I've used strip_tags, is there a better way to secure this query? the value will always be numeric,

It's being displayed like this http://www.somesite.com/listing.php?id=5
The id will always be a different number not always 5 depending on the listing

$sql = "SELECT * FROM listings where id=" . strip_tags($id) . "";

I found this a month or two ago:

addcslashes($id, "\x00\n\r\'\x1a\x3c\x3e\x25");

Can't remember what it prevents from being entered. Just recall that it was pretty secure when it comes to preventing SQL injection.

$Escaped = mysql_real_escape($String);

or

$Escaped = mysqli_real_escape($Connector, $String);

(Depending on connector used)

Either use the ingenious function like is_numeric() which checks if certain data (like an id in a url) is a number or use type-casting which will convert it to one no matter what.

Also, the mysql_real_escape_string() function was made for a reason.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.