Protect from changing id=

I'm wondering if anyone can help me protect the following script from someone changing the id= and from any other type of MySQL injection. Thanks
<?php
	include "dbaptsConfig.php";
	include "searchaptsstyle.css";
	// test id, you need to replace this with whatever id you want the result from
	$id = $_GET['id'];

	// what you want to ask the db
	$query = "SELECT * FROM `apartments` WHERE `id` = $id";

	// actually asking the db ($ms is the connection link opened in dbaptsConfig.php)
	$res = mysql_query($query, $ms);

	// receiving the answer from the db (you can only use this line if there is always only one result, otherwise it will give an error)
	$result = mysql_fetch_assoc($res);

	// if you uncomment the next line it prints out the whole result as an array (prints out the image as weird characters)
	// print_r($result);

	// print out specific information (not the whole array)
	echo "<br/>";
	echo "<div id='title'><div align='center'>".$result['title']."<br/></div></div>";
	echo "<br/>";
	echo "<div id='description'><div align='center'>".$result['description']."<br /></div></div>";
	echo "<br/>";
	echo "<div id='table'><div align='left'><table><tr>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Provider's Phone Number: ".$result['phone']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Provider: ".$result['service']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Borough: ".$result['county']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Town: ".$result['town']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Bedrooms: ".$result['rooms']."</td>";
	echo "<td>&nbsp;&nbsp;&nbsp;</td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Bathrooms: ".$result['bath']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Square Footage: ".$result['square']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Rent: ".$result['rent']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Listed On: ".$result['time']."<br /></td>";
	echo "</tr></table>";
	echo "<br/>";
	echo "Click on Images to Enlarge";
	echo "</div></div>";
?>


genesisvh Asked:
Dave Baldwin (Fixer of Problems) Commented:
First thing is: what kind of variable is $id? If it is a number in a known range, then it can only be a certain size as a string. You can do simple things like
$id = substr($id, 0,5);
which eliminates all but the first 5 characters and then check the range with something like
if($id < 10 || $id > 99999) exit;

"mysql_real_escape_string" is good for more complicated data.  http://us2.php.net/manual/en/function.mysql-real-escape-string.php

genesisvh (Author) Commented:
$id is the unique id for the database and it's a number.

Could I just insert it like this

$id = $_GET['id'];
if($id < 10 || $id > 99999) exit;

Thanks.
Dave Baldwin (Fixer of Problems) Commented:
You could but it might just take the first thing that looks like a number to compare against and still leave a string after it that could compromise your database.  Remember that a ';' is the end of a statement in MySQL so if $id is a string like "11;DELETE FROM apartments;", it will erase all of the rows in your table.
p_nuts Commented:
With id it's fairly simple.

Check if it's an int.
Mostly I would escape the characters as pointed out in the first answer.

To check if it's an int, just use

if (is_int($var)) {
    echo "it is an int";
} else {
    echo "not int";
}
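One way to do what Dave and p_nuts describe, added here as an example rather than code from the question or from any of the answers: validate the id as an integer in the expected range, then hand it to MySQL as a bound parameter instead of pasting it into the query text. It assumes mysqli with the mysqlnd driver on PHP 7.4 or later; the connection values are placeholders for whatever the question's dbaptsConfig.php holds.

```php
<?php
// Added example: not the asker's script nor any answer's code. It combines the
// numeric range check from Dave's answer with a real integer check and a
// mysqli prepared statement (the mysql_* functions are removed in modern PHP).
// Table and column names come from the question; connection details are placeholders.

// $_GET values arrive as strings, so is_int($_GET['id']) is false even for "11".
// ctype_digit() plus FILTER_VALIDATE_INT accepts only a plain integer in range.
function validateId($raw, int $min = 10, int $max = 99999): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null; // rejects "11;DELETE FROM apartments;" and the empty string
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $id === false ? null : $id;
}

$id = validateId($_GET['id'] ?? '');
if ($id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// Placeholder credentials; the question's dbaptsConfig.php would supply these.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

// The id is bound as a parameter and sent separately from the SQL text, so its
// value can never alter the statement. This is the real protection; the
// validation above only fails fast with a clean error.
$stmt = $db->prepare('SELECT * FROM `apartments` WHERE `id` = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$result = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($result === null) {
    http_response_code(404);
    exit('No such apartment');
}

// Escape every database value before placing it in HTML.
$h = fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
echo "<div id='title'>" . $h($result['title']) . "</div>";
echo "<div id='description'>" . $h($result['description']) . "</div>";
echo "<p>Rent: " . $h($result['rent']) . ", Bedrooms: " . $h($result['rooms']) . "</p>";
```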
Lukasz Chmielewski Commented:
What Dave said is true, but fortunately mysql does not allow running two queries in one go.
I think that there is no 100% way of doing this, because the user can just "shoot" at an existing id in the GET variable and retrieve the data.
genesisvh (Author) Commented:
I have to split the points, but all these answers are great. Thanks.