Filtering Database Between a Max and Min with decimals

I am looking for a secure php / sql statement to filter a database between a min and max number

i want to make sure and doesn't deliver errors if a person does or does not use a decimal and if they enter a higher number for min

thanks!

 

http://www.php.net/is_numeric will check the inputs are numeric for you. If you don't do, echo mysql_error(); in your code, the user would never see the SQL errors (if any).

Jay

 

is that sufficient to inject into a sql query

what would be the proper query?

 

Something like ...

$min = 123.45;
$max = 567.89;

$min = mysql_real_escape_string($min);
$max = mysql_real_escape_string($max);
$query = "SELECT * FROM `table` WHERE `min` > $min AND `max` < $max";
$result = mysql_query($query);
// ... Continue processing here ...

PHP:

Jay

 

should i use is_numeric with that?

 

If you want to test the data before you query the database with it, yes.

Jay

 

sorry i mean, where should i use is_numeric in the script above?

 

After the values for $min and $max have been set, before mysql_real_escape_string.

Jay

 

$min = 123.45;
$max = 567.89;

if(is_numeric($min) && is_numeric($max))
{
    $query = "SELECT * FROM `table` WHERE `min` > $min AND `max` < $max";
    $result = mysql_query($query);
    // ... Continue processing here ...
}else{
    //ERROR CODE TO GO HERE
}

PHP:

NOTE: If you use is_numeric() on the two values you will not need to escape the data with mysql_real_escape_string()