I am a PHP security noob. I have two things on my website where I query my database (that only contains information about the pages that make up my website, such as title, keywords, ...).
a) I dynamically create the menus. I pass a variable via the url and then scoop it up and use it in a query, like so:
User clicks on subpage.php?someid=12
I query the database:
```php
if (isset($_GET["someid"])) {
    // matches if the value contains a digit anywhere (pattern is not anchored)
    if (preg_match('/[0-9]+/', $_GET["someid"])) {
        $input = mysqli_real_escape_string($connect, $_GET["someid"]);
        $sql_3 = "SELECT link, title FROM pages WHERE parent_page = " . $input;
    }
}
```
Is this safe enough?
b) I have a little keyword search. My database table contains a text-field with keywords. The user can enter a couple of keywords into an input field and then I query the database:
```php
if (isset($_POST["keywords"])) {
    // allow only words made of letters, digits and hyphens, separated by whitespace
    if (preg_match('/^([a-zA-Z\-0-9]+(?:\s|$))+$/', $_POST["keywords"])) {
        $input = mysqli_real_escape_string($connect, $_POST["keywords"]);
        $sql_8 = 'SELECT id FROM pages WHERE match(keywords) against ("' . $input . '")';
    }
}
```
Is this safe enough?
Thanks for tips and help!
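Added example, not the asker's code: both queries from (a) and (b) rewritten with mysqli prepared statements, which is the standard way to keep user input out of the SQL text. It assumes `$connect` is the asker's `mysqli` connection object and that `get_result()` (mysqlnd driver) is available; the pattern in (a) is anchored here so the whole value must be digits rather than merely containing one.

```php
<?php
// Added example, not the asker's code: the two queries from the question
// rewritten with mysqli prepared statements. Assumes $connect is the asker's
// mysqli connection object and that get_result() (mysqlnd driver) is available.

// Make mysqli throw exceptions instead of silently returning false on errors.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// (a) Menu query. The pattern is anchored, so the whole value must be digits,
// and the number is bound as an integer parameter rather than pasted into SQL.
function childPages(mysqli $connect, string $rawId): array
{
    if (!preg_match('/^[0-9]+$/', $rawId)) {
        return [];                       // reject anything that is not a plain number
    }
    $id = (int) $rawId;
    $stmt = $connect->prepare('SELECT link, title FROM pages WHERE parent_page = ?');
    $stmt->bind_param('i', $id);         // 'i' = integer parameter
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// (b) Keyword search. The allow-list regex from the question is kept as a
// sanity check; the string itself goes in as a bound parameter, so quotes or
// other characters in it can never change the statement.
function searchPages(mysqli $connect, string $keywords): array
{
    if (!preg_match('/^([a-zA-Z\-0-9]+(?:\s|$))+$/', $keywords)) {
        return [];
    }
    $stmt = $connect->prepare('SELECT id FROM pages WHERE MATCH(keywords) AGAINST (?)');
    $stmt->bind_param('s', $keywords);   // 's' = string parameter
    $stmt->execute();
    return array_column($stmt->get_result()->fetch_all(MYSQLI_ASSOC), 'id');
}

// Usage with the request values from the question (missing keys become '').
$menu  = childPages($connect, $_GET['someid'] ?? '');
$found = searchPages($connect, $_POST['keywords'] ?? '');
```

With the values bound this way, `mysqli_real_escape_string` is no longer needed for either query; the regex checks remain useful only as input validation, not as the protection against injection.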