Andrew

Reputation: 233

Simple GET validation

I have $_GET[] input and would like to validate it. The input data is always a number, per the schema below. I want to make sure that a number is passed and that it has the right number of digits, so it does not break the SQL query.

At the moment I am using this procedure:

$cc = $_GET['cc'];
// fall back to a known value when the parameter is empty
if ($cc == '') $cc = '9012';
// strip path-like characters from the value
$find    = array("..", "/", "\\");
$replace = array("", "", "");
$cc = str_replace($find, $replace, $cc);

$eic = $_GET['eic'];
... etc.

// where e.g. 9012 is real, existing data (in the database), to generate a secure SQL query

$_GET[] variable data schema

$_GET['cc']  - always 4 digits
$_GET['eic'] - always 4 digits
$_GET['iy']  - always 4 digits
$_GET['ir']  - always 1 digit

Can you show me a better way to secure my GET?

Upvotes: 0

Views: 168

Answers (3)

theEdgeOfChaos

Reputation: 99

A change in the number of digits in a variable crashes the query

Well, the whole point of validation is that you "validate" data and don't even bother disturbing your SQL database in case the data has not been validated. Why would you bother executing a query which you know to be invalid?

I don't really agree with using intval() for validation. With intval(), you're forcefully changing the value inputted by the user, which is not really validation. A better method would be to use is_int() instead.

For security? Nothing beats "Prepared Statements":

http://php.net/manual/en/pdo.prepared-statements.php

Upvotes: 0

user1048311

Reputation:

You can force numeric values by using intval(). You can't, however, represent values with a leading 0 like 0123 using this method.

If you don't have values with leading zeros use this:

<?php
    // intval() turns anything non-numeric into 0 and drops leading zeros
    $_GET['cc'] = isset($_GET['cc']) ? intval($_GET['cc']) : 0;

    // Keep the value only if it is exactly 4 digits long;
    // otherwise replace 0 with your default/error value
    if (strlen((string) $_GET['cc']) != 4) {
        $_GET['cc'] = 0;
    }

    // Repeat the steps above for all parameters...
?>

Upvotes: 0

Johan Svensson

Reputation: 872

If the value you're getting is always a digit you can use the intval() function in PHP to make sure it's an int.

$eic = intval($_GET['eic']);

http://php.net/manual/en/function.intval.php

Upvotes: 1
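Putting the three answers together, here is an added example (not code from the question or any of the answers) that checks the four parameters against the digit counts the question states, keeps them as strings so leading zeros survive, and then binds them with a PDO prepared statement; the database name, credentials, table and column names are assumptions.

```php
<?php
// Added example, not part of the original thread.
// Digit count each $_GET parameter must have, taken from the question's schema.
$schema = array(
    'cc'  => 4,
    'eic' => 4,
    'iy'  => 4,
    'ir'  => 1,
);

// Returns the validated parameters, or null if any one is missing or malformed.
// Values stay strings so "0123" is accepted as-is (intval() would make it 123).
function validateGetParams(array $get, array $schema)
{
    $clean = array();
    foreach ($schema as $name => $digits) {
        if (!isset($get[$name]) || !is_string($get[$name])) {
            return null;   // missing, or an array like ?cc[]=1
        }
        // Anchored with \A and \z: exactly $digits ASCII digits and nothing else
        // ($ alone would still accept a trailing newline).
        if (!preg_match('/\A[0-9]{' . $digits . '}\z/', $get[$name])) {
            return null;
        }
        $clean[$name] = $get[$name];
    }
    return $clean;
}

$params = validateGetParams($_GET, $schema);
if ($params === null) {
    // Invalid input never reaches the SQL layer; reject the request instead.
    http_response_code(400);
    exit('Invalid parameters');
}

// Even after validation the values are bound, never interpolated into the SQL.
// Connection details, table and column names are assumed for illustration.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', array(
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
));
$stmt = $pdo->prepare(
    'SELECT * FROM readings WHERE cc = :cc AND eic = :eic AND iy = :iy AND ir = :ir'
);
$stmt->execute($params);   // array keys match the named placeholders
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```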
