Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I created a function to verify user input to avoid injection. This input adds an item to a cart. Due to the way the catalog is set up, I am evaluating a 2D array. The interior arrays only contain one item each. The items contained in each interior array are what will be evaluated. That is where the user input is stored and it should only be positive unsigned integers or strings of integers.
My question is, can you see any exploitable weaknesses in this function?
Look ok, though your are using a foreach but only looping through once. Is that because you don't know the key? And you are assigning to $product but it appears to be a local variable?
Alright, I see what you are saying. I shifted some things around.
I am more concerned about the risk of injection than anything at this particular moment. I am still trouble shooting my code and am wondering if this method of checking it is sufficient to protect my client from a malicious attack from a particular user input field.
You can do the same thing with regular expressions. I prefer them. You can easily check any set of characters you want to allow and all the check or just regex character sets.
Regular expressions are great and all but when there's a built-in function that does exactly what you need then it's better to use that. Regexes are expensive.
Also consider that the largest 32-bit unsigned integer is 4294967295 (10 characters), and the largest 64-bit unsigned integer is 18446744073709551615 (20 characters). (See also: MySQL Integer Types)