Filtering/typecasting data: when to do this?
Filters can really slow down performance, so it's very important to know when to use them.
Should I filter data that (excluding HTTP-received data of course, which I always filter):
1) Received from database
2) Passed as function arguments
3) Going to be saved into database
4) Received from objects
5) Going to be displayed to user
Re: Filtering/typecasting data: when to do this?
I have a simple rule - every time data has to be put into a different "media" (e.g. DB, file, HTML display, XML display, etc.) (I call it "target context") an appropriate (best case - a tool provided by the "media" itself like *sql_real_escape, htmlentities, etc.) filtering/escaping/whatever-you-call-it should be done.
There are 10 types of people in this world, those who understand binary and those who don't
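As an added example of the rule above (this is not VladSun's code), the same untrusted string is handed to five different target contexts, and each one gets the escaping that the target itself defines. It uses an in-memory SQLite database through PDO so it runs wherever pdo_sqlite is available; the host example.invalid and the sample string are placeholders constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example: one untrusted value, escaped separately for each "target
// context" it is delivered into. The input string is constructed for the demo.

$untrusted = "O'Reilly <script>alert(1)</script> & \"co\"";

// 1. SQL context: do not escape by hand at all; bind the value as a parameter
//    so the driver keeps data and query text apart. In-memory SQLite for the demo.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE names (name TEXT)');
$stmt = $db->prepare('INSERT INTO names (name) VALUES (:name)');
$stmt->execute([':name' => $untrusted]);

// The quote and angle brackets are stored unchanged: binding does not alter data.
$stored = $db->query('SELECT name FROM names')->fetchColumn();
assert($stored === $untrusted);

// 2. HTML body context: entity-encode the characters HTML treats as markup.
$html = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
// O&#039;Reilly &lt;script&gt;alert(1)&lt;/script&gt; &amp; &quot;co&quot;
echo '<p>', $html, "</p>\n";

// 3. HTML attribute context: same encoder, but the attribute value must be
//    quoted, otherwise the first space in the data ends the attribute.
echo '<input type="text" value="', $html, "\">\n";

// 4. JavaScript context: json_encode yields a valid JS string literal; the HEX
//    flags keep "</script>" inside the data from closing an inline script block.
$js = json_encode($stored, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
echo '<script>var name = ', $js, ";</script>\n";

// 5. URL query context: percent-encode for the query string first, then encode
//    the finished URL for the HTML attribute it lands in (two contexts, inner first).
$url = 'https://example.invalid/search?q=' . rawurlencode($stored);   // placeholder host
echo '<a href="', htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\">link</a>\n";
```

The point to take from the five steps is that the escaping is chosen by where the data is going, not by where it came from, and that the value in the database is never escaped at all: parameter binding replaces the `*_real_escape_string` step entirely.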
Re: Filtering/typecasting data: when to do this?
Thanks for the replies.
Should I typecast data received from database?
Re: Filtering/typecasting data: when to do this?
The most important thing is that you understand why data needs to be filtered/escaped in each change of context. For example, if you have a user submitted string of text. That can contain quotes ( ' ) which can break (intentionally or not) the sql queries you run. So you escape them on putting them in the db.
Or a string of text, being retrieved from a db and shown in HTML. So the context becomes HTML, which means some things are/can be suddenly dangerous/unwanted. So you html escape or filter out unwanted HTML.
An important thing is to define correctly and make the distinction between filtering, validating and escaping. Those terms are often used wrongly or differently. In my definition, with filtering, you remove/change something. With escaping, you don't do that. You only make sure some data cannot cause problems when changing context (like when you use mysql_real_escape_string).
Re: Filtering/typecasting data: when to do this?
Technical wrote:
    Should I typecast data received from database?

Well, even if the DB "driver" supports PHP types, a "nullable" column value will break it.
Re: Filtering/typecasting data: when to do this?
VladSun wrote:
    Technical wrote:
        Should I typecast data received from database?
    Well, even if the DB "driver" supports PHP types, a "nullable" column value will break it.

Sorry, my mistake.
I just found a strange thing: SQLite allows you to store a string in an integer column if it's not a primary key. So that forced me to put intval() in my code to ensure I'll work with a numeric value.
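The two observations above (a nullable column defeats a blind cast, and SQLite stores a string in an INTEGER column unless it is the primary key) can both be reproduced with an in-memory database. The following is an added example, not code from VladSun or Technical; the table, the column names and the helper qtyFromRow() are assumptions for the demo.

```php
<?php
declare(strict_types=1);
// Added example: what SQLite actually keeps in an INTEGER column, and how to
// typecast a fetched value without turning NULL and garbage into 0.

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, qty INTEGER, note TEXT)');

// INTEGER PRIMARY KEY is an alias for the rowid, and that one is enforced.
try {
    $db->exec("INSERT INTO items (id, qty) VALUES ('abc', 1)");
} catch (PDOException $e) {
    echo "id rejected: ", $e->getMessage(), "\n";     // "datatype mismatch"
}

// An ordinary INTEGER column only has integer *affinity*: numeric-looking text
// is converted, anything else is stored as given, and NULL stays NULL.
$ins = $db->prepare('INSERT INTO items (qty, note) VALUES (:qty, :note)');
$ins->execute([':qty' => '42',    ':note' => 'numeric text, becomes integer 42']);
$ins->execute([':qty' => 'seven', ':note' => 'non-numeric text, stored as text']);
$ins->execute([':qty' => null,    ':note' => 'NULL in a nullable column']);

// typeof() is evaluated by SQLite itself, so it shows the storage class
// regardless of how the PDO driver hands the value to PHP.
$rows = $db->query('SELECT qty, typeof(qty) AS t, note FROM items')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $r) {
    printf("%-8s %-8s %s\n", var_export($r['qty'], true), $r['t'], $r['note']);
}

/**
 * Typecast a fetched qty. (int)'seven' === 0 and (int)null === 0 would make
 * all three rows indistinguishable; this keeps NULL and refuses garbage.
 */
function qtyFromRow(array $row): ?int
{
    if ($row['qty'] === null) {
        return null;                                   // unknown, not zero
    }
    $v = filter_var($row['qty'], FILTER_VALIDATE_INT);  // accepts int or integer string
    if ($v === false) {
        throw new UnexpectedValueException('qty column holds a non-integer: ' . var_export($row['qty'], true));
    }
    return $v;
}

foreach ($rows as $r) {
    try {
        printf("%s -> %s\n", $r['note'], var_export(qtyFromRow($r), true));
    } catch (UnexpectedValueException $e) {
        echo $r['note'], " -> ", $e->getMessage(), "\n";
    }
}
```

The cast itself costs nothing measurable; the expensive part is deciding what a NULL or a non-numeric value means for the caller, which is why the helper returns null for one and throws for the other instead of quietly producing 0.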
Re: Filtering/typecasting data: when to do this?
If a user input field should only contain numeric data, it should be filtered upon the form submission, and rejected if it doesn't validate (giving the user the opportunity to replace the value with a valid one)
Re: Filtering/typecasting data: when to do this?
josh wrote:
    If a user input field should only contain numeric data, it should be filtered upon the form submission, and rejected if it doesn't validate (giving the user the opportunity to replace the value with a valid one)

Yes, as I've stated, I always filter HTTP-received data.
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: Filtering/typecasting data: when to do this?
I don't filter for any of your five points.
I think my rule is: filter data that comes from an external source (e.g. HTTP Request or data feed) and escape data that goes to an external source (e.g. database or HTTP Response).
Re: Filtering/typecasting data: when to do this?
@Technical Filtering is the process of altering or changing data, for example escaping quotes. It is no substitute for validating your data!! (I even mixed up the two terms in my last post, just setting the record straight). You should always filter+validate your data.
Re: Filtering/typecasting data: when to do this?
I didn't get into validation because it was not part of the topic -- it is also important. Both filtering and escaping are names for altering/changing data. But those words are used for different things and @technical nitpicking just muddies those useful meanings.
Re: Filtering/typecasting data: when to do this?
My definitions of the three are
Code:
    // Filter something:
    $x = 'abc123';
    $y = filter($x);
    // $y is 'abc'; the result is that unwanted stuff is filtered out

Code:
    // Validate something
    $x = 'abc123';
    $y = validate($x);
    // $y is bool true/false; the result is a yes/no answer to the question "Is this piece of data valid?"

Code:
    // Escape something
    $x = "O'reilly";
    $y = escape($x);
    $db->insert($y);
    // $y is now inside the database as O'reilly, but the quote didn't cause any problems

Code:
    // Or in case something is output as HTML
    $x = 'some & thing';
    $y = htmlentities($x);
    echo $y; // outputs 'some &amp; thing' in the source, but 'some & thing' is displayed to the user
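The three definitions above, and josh's point that a numeric form field should be validated and rejected rather than coerced, can be made concrete. This is an added example, not the poster's code: the "letters only" filter rule, the quantity range 1..1000 and the function names are assumptions for the demo, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);
// Added example: filter (change the data), validate (yes/no, data untouched)
// and escape (keep the data, neutralise it for one context), side by side.

/** Filter: lossy by design; whatever is not wanted is gone for good. */
function filterLetters(string $s): string
{
    return preg_replace('/[^a-z]/i', '', $s) ?? '';
}

/** Validate: a bool answer, nothing altered. Here: an integer in 1..1000. */
function validateQuantity(string $s): bool
{
    $v = filter_var($s, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000],
    ]);
    return $v !== false;
}

/** Escape: the value survives intact, but cannot be read as HTML markup. */
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Filtering: 'abc123' -> 'abc'.
$filtered = filterLetters('abc123');
assert($filtered === 'abc');
echo "filter:   ", $filtered, "\n";

// Validating: compare the bool with what intval() would have silently produced
// for the same raw strings. Rejecting is the only way to send the user back to
// the form; coercion just invents a value. (A list of pairs rather than an
// associative array, because PHP turns the keys '12' and '0' into integers.)
$cases = [['12', true], ['12abc', false], ['1e3', false], ['0', false], ['5000', false]];
foreach ($cases as [$raw, $expected]) {
    $ok = validateQuantity($raw);
    printf("validate: %-6s valid=%-3s intval()=%d\n", $raw, $ok ? 'yes' : 'no', intval($raw));
    assert($ok === $expected);
}

// Escaping: the page source carries &amp;, the browser renders a plain &.
$escaped = escapeHtml('some & thing');
assert($escaped === 'some &amp; thing');
echo "escape:   ", $escaped, "\n";
```

The same separation answers the original question: validation belongs at the boundary where the data enters (the form handler), escaping belongs at the boundary where it leaves (the HTML output, or a bound parameter for the database), and nothing in between needs to touch the value again.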
Re: Filtering/typecasting data: when to do this?
Okay, okay, seems that discussion went wrong way.
I'm not asking how to filter/validate, I'm asking what data should I filter/validate. Look at the first post, I wrote a list of options.
My second question was about forced typecasting. I meant, should I use intval(), floatval(), strval() on variables passed as function arguments, database received rows and etc.? Does it hurt performance much?
Re: Filtering/typecasting data: when to do this?
Why would you need this? PHP is a "typeless" language. Elaborate, please.