
how to protect $_GET["act"] - php ?


mekha

Recommended Posts

Hi guys, I have this link: xxxxxxx.com/form.php?act=add

How do I protect the $_GET["act"]? I tried:

$mysqli->real_escape_string($_GET["act"]);

and when I write xxxxxxx.com/form.php?act=add"""" there are problems in the page... I tried too:

mysql_real_escape_string($_GET["act"]);

and there are PHP errors... variables undefined... How can I protect $_GET["act"]?


this is my code:

$act = array('add', 'edit', 'delete');
if (isset($_GET['act']) && (in_array($_GET['act'], $act))) {
    $act = $mysqli->real_escape_string($_GET["act"]);
}

and the problem is :

( ! ) Notice: Undefined variable: foldpath in C:\wamp\www\ishort\folders\form.php on line 96

This problem happens only when I write the URL form.php?act=add' but if it is form.php?act=add there are no problems.


if ($act == "edit") {
    $folderid = (int)$_GET["id"];
    $sql2 = getfolderbyId();
    if ($result2 = $mysqli->prepare($sql2)) {
        $result2->bind_param("i", $folderid);
        $result2->execute();
        $result2->store_result();
        $rowsZ2 = $result2->num_rows;
    }
    if ($rowsZ2 > 0) {
        $row2 = fetch($result2);
    }
    $foldername = $row2[0]["fold_name"];
    $foldpath = $row2[0]["fold_path"];
    $foldpic = $row2[0]["fold_pic"];
}
if ($act == "add") {
    $foldername = "";
    $foldpath = "";
    $foldpic = "";
}


But if someone else (a moderator, for example) added the extra quote by mistake?... I need to protect this :S... For example: if the $_GET is a number, I use (int) before it, and the extra quote has no effect on the URL and the PHP code. So I need to protect strings too.


Using bind_param() already protects all data types. But if you're using an ordinary query, real_escape_string works. The problem is that you need to define "foldpath" outside of any if() conditions. Give it a default value.


It's probably more useful to give $act a default value. You set $act to be an array first, then check if $_GET['act'] is in that array, then set $act to be the value of $_GET['act'] if it's in the array. Use a different name for the array, and set $act to a default value like an empty string. This problem has nothing to do with quotes, the problem is that the value in $_GET['act'] is not in the array and your code fails to account for the case when $_GET['act'] is not one of the values in the array. You would see the same thing if $_GET['act'] was set to any other value not in the array, this doesn't only happen with quotes. You need to set a default value for $act and change your code to account for the case where $_GET['act'] is not in the list of accepted values.

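Putting the two answers above together, here is an added example (not code from the thread) of the whitelist-with-default pattern plus a prepared statement for the edit case. It assumes an open $mysqli connection and a table named `folders` with an `id` column (table and id column names are assumptions; the fold_name/fold_path/fold_pic columns come from the thread).

```php
<?php
// Added example: whitelist $_GET['act'] with a default, then handle each action.
// Assumes an open $mysqli connection and a table `folders` (assumed name) with
// columns id (assumed), fold_name, fold_path, fold_pic (names from the thread).

$allowedActions = array('add', 'edit', 'delete');   // whitelist, kept separate from $act

// Default to 'add' so $act is always one of the allowed values, whatever the URL says.
$act = 'add';
if (isset($_GET['act']) && in_array($_GET['act'], $allowedActions, true)) {
    $act = $_GET['act'];
}
// $act never reaches SQL, so no escaping is needed; a value such as add' or add""""
// is simply not in the list and falls back to the default.

// Defaults so every variable exists no matter which branch runs (fixes the
// "Undefined variable: foldpath" notice from the thread).
$foldername = '';
$foldpath   = '';
$foldpic    = '';

if ($act === 'edit') {
    // Cast the id to int exactly as the thread already does for numeric input.
    $folderid = isset($_GET['id']) ? (int) $_GET['id'] : 0;

    $stmt = $mysqli->prepare(
        'SELECT fold_name, fold_path, fold_pic FROM folders WHERE id = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('i', $folderid);   // bound as an integer, never interpolated
    $stmt->execute();
    $stmt->bind_result($foldername, $foldpath, $foldpic);
    // fetch() returns true for a row, null when there is none, false on error;
    // when no row matches, the empty defaults above are kept.
    $stmt->fetch();
    $stmt->close();
}

// 'add' and 'delete' fall through with the empty defaults; $foldpath is always defined.
```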
