leegold2
Technical User
- Oct 10, 2004
- 116
Below is a line of PHP code I'm using that is making me nervous. I want to ask what I can do in the target PHP file (details.php) to make sure nothing evil is done to me. Below I cite the one line in question:
$d_content_cut = $d_content.'...<a STYLE="color:goldenrod; border-bottom: 2px solid;" href=details.php?id='.$pg_id.'&Type_view=detail&Type_Submit='.$Type_Submit.'&key_word='.urlencode($highlight).'>more</a>';
Here's more info:
- $d_content_cut appears in an HTML table as some text with a link tagged on at the end of this text (as you can see). Click the link and you'll see more detail on that particular item on a new page called details.php.
- I'm doing a "GET".
- id='.$pg_id: This is the primary key for the MySQL DB item. It's an integer and I put it in a SELECT statement with mysql_query to get the record I need to show.
- &Type_view=detail&Type_Submit='.$Type_Submit: These are data I need to properly process the detail page. I hard code "detail" because I know if I am doing a GET from this stage in my code it's gotta be "detail". The var $Type_Submit can be one of four (4) strings, so at least I know if it's not one of those 4 it's bogus.
- '&key_word='.urlencode($highlight).'>more</a>';: $highlight could be anything because it's what the user entered as search keywords. Yes, I escaped it when I searched in MySQL, but in a GET a user could change it, couldn't they? I need to pass it along in the GET.
So what could I do, especially in details.php where I process this GET, to make sure evil is not done to me?
Thanks sincerely.
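One way to handle the three GET parameters on the details.php side, as an added example that is not the poster's code: id is accepted only as a plain integer and bound as a query parameter, Type_view and Type_Submit are matched against a whitelist, and key_word is treated as opaque data that is escaped when echoed. The four Type_Submit values, the table and column names, the DB credentials, and the use of mysqli prepared statements instead of mysql_query are all assumptions.

```php
<?php
// Added example (not the poster's code): validating the GET parameters
// that details.php receives before using any of them.
declare(strict_types=1);

const ALLOWED_TYPE_VIEW   = ['detail'];
// Placeholder names: the post says there are four legal values but does not list them.
const ALLOWED_TYPE_SUBMIT = ['type_a', 'type_b', 'type_c', 'type_d'];

// Returns the validated parameters, or null if any of them is bogus.
function validate_details_request(array $get): ?array
{
    // id: only a plain run of digits is acceptable ("-1", "1 OR 1=1", "" and
    // array-valued id[] all fail); the length bound keeps (int) from overflowing.
    $id = $get['id'] ?? '';
    if (!is_string($id) || !ctype_digit($id) || strlen($id) > 10) {
        return null;
    }
    // Type_view / Type_Submit: strict whitelist match, never used raw.
    $view   = $get['Type_view']   ?? '';
    $submit = $get['Type_Submit'] ?? '';
    if (!in_array($view, ALLOWED_TYPE_VIEW, true) || !in_array($submit, ALLOWED_TYPE_SUBMIT, true)) {
        return null;
    }
    // key_word: any text is legitimate search input, so only bound its length
    // and drop control characters; escaping happens at the point of output.
    $key = $get['key_word'] ?? '';
    if (!is_string($key)) {
        return null;
    }
    $key = preg_replace('/[\x00-\x1F\x7F]/', '', substr($key, 0, 200));
    return ['id' => (int) $id, 'type_view' => $view, 'type_submit' => $submit, 'key_word' => $key];
}

$req = validate_details_request($_GET);
if ($req === null) {
    http_response_code(400);
    exit('Bad request');
}

// Query: id goes in as a bound parameter, not interpolated into the SQL string.
$db   = new mysqli('localhost', 'user', 'pass', 'dbname'); // placeholder credentials
$stmt = $db->prepare('SELECT d_content FROM items WHERE id = ?'); // assumed table/column
$stmt->bind_param('i', $req['id']);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

// Output: the keyword is user-controlled, so escape it for HTML before echoing.
$safe_key = htmlspecialchars($req['key_word'], ENT_QUOTES, 'UTF-8');
echo '<p>Highlighting: ' . $safe_key . '</p>';
```

The same htmlspecialchars() call belongs around any value that is echoed back into the page, including the row content itself, since the risk is the HTML context rather than the particular parameter.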