']) && ctype_digit($_GET['page'])) {
    $id = mysql_escape_string($_GET['page']); // in case ctype_digit didn't work well
    $pDatabase = Database::getInstance();
    $query = "SELECT * FROM stories WHERE id = '$id'";
    $result = $pDatabase->query($query) or die('Query failed: ' . mysql_error());
    if(mysql_num_rows($result) >0){
        //displaying current story
    }
    else {
        header('Location: ' . $_SERVER['HTTP_REFERER']);
    }
}
else {
    //Show all short stories
}

I want to make sure it is completely safe using the $_GET method and a mysql query this way; if it's not, please tell me what would be better in this case. Another thing that bothers me is that I run the query all the time. Is that right, or should I have some function that pre-reads all database info before the site is even launched? I mean, what if I want to store tags or the site title in the database? Would it be wrong to execute a mysql query for the title and tags of every page on every page load?

Upvotes: 0

Views: 80

Answers (1)

user3758531

You should not be using the MySQL functions built into PHP, because they are deprecated. Use MySQLi or PDO and learn about prepared statements. I will start by guiding you in the right direction. Trust me, it is worth your time to worry about this, because not using prepared statements could increase the chances of SQL injection.

MySQLi - http://php.net/manual/en/intro.mysqli.php

More about prepared statements with MySQLi - http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

PDO - http://www.php.net/manual/en/intro.pdo.php

More about prepared statements with PDO - http://www.php.net/manual/en/pdo.prepared-statements.php

Upvotes: 2
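To make the answer concrete, here is the asker's lookup rewritten with PDO and a prepared statement. This is an added example, not code from the question, the answer, or the PHP manual pages linked above. The DSN, credentials, table name stories and the columns id, title and body are placeholders; the function names connect, pageIdFromQuery and fetchStory are made up for this example.

```php
<?php
// Added example: the asker's "SELECT * FROM stories WHERE id = ..." lookup
// done with PDO prepared statements. DSN, credentials and column names are
// placeholders; adjust to the real schema.

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4'; // placeholder
    return new PDO($dsn, 'EXAMPLE_USER', 'EXAMPLE_PASSWORD', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of "or die"
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Validate the "page" parameter: it must be a string of digits that fits a
 * positive int. Returns null when it is absent or malformed, so the caller
 * never builds a query from an unchecked value.
 */
function pageIdFromQuery(array $get): ?int
{
    if (!isset($get['page']) || !is_string($get['page'])) {
        return null;                       // missing, or an array like ?page[]=1
    }
    $raw = $get['page'];
    if (!ctype_digit($raw) || strlen($raw) > 9) {
        return null;                       // length cap keeps (int) from overflowing
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/** Fetch one story by id; the id is bound as a parameter, never interpolated. */
function fetchStory(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM stories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$pdo = connect();
$id  = pageIdFromQuery($_GET);

if ($id === null) {
    // Show all short stories: no user input reaches this query at all.
    $stories = $pdo->query('SELECT id, title FROM stories ORDER BY id')->fetchAll();
    // ... render $stories, escaping each field with htmlspecialchars() on output
} else {
    $story = fetchStory($pdo, $id);
    if ($story === null) {
        // Unknown id: answer with 404 instead of redirecting to HTTP_REFERER,
        // which is supplied by the client and may be absent or arbitrary.
        http_response_code(404);
        exit('Story not found');
    }
    // ... render $story, again with htmlspecialchars() on every field
}
```

The two defences are independent and both worth keeping: pageIdFromQuery rejects anything that is not a positive integer before the database is touched, and bindValue with PDO::PARAM_INT sends the id separately from the SQL text, so even a validation slip cannot turn it into injected SQL. Turning ATTR_EMULATE_PREPARES off makes the prepare happen on the MySQL server rather than client-side string substitution in the driver.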
