php code to make it secure

How can I make this code more secure to prevent SQL injection?
<?php
 
    $db = mysql_connect("localhost","root","$$sshhh...!");
    mysql_select_db("Shipping",$db);
    $id = $HTTP_GET_VARS["id"];
    $qry = "SELECT ccnum FROM cust WHERE id =%$id%";
    $result = mysql_query($qry,$db);
    if ($result) {
        echo mysql_result($result,0,"ccnum");
    } else {
        echo "No result! " . mysql_error();
    }
?>

I am trying to add validation for id.
Is it enough, or do I need to do something else?

<?php

    $db = mysql_connect("localhost","root","$$sshhh...!");
    mysql_select_db("Shipping",$db);
    $id = $HTTP_GET_VARS["id"];
    if (is_int($id)) {
        $qry = "SELECT ccnum FROM cust WHERE id =%$id%";
        $result = mysql_query($qry,$db);
        if ($result) {
            echo mysql_result($result,0,"ccnum");
        } else {
            echo "No result! " . mysql_error();
        }
    }
?>
YUYU asked:

 
hernst42 commented:
See http://www.php.net/mysql_real_escape_string
Pass all content from $_GET, $_POST, $_REQUEST, $_COOKIE through mysql_real_escape_string before using it inside the SQL statement.
0

 
Aaron Tomosky (SD-WAN Simplified) commented:
Is_int will do a good job of preventing anything bad from happening. When you need to pass strings there are other functions like Stripslashes and htmldecode and many others. Here is a nice little writeup from php.net:
http://php.net/manual/en/security.database.sql-injection.php
0
 
Ray Paseur commented:
The simple mantra is "Accept only known good values."  Think you got an email address?  Use filter_var() and test to see if it is routable.  Think you got a postal address?  Try to secure the geocode information from one of the Yahoo or Google mapping tools.  Think you have a ZIP code or a telephone number?  There are good ways to test.  Use all of these tests, then escape the code with mysql_real_escape_string() and you will likely be safe.
0
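The "accept only known good values" approach applied to the question's own lookup, as an added example that is not code from the asker or any of the commenters above. It assumes the Shipping database and the cust table with its id and ccnum columns from the question, uses the mysqli extension in place of the removed mysql_* functions, and binds the value as a parameter instead of escaping it with mysql_real_escape_string; the DB_USER and DB_PASS environment variables are assumed.

```php
<?php
// Added example (not from the question or any answer above): validate the
// id as an integer, then bind it as a parameter so it never becomes SQL text.
// Assumes the Shipping database, the cust table and its id/ccnum columns from
// the question; mysqli replaces the removed mysql_* functions.

function lookupCcnum(mysqli $db, $rawId): ?string
{
    // $_GET values are always strings, so is_int() would reject even "42".
    // FILTER_VALIDATE_INT returns the integer, or false for anything else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        return null; // reject unknown values; do not try to "clean" them
    }

    // Prepared statement: the query text is fixed, the value travels separately.
    $stmt = $db->prepare('SELECT ccnum FROM cust WHERE id = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($ccnum);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? $ccnum : null;
}

// Credentials come from the environment (assumed variable names), not the source file.
$db = new mysqli('localhost', getenv('DB_USER'), getenv('DB_PASS'), 'Shipping');
if ($db->connect_error) {
    // Log the detail server-side; never echo database errors to the client.
    error_log('DB connect failed: ' . $db->connect_error);
    exit('Service unavailable');
}

$ccnum = lookupCcnum($db, $_GET['id'] ?? '');
echo $ccnum === null ? 'No result!' : htmlspecialchars($ccnum, ENT_QUOTES, 'UTF-8');
```

A request such as `?id=1 OR 1=1` now returns "No result!" from the validation step alone, and even an id that passes validation can only ever be compared as an integer by the database.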
 
Mohamed Abowarda (Software Engineer) commented:
0