Topic: Protection when transmitting data via GET.
On the pages of my site I pass several variables via GET, that is, in the URL: ...?aa=3&bb=4&cd=100
The values of the variables are determined either by the program or by the user's actions, but the user never types anything in; they only select a picture link (and the values of the variables change accordingly). The variables are numeric only, with values from 0 to 100, i.e. no more than 3 characters.
1: How can I properly protect myself from SQL injection and the like?
I searched around on the Internet and for now decided to do this:
1) All variables arriving via GET are passed through mysql_real_escape_string();
2) Then the variables go through htmlspecialchars();
3) Then the variables go through htmlentities();
4) Then I check the length of the variables with strlen(). The check: if there are more than 3 characters, the variable is set to NULL.
5) I could also add a check on the length of the URL. If it is too long, it means the user entered something themselves, and all variables are set to NULL.
2: Is this protection OK?
IN ADDITION: My users do not enter anything; they only click on various picture links, and the values of the variables are formed as a result. But someone can add something extra in the URL line. On the pages of my site, the PHP code contains queries to the MySQL database of the form: $zapros=mysql_query ("SELECT * FROM aaa WHERE bb ='cc '"); or UPDATE.
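For parameters like the ones described in the post (integers from 0 to 100 used in a WHERE clause), a common way to handle them is a strict whitelist check followed by a bound query parameter, with HTML escaping applied only at output. This is an added example, not code from the original post; the helper names get_small_int and find_rows, the id column and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
declare(strict_types=1);

// Names taken from the post: parameters aa, bb, cd; table aaa; column bb.
// Assumption: an in-memory SQLite database stands in for the MySQL server
// so the example runs offline; with MySQL only the PDO DSN changes.

/** Return the parameter as an int in 0..100, or null if missing or malformed. */
function get_small_int(array $query, string $name): ?int
{
    $raw = $query[$name] ?? null;
    // Whitelist: a string of 1 to 3 ASCII digits. Arrays (?bb[]=4), signs,
    // spaces and any other characters are rejected, not "cleaned".
    if (!is_string($raw) || preg_match('/\A[0-9]{1,3}\z/', $raw) !== 1) {
        return null;
    }
    $value = (int) $raw;
    return $value <= 100 ? $value : null;
}

function find_rows(PDO $db, int $bb): array
{
    // The value is bound as a typed parameter and never concatenated into SQL.
    $stmt = $db->prepare('SELECT id, bb FROM aaa WHERE bb = :bb');
    $stmt->bindValue(':bb', $bb, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE aaa (id INTEGER PRIMARY KEY, bb INTEGER)');
$db->exec('INSERT INTO aaa (bb) VALUES (4), (4), (100)');

// Constructed query strings; in a real page the parsed array is $_GET.
$samples = ['aa=3&bb=4&cd=100', 'bb=004', 'bb=101', 'bb=4%27x', 'bb[]=4', 'aa=3'];
foreach ($samples as $qs) {
    parse_str($qs, $query);
    $bb = get_small_int($query, 'bb');
    if ($bb === null) {
        echo htmlspecialchars("$qs => rejected", ENT_QUOTES, 'UTF-8'), "\n";
        continue;
    }
    $rows = find_rows($db, $bb);
    // Escape for HTML only at output time, and only once.
    echo htmlspecialchars("$qs => bb=$bb, " . count($rows) . " row(s)", ENT_QUOTES, 'UTF-8'), "\n";
}
```

The first two constructed samples are accepted as bb=4 and return two rows; the other four are rejected before any query is built.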