Basically I have to create a website for this community project our class in school is doing. It is coded entirely in PHP and HTML because I hate writing JavaScript. To cut to the chase, there is a photo gallery and a semi-secret log-in that you can log into for a single session to upload pictures. The upload itself I believe is pretty secure.
But to the main point: the gallery uses GET to page through the pictures. Here is some sample code:
$glob = glob('images/thumb_*.jpg');   // entries look like 'images/thumb_2.jpg', extension included
$count = count($glob);
$pages = ceil($count / 16);           // must be known before it is compared against $page
$page = $_GET['page'];
if ($page == null) $page = 1;         // apply the default before validating, not after
if (preg_match('/[^0-9]/', $page) || ($page < 1) || ($page > $pages)) {
    echo 'Invalid operation on variable: PAGE';
    exit;
}
$c = ($page - 1) * 16;                // page 1 starts at index 0, not 16
for ($x = 0; $x < 4; ++$x) {
    echo '<tr>';
    for ($z = 0; $z < 4; ++$z) {
        if ($c < $count) {
            // strip the 13-character 'images/thumb_' prefix; the name already ends in .jpg
            $name = substr($glob[$c], 13);
            echo '<td width="25%" height="110"><a href="view.php?image=' . $name . '"><img src="' . $glob[$c] . '" height="110" /></a></td>';
        } else {
            echo '<td width="25%" height="110"></td>';   // pad out the last page
        }
        ++$c;
    }
    echo '</tr>';
}
Before you pounce on me for the 'what if it isn't set' thing: I will change that when I move this website into production. Basically it loads all of the picture names into an array, loops through them by page number and displays them in a table. I am doing it this way because when it is all said and done there won't be thousands of pictures. But how will the performance stack up when there are a couple hundred?
Point 2:
The SSO login is basically a form that posts to itself and then, if the form values are correct in regards to username and password, it creates a session and redirects to the upload page.
What would be the best way to sanitize those forms? I tried mysql_real_escape_string but the function doesn't exist. Can I just preg_replace all non-digit and non-letter characters out?
And one more thing: I use $_GET to display an image, like ?image=2.jpg.
What would be the best way to cleanse those? I tried Google, but I get a lot of outdated pages.
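As an added example that is not part of the question or the poster's code, here is one way to handle all three inputs (?page, the login form, and ?image) in PHP 7+. The missing mysql_real_escape_string is itself a hint: the mysql_* extension was removed in PHP 7.0, and its replacements (PDO, MySQLi) take bound parameters, so there is nothing to escape by hand. The function names, the images/ layout (thumb_N.jpg beside N.jpg), the users table and the demo credentials are assumptions; the demo uses an in-memory SQLite database through pdo_sqlite so it runs offline.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+, the pdo_sqlite extension
// for the offline demo, and an images/ directory holding thumb_N.jpg next to N.jpg.
declare(strict_types=1);

const PER_PAGE  = 16;
const IMAGE_DIR = __DIR__ . '/images';

// ?page=N -- validate, don't sanitize: either it is an integer in [1, $pages] or it is rejected.
function validate_page(?string $raw, int $pages): ?int
{
    if ($raw === null || $raw === '') {
        return 1;                                   // missing parameter: first page
    }
    $page = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => max(1, $pages)],
    ]);
    return $page === false ? null : $page;
}

// ?image=2.jpg -- allow-list the exact shape you generate, then check that the resolved
// path still sits inside IMAGE_DIR. The regex alone blocks "../../etc/passwd";
// realpath() is defence in depth (symlinks, unexpected files) and proves the file exists.
function validate_image(?string $raw): ?string
{
    if ($raw === null || !preg_match('/\A[0-9]{1,10}\.jpg\z/', $raw)) {
        return null;
    }
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $raw);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Login -- never strip characters from a password: that changes what the user typed
// and weakens it. Look the user up with a bound parameter (no escaping needed) and
// compare with password_verify() against a stored password_hash() value.
function check_login(PDO $db, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    // Length caps bound the hashing cost; no character filtering.
    if ($username === '' || strlen($username) > 64 || strlen($password) > 1024) {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // Unknown user: still run password_verify() on a dummy hash so the response time
    // does not reveal which usernames exist.
    if ($hash === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, (string) $hash);
}

// Called from the web handler after check_login() succeeds (not from the CLI demo).
function start_upload_session(): void
{
    session_start();
    session_regenerate_id(true);                    // fresh id: defeats session fixation
    $_SESSION['can_upload'] = true;
}

// --- offline demo with constructed data (assumed table and credentials) -----------
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'gallery', ':h' => password_hash('correct horse battery', PASSWORD_DEFAULT)]);

var_dump(validate_page('3', 5));
var_dump(validate_page('3 OR 1=1', 5));
var_dump(validate_page('../x', 5));
var_dump(validate_image('../view.php'));
var_dump(check_login($db, 'gallery', 'correct horse battery'));
var_dump(check_login($db, "gallery' OR '1'='1", 'anything'));
var_dump(check_login($db, 'gallery', 'wrong'));
```

The design choice behind all three helpers is the same: for values whose legal shape you already know (a page number, a file name you generated yourself), reject anything that does not match instead of trying to strip "bad" characters out; for the password, never alter it at all, because the comparison happens against a hash and the database only ever sees a bound parameter. If the login does not use a database, keep the stored value as a password_hash() string in a config file outside the web root and drop the PDO lookup; the password_verify() call stays the same.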