Question

I have some links structured as follows...

http://domain.com?problem_id=23&course_id=4

The expected values from the GET "fields" (problem_id and course_id) are to be integers. Can I validate this data by simply saying...

if (is_numeric($_GET['problem_id'])){
   //It's safe, so do stuff.
} else {
   echo 'It appears you submitted a problem incorrectly.  Please contact us for assistance';
   exit;
}

Or is this still open to nastiness like sql injection, etc.?

PROPOSED SOLUTION

// Check the raw query-string value first: ctype_digit() on an int treats values
// from -128 to 255 as an ASCII code (and non-string arguments are deprecated since PHP 8.1),
// so casting before the check would make ctype_digit(23) return false.
if (ctype_digit($_GET['problem_id'] ?? '')){
   $int_problem_id = (int) $_GET['problem_id'];
   //It's safe, so do stuff.
} else {
   echo 'It appears you submitted a problem incorrectly.  Please contact us for assistance';
   exit;
}

Solution

Yes, it is a solution. Also, you can additionally cast to int.

$integer = (int) $_GET['problem_id'];

You should secure all the input for your database even though numeric values will do no harm as they do not contain special symbols.

OTHER TIPS

You would have ensured that ?problem_id= is numeric. All of your other fields may still be at risk though, so this isn't the proper way of securing against SQL injection. You should look into PDO and MySQLi, and their bindParam/bind_params functions.
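Putting the two answers together, as an added example that is not from the question or either answer: each id is validated as a base-10 integer (rejecting inputs such as "1e3", "23.5" or an array value that is_numeric() or ctype_digit() would handle differently), and the validated values are still passed to the query as bound parameters. The table and column names, the DSN and the credentials are placeholders.

```php
<?php
// Added example (not from the question or answers): validate the two ids from the
// query string as integers, then bind them in a PDO prepared statement.
// Table/column names, DSN and credentials below are placeholders.

/**
 * Return the parameter as an int, or null if it is not a plain base-10 integer.
 * FILTER_VALIDATE_INT rejects "1e3", "23.5" and "0x17" (all accepted by is_numeric()),
 * and the is_string() check rejects array values such as ?problem_id[]=1.
 */
function read_int_param(array $params, string $name, int $min = 1): ?int
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return null;
    }
    $value = filter_var($params[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min],
    ]);
    return $value === false ? null : $value;
}

$problem_id = read_int_param($_GET, 'problem_id');
$course_id  = read_int_param($_GET, 'course_id');

if ($problem_id === null || $course_id === null) {
    http_response_code(400);
    echo 'It appears you submitted a problem incorrectly. Please contact us for assistance';
    exit;
}

// Even an already-validated integer goes in as a bound parameter, so the SQL text never
// contains user data. Emulated prepares are disabled so the server performs the binding.
$pdo = new PDO('mysql:host=localhost;dbname=example', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$stmt = $pdo->prepare(
    'SELECT id, title FROM problems WHERE id = :problem_id AND course_id = :course_id'
);
$stmt->bindValue(':problem_id', $problem_id, PDO::PARAM_INT);
$stmt->bindValue(':course_id',  $course_id,  PDO::PARAM_INT);
$stmt->execute();
$problem = $stmt->fetch(PDO::FETCH_ASSOC);
```

The same read_int_param() check should be applied to every other integer field the page accepts, since one validated parameter does not protect the others.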

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow