Filtering/typecasting data: when to do this?

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.


Technical
Forum Commoner
Posts: 81
Joined: Thu Dec 02, 2010 5:30 am

Filtering/typecasting data: when to do this?

Post by Technical »

Filters can really slow down performance, so it's very important to know when to use them.

Should I filter data that is (excluding HTTP-received data, of course, which I always filter):

1) Received from database
2) Passed as function arguments
3) Going to be saved into database
4) Received from objects
5) Going to be displayed to user
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Re: Filtering/typecasting data: when to do this?

Post by Jenk »

3 and 5.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Filtering/typecasting data: when to do this?

Post by VladSun »

I have a simple rule - every time data has to be put into a different "media" (e.g. DB, file, HTML display, XML display, etc.; I call it the "target context"), an appropriate filtering/escaping/whatever-you-call-it should be done (best case - with a tool provided by the "media" itself, like *sql_real_escape, htmlentities, etc.).
There are 10 types of people in this world, those who understand binary and those who don't
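Added example (not from any post in this thread): one untrusted string pushed through several "target contexts", each with the tool that context itself provides. The table, the sample input and the field names are constructed for illustration; it assumes PHP 7.3+ with the pdo_sqlite extension so it runs offline.

```php
<?php
// Added example, not from the thread: the same untrusted string escaped for
// each target context with that context's own tool. Assumes pdo_sqlite;
// the table and the sample input are constructed here.
declare(strict_types=1);

// Constructed sample: what a user might type into a "display name" field.
$untrusted = "O'Reilly <script>alert(1)</script> & \"friends\"";

// Context 1: SQL. A prepared statement keeps the value out of the SQL text
// entirely, so there is nothing to escape by hand.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $untrusted]);

// Read it back: the stored value is the original string, quote and all.
// Nothing was "pre-escaped" for HTML before storing; that happens at output.
$name = $db->query('SELECT name FROM users WHERE id = 1')->fetchColumn();
assert($name === $untrusted);

// Context 2: HTML body. Escape when the data becomes HTML, not before.
$html = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "<p>$html</p>\n";

// Context 3: HTML attribute. Same function, but the attribute must be quoted;
// ENT_QUOTES matters here because a bare ' would end a single-quoted attribute.
echo '<input type="text" value="' . $html . '">' . "\n";

// Context 4: URL query string. Percent-encoding, which is a different rule set
// from HTML encoding; reusing $html here would be wrong.
echo '/search?q=' . rawurlencode($name) . "\n";

// Context 5: JSON embedded in a <script> block. json_encode handles JSON
// quoting; the JSON_HEX_* flags keep a literal "</script>" in the data from
// terminating the script element early.
$json = json_encode(
    ['name' => $name],
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
);
echo "<script>var user = $json;</script>\n";
```

The point the rule makes is visible in the code: the value is stored once, unchanged, and each consumer applies its own encoding at the moment the data crosses into that consumer. Escaping for HTML before the INSERT would corrupt the stored value for every other context (the JSON and URL outputs would carry `&#039;` literally).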
Technical
Forum Commoner
Posts: 81
Joined: Thu Dec 02, 2010 5:30 am

Re: Filtering/typecasting data: when to do this?

Post by Technical »

Thanks for the replies.

Should I typecast data received from database?
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Filtering/typecasting data: when to do this?

Post by matthijs »

The most important thing is that you understand why data needs to be filtered/escaped in each change of context. For example, if you have a user-submitted string of text, that can contain quotes ( ' ) which can break (intentionally or not) the SQL queries you run. So you escape them on putting them in the DB.

Or a string of text, being retrieved from a db and shown in HTML. So the context becomes HTML, which means some things are/can be suddenly dangerous/unwanted. So you html escape or filter out unwanted HTML.

An important thing is to define correctly and make the distinction between filtering, validating and escaping. Those terms are often used wrongly or differently. In my definition, with filtering, you remove/change something. With escaping, you don't do that. You only make sure some data cannot cause problems when changing context (like when you use mysql_real_escape_string).
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Filtering/typecasting data: when to do this?

Post by VladSun »

Technical wrote:Should I typecast data received from database?
Well, even if DB "driver" supports PHP types, a "nullable" column value will break it.
There are 10 types of people in this world, those who understand binary and those who don't
Technical
Forum Commoner
Posts: 81
Joined: Thu Dec 02, 2010 5:30 am

Re: Filtering/typecasting data: when to do this?

Post by Technical »

VladSun wrote:
Technical wrote:Should I typecast data received from database?
Well, even if DB "driver" supports PHP types, a "nullable" column value will break it.
Sorry, my mistake.
I just found a strange thing: SQLite allows you to store a string in an integer column if it's not a primary key. So that forced me to put intval() in my code to ensure I'll work with a numeric value.
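Added example (not from any post in this thread) covering both VladSun's nullable-column point and the SQLite observation above: because of SQLite's column affinity a non-numeric string can sit in an INTEGER column, and a nullable column can hold NULL. intval() maps both to 0, which hides the problem; a strict reader keeps NULL as NULL and refuses garbage. The table, rows and the readInt() helper are constructed for illustration; it assumes PHP 8.0+ with pdo_sqlite.

```php
<?php
// Added example, not from the thread: reading an INTEGER column from SQLite
// where the stored value may be an int, NULL, or (thanks to affinity) text.
// Assumes pdo_sqlite; the table, rows and readInt() are constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, qty INTEGER)');
// SQLite accepts all of these into an INTEGER column; only 7 is actually an integer.
$db->exec("INSERT INTO orders (qty) VALUES (7), (NULL), ('abc'), ('12abc')");

/**
 * Read an integer column strictly: NULL stays NULL (it is not zero), an integer
 * is returned as int, and anything else is an error instead of silently 0.
 */
function readInt(mixed $value, string $column): ?int
{
    if ($value === null) {
        return null;
    }
    if (is_int($value)) {
        return $value;
    }
    // Older PDO builds return every column as a string; accept only a pure integer.
    if (is_string($value) && preg_match('/^-?\d+$/', $value) === 1) {
        return (int) $value;
    }
    throw new UnexpectedValueException(
        "column $column holds non-integer value " . var_export($value, true)
    );
}

foreach ($db->query('SELECT id, qty FROM orders') as $row) {
    $loose = intval($row['qty']);   // NULL and 'abc' both become 0, '12abc' becomes 12
    try {
        $strict = readInt($row['qty'], 'qty');
        echo "id {$row['id']}: intval=$loose strict=" . var_export($strict, true) . "\n";
    } catch (UnexpectedValueException $e) {
        echo "id {$row['id']}: intval=$loose strict=ERROR ({$e->getMessage()})\n";
    }
}
```

The distinction matters downstream: a quantity of NULL ("not entered") and a quantity of 0 ("zero items") are different facts, and a row whose qty is 'abc' is a data-integrity bug that intval() would quietly paper over. A CHECK constraint or a strict typed schema on the database side is the complementary fix; the reader above is the application-side guard.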
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Filtering/typecasting data: when to do this?

Post by josh »

If a user input field should only contain numeric data, it should be filtered upon the form submission, and rejected if it doesn't validate (giving the user the opportunity to replace the value with a valid one)
Technical
Forum Commoner
Posts: 81
Joined: Thu Dec 02, 2010 5:30 am

Re: Filtering/typecasting data: when to do this?

Post by Technical »

josh wrote:If a user input field should only contain numeric data, it should be filtered upon the form submission, and rejected if it doesn't validate (giving the user the opportunity to replace the value with a valid one)
Yes, as I've stated, I always filter HTTP-received data.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Filtering/typecasting data: when to do this?

Post by Christopher »

I don't filter for any of your five points.

I think my rule is: filter data that comes from an external source (e.g. HTTP Request or data feed) and escape data that goes to an external source (e.g. database or HTTP Response).
(#10850)
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Filtering/typecasting data: when to do this?

Post by josh »

@Technical Filtering is the process of altering or changing data, for example escaping quotes. It is no substitute for validating your data!! (I even mixed up the two terms in my last post, just setting the record straight). You should always filter+validate your data.
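Added example (not from any post in this thread) of the "validate and reject at form submission" rule from the two posts above: a numeric field is checked with filter_var() at the HTTP boundary and refused if it does not validate, with the original value echoed back (HTML-escaped) so the user can correct it. The contrast with a bare (int) cast shows why filtering is no substitute for validating. The field name, range and sample submissions are constructed for illustration; it assumes PHP 7.1+.

```php
<?php
// Added example, not from the thread: validate a numeric form field at the
// HTTP boundary and reject it rather than silently coercing it.
// The field name, range and sample submissions are assumptions for illustration.
declare(strict_types=1);

/**
 * Return the submitted quantity as an int, or null if it is not acceptable.
 * Validation answers "is this valid?"; it does not alter the data.
 */
function validateQuantity(array $post, string $field = 'qty'): ?int
{
    // Missing, or sent as qty[]=... (an array) instead of a scalar.
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    $value = filter_var($post[$field], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000],
    ]);
    return $value === false ? null : $value;
}

// Constructed sample submissions, as $_POST would deliver them.
$samples = [
    ['qty' => '12'],        // valid
    ['qty' => '12abc'],     // (int) cast would silently give 12
    ['qty' => '0'],         // integer, but outside the allowed range
    ['qty' => '-5'],        // negative
    ['qty' => '99999'],     // too large
    ['qty' => ['1', '2']],  // array smuggled in via qty[]
    [],                     // field absent
];

foreach ($samples as $post) {
    $qty = validateQuantity($post);
    $raw = isset($post['qty']) && is_string($post['qty']) ? $post['qty'] : '';
    if ($qty === null) {
        // Reject: re-show the field with the original value (escaped for the
        // HTML attribute context) and an error, so the user can fix it.
        $shown = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
        echo "rejected: <input name=\"qty\" value=\"$shown\"> quantity must be 1-1000\n";
    } else {
        // Accepted: $qty is a real int within range; nothing downstream needs intval().
        echo "accepted: $qty (a bare (int) cast would have given " . (int) $raw . ")\n";
    }
}
```

Note the order of operations: validation decides whether the request proceeds at all; the htmlspecialchars() call in the rejection branch is escaping for the response context and is applied whether or not the value validated, because even a rejected value gets rendered back into HTML.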
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Filtering/typecasting data: when to do this?

Post by Christopher »

I didn't get into validation because it was not part of the topic -- it is also important. Both filtering and escaping are names for altering/changing data. But those words are used for different things and @technical nitpicking just muddies those useful meanings.
(#10850)
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Filtering/typecasting data: when to do this?

Post by matthijs »

My definitions of the three are

Code:

// Filter something:
$x = 'abc123';
$y = filter($x);
// $y is 'abc'; the result is that unwanted stuff is filtered out

Code:

// Validate something
$x = 'abc123';
$y = validate($x);
// $y is bool true/false; the result is a yes/no answer to the question "Is this piece of data valid?"

Code:

// Escape something
$x = "O'reilly";
$y = escape($x);
$db->insert($y);
// $y is now inside the database as O'reilly, but the quote didn't cause any problems

Or in case something is output as HTML:

Code:

$x = 'some & thing';
$y = htmlentities($x);
echo $y; // outputs 'some &amp; thing' in the source, but 'some & thing' is displayed to the user
Technical
Forum Commoner
Posts: 81
Joined: Thu Dec 02, 2010 5:30 am

Re: Filtering/typecasting data: when to do this?

Post by Technical »

Okay, okay, it seems that the discussion went the wrong way.
I'm not asking how to filter/validate, I'm asking what data I should filter/validate. Look at the first post, I wrote a list of options.

My second question was about forced typecasting. I meant, should I use intval(), floatval(), strval() on variables passed as function arguments, database-received rows, etc.? Does it hurt performance much?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Filtering/typecasting data: when to do this?

Post by VladSun »

Why would you need this? PHP is a "typeless" language. Elaborate please :)
There are 10 types of people in this world, those who understand binary and those who don't