1

I'm using php and mysql. When a user clicks submit button the GET query string is like this:

http://mywebsite.com/category/section?article=1

And I query like this:

"SELECT * FROM article WHERE art_id='$article' "

art_id is an int(11) datatype but it accepts a value with letters if I have the correct number as prefix like : http://mywebsite.com/category/section?article=1asd. If I pass all letters (?article=asd) it won't accept but if I pass a number with letter (?article=12asd) it does accept and returns the article with art_id of 12. How can I prevent this?

I've tried it directly on MySQL command line client and it accepts the value with letters in it.

1
  • Just remove the single quotes around the variable in the statement art_id='$article' Commented Mar 15, 2014 at 4:26

3 Answers

5

You can check in your code with an if condition:

You can check your GET variable 'article' before passing it into the MySQL query to prevent the issue you are facing:
solution 1: if(is_numeric($_GET['article'])){your query}
solution 2: intval($_GET['article']);//cast the variable and then pass into query
solution 3: if(is_int($_GET['article'])){your query}

Hope these solutions work for you.
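The behaviour in the question comes from MySQL comparing a string against an int(11) column: in a numeric comparison '12asd' is converted to 12 (with a truncation warning) and 'asd' to 0. The following is an added example, not code from the question or any of the answers: it runs the validators the answers mention (is_int, is_numeric, intval, plus ctype_digit and filter_var with FILTER_VALIDATE_INT) over the inputs from the question, and then binds the validated integer as a prepared-statement parameter so the database never sees a string and the interpolated `'$article'` from the question is no longer part of the SQL text. The PDO DSN, credentials and the `fetchArticle` function are assumptions for illustration.

```php
<?php
// Added example (not from the question or answers). Assumes a PDO connection
// to a table `article` with an int(11) column `art_id`; the connection details
// below are placeholders.
declare(strict_types=1);

/**
 * Side-by-side results of the validators discussed in the answers.
 * is_int() is always false here because every $_GET value arrives as a string.
 * intval() silently turns "12asd" into 12 and "asd" into 0, which is the same
 * lenient conversion MySQL applied in the question.
 */
function compareValidators(string $raw): array
{
    return [
        'is_int'          => is_int($raw),
        'is_numeric'      => is_numeric($raw),   // also accepts "1e3"
        'ctype_digit'     => ctype_digit($raw),  // digits only, no sign or whitespace
        'intval'          => intval($raw),
        'filter_validate' => filter_var($raw, FILTER_VALIDATE_INT), // int or false
    ];
}

/**
 * Return the article id as an int, or null if the request parameter is not a
 * plain positive decimal integer. FILTER_VALIDATE_INT rejects "12asd", "asd",
 * "1e3" and leading-zero forms such as "012".
 */
function articleIdFromRequest(array $get): ?int
{
    if (!isset($get['article']) || !is_string($get['article'])) {
        return null;
    }
    $id = filter_var($get['article'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/** Hypothetical lookup: the id is bound as an integer, never interpolated. */
function fetchArticle(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM article WHERE art_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: the three cases from the question plus some edge cases.
foreach (['12', '12asd', 'asd', '1e3', '012', '-1'] as $raw) {
    printf("%-8s %s\n", var_export($raw, true), json_encode(compareValidators($raw)));
}

$id = articleIdFromRequest($_GET);
if ($id === null) {
    http_response_code(400);
    exit('invalid article id');
}

// Placeholder connection details; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=mywebsite;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$article = fetchArticle($pdo, $id);
```

Of the three solutions above, is_numeric() also lets through values such as "1e3" that are not article ids, and intval() turns "12asd" into 12 just as MySQL did, so validating with FILTER_VALIDATE_INT and then binding the result as PDO::PARAM_INT gives both the strict check the question asks for and protection against the string interpolation in the original query.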


0

In your table change int(11) to varchar(11) provided it is not a PK. In this scenario you can include variable characters.

0

The solution is: if(isset($_GET['article']) && is_numeric($_GET['article'])){your query} // Add the isset function for unset variables and the is_numeric function for numeric validation. Good luck!