Mko Posted April 12, 2012

Basically, I have the following code ($c2 is my connection variable):

$rid = $_GET['id'];
$q = mysql_query("SELECT * FROM reports WHERE id = $rid", $c2) or die(mysql_error());
$report = mysql_fetch_array($q);

$report is used later on to gather more information that is outputted to the user. However, if in the URL someone were to put id=1', they would have an error message spit out to them (something along the lines of: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1), indicating a SQL injection exploit. How would I go about fixing this, and also preventing SQL injection?

Thanks a bunch,
Mark

https://forums.phpfreaks.com/topic/260835-preventing-sql-injections-being-able-to-fetch-an-array/
Psycho Posted April 12, 2012

I assume the id should be an integer. So, just force it to be one:

$rid = (int) $_GET['id'];
Mko (Author) Posted April 12, 2012

> I assume the id should be an integer. So, just force it to be one:
> $rid = (int) $_GET['id'];

That works! Silly me for forgetting about that, thanks again.
samshel Posted April 12, 2012

die(mysql_error()) is an extremely useful tool for debugging; however, I would not use it in production code. Once everything is fixed, I would handle it more efficiently by passing the error to a user-defined function, which logs/mails you and redirects the user to a more user-friendly error message. Showing half-baked queries and error messages to the user is shabby and insecure, especially on "open to the public" websites.

PS: You still need to handle the errors.
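The two points made in this thread, validating the id before it touches SQL (Psycho's cast) and never showing raw database errors to visitors (samshel's post), combined into one PHP example. This is an added example, not code posted by anyone in the thread. It assumes a PDO connection rather than the thread's ext/mysql functions (which were removed in PHP 7), and the table name reports and column id come from the original question; the DSN, credentials and function name fetchReport are placeholders I made up for the illustration.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection to the same
// database the thread's $c2 pointed at. Table/column names are from the thread;
// DSN, credentials and the function name are placeholders for illustration.
declare(strict_types=1);

/**
 * Look up one row of `reports` by id.
 *
 * Returns the row as an associative array, or null when the id is not a
 * positive integer or no such report exists. Database failures are logged
 * for the developer and rethrown so the caller can show a generic page.
 */
function fetchReport(PDO $pdo, $rawId): ?array
{
    // Step 1: validate the input before it goes anywhere near SQL.
    // FILTER_VALIDATE_INT returns false for "1'", "abc", "1.5", arrays, etc.;
    // min_range additionally rejects 0 and negative ids. This is a stricter
    // form of the thread's (int) cast, which would silently turn "1'" into 1.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Step 2: a prepared statement sends the value separately from the query
    // text, so whatever the client submits can never be parsed as SQL.
    try {
        $stmt = $pdo->prepare('SELECT * FROM reports WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Step 3: the real message (query text, MySQL error) goes to the log,
        // never to the browser, which is what the thread's die(mysql_error()) did.
        error_log('report lookup failed: ' . $e->getMessage());
        throw $e;
    }

    return $row === false ? null : $row;
}

// --- usage, mirroring the original page's flow ---------------------------------

// Placeholder DSN and credentials: assumption, replace with real values.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures become exceptions
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

try {
    $report = fetchReport($pdo, $_GET['id'] ?? '');
} catch (PDOException $e) {
    http_response_code(500);
    exit('Something went wrong. Please try again later.'); // generic, no query details
}

if ($report === null) {
    http_response_code(404);
    exit('Report not found.');
}

// $report is now an associative array, used the way mysql_fetch_array($q) was.
```

With this in place a request for id=1' never reaches the database at all: filter_var rejects it and the page answers 404. If the database itself fails, the visitor sees only the generic message while the full PDOException text lands in the server log via error_log, which is the logging/friendly-message split samshel describes.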