I want to write a form that will filter a database table. My two inputs are min_price and max_price I need the table to filter using GET variable so my visitors can bookmark the results. however , i notice if I type randomness into my URL then i get a sql error what can i do to validate these too inputs? also make where if nothing is entered it still works? but most off all not allow errors if someone malicously messes with URL
http://forums.digitalpoint.com/showthread.php?t=445907 And do that on ALL variables you put in your query strings.
that prevents sql injections but if i expect my url to be ?min_price=0.1&max_price=2.3 then someone comes in and enters ?min_price=abadabdo&max_price=2.3 it is breaking my conditions and showing the error with all my server info
Yes, because you're allowing strings where only float values should be allowed. If you convert the input to what it should be, there won't be errors. $_GET['min_price'] = floatval($_GET['min_price']); PHP: http://www.php.net/floatval
oooh thats cool, so that will knock out all text etc will it still alllow a number with no decimal, i wish there was an "only allow values that exist in database"
Absolutely. If they type "min_price=abadabdo", it will convert that to "0". However, instead of using that directly in your database query, one solution would be to use is_numeric on each of the min_price and max_price. If it's false, just don't add that to the sql WHERE statement. This would also allow the user to just enter a minimum, maximum, or neither price (which would show all results from the database). Off the top of my head... $sql = "SELECT * FROM Products WHERE (...blah blah...)"; // Add price check if (isset($_GET['min_price']) && is_numeric($_GET['min_price'])) { $sql .= " AND Price >= " . floatval($_GET['min_price']); } if (isset($_GET['max_price']) && is_numeric($_GET['max_price'])) { $sql .= " AND Price <= " . floatval($_GET['max_price']); } $result = mysql_query($sql); PHP:
just for clarification and i do thank you so much if they type something like alsjfas in to min_result it would return zero if they type asdfsafda into max_result i would want it to return NOT ZERO point is I would rather it not return anything at all if it is not a float so it would pull up all results also what would happen if htye put a higher number in for the min rather than max