pagination security problems

kkonline

9:40 am on Aug 24, 2007 (gmt 0)


Below is an extract of my pagination script.
If ?page=123 then page=123 and it's OK,
but when I write ?page=<---something else---> it should print "invalid query",
but it just gives me a blank page.

What should I do so that only a number is valid, to prevent security attacks?
And if ?page=34.365 then it should also be invalid.

[php]
if (!isset($_GET['page'])) {
    $page = 1;                        // no parameter: default to the first page
} else {
    if (is_numeric($_GET['page'])) {
        // is_numeric() also accepts floats such as 34.365 and strings like "1e3"
        $page = trim(mysql_real_escape_string($_GET['page']));
    } else {
        echo "invalid query";
        exit;
    }
}[/php]

d40sithui

12:07 pm on Aug 24, 2007 (gmt 0)


Data retrieved from the superglobals will always be strings.

is_numeric will check if it is...well, numeric, whether float or int.
is_int will not work, as it will see $page as a string.

What you can do is type cast the $page var to make it an int. Doing so will round your $page to an integer. If $page is not a number (a letter or special char), typecasting to int will make $page a zero.

<?php
// Cast the raw string to int: non-numeric input becomes 0
$page = (int)$_GET['page'];
// 0 (from junk or a missing parameter) and negatives fall back to page 1
if (empty($page) || $page <= 0) {
    $page = 1;
}
?>
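An added example, not code from either post, that addresses the original question directly: the `(int)` cast silently turns `"34.365"` into `34` and `"123abc"` into `123`, so it accepts values the asker wanted rejected. `filter_var()` with `FILTER_VALIDATE_INT` returns `false` for anything that is not a whole number inside the given range, and the validated integer is then bound as an integer in a prepared statement rather than escaped into the query string. The function names, the `$max` bound, the `posts` table and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not code from the thread: validate ?page as a positive
// integer with filter_var(), then bind it as an integer in a prepared query.
// Function names, the $max bound and the table name are assumptions.

declare(strict_types=1);

function validate_page($raw, int $max = 100000): int
{
    if ($raw === null) {
        return 1;                               // ?page absent: first page
    }
    // FILTER_VALIDATE_INT returns false for "34.365", "123abc", "abc", ""
    // and for anything outside [min_range, max_range]; unlike (int) it never
    // turns junk into 0 or truncates a float, so invalid input is detectable.
    $page = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    if ($page === false) {
        throw new InvalidArgumentException('invalid query');
    }
    return $page;
}

function page_offset(int $page, int $per_page = 20): int
{
    return ($page - 1) * $per_page;
}

// Fetch one page using bound integer parameters instead of interpolating the
// value into the SQL text. $pdo is a connected PDO instance (assumed; not
// created here so the rest of the script runs offline).
function fetch_page(PDO $pdo, int $page, int $per_page = 20): array
{
    $stmt = $pdo->prepare(
        'SELECT id, title FROM posts ORDER BY id LIMIT :lim OFFSET :off'
    );
    $stmt->bindValue(':lim', $per_page, PDO::PARAM_INT);
    $stmt->bindValue(':off', page_offset($page, $per_page), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs, shaped like $_GET['page'] (always strings, or
// null when the parameter is missing).
$samples = ['123', '1', '0', '-5', '34.365', '123abc', "' OR 1=1 --", null];
foreach ($samples as $raw) {
    $shown = var_export($raw, true);
    try {
        $page = validate_page($raw);
        printf("%-14s -> page %d, offset %d\n", $shown, $page, page_offset($page));
    } catch (InvalidArgumentException $e) {
        printf("%-14s -> %s\n", $shown, $e->getMessage());
    }
}
```

Of the constructed samples only `'123'`, `'1'` and the missing parameter pass; `'0'` and `'-5'` fail the `min_range` check, and `'34.365'`, `'123abc'` and the quote-bearing string are rejected outright rather than being truncated to a number. Because `fetch_page()` binds `LIMIT` and `OFFSET` with `PDO::PARAM_INT`, the query text never contains user-supplied characters, which is what `mysql_real_escape_string()` in the original snippet was trying to guarantee.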