Now I'm curious

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Now I'm curious

Post by alex.barylski »

For years now, when securing simple numeric types before sending them to the database, all I've done is simply use an explicit cast using (int) or (float).

i.e.:

Code:

$my_int = (int)$_GET['my_int'];

A cast, I figure, should return ZERO if my_int is anything other than an integer or float.

I've tried:

Code:

$test = 'm123';
$my_int = (int)$test;

It should yield ZERO...

So the way I see it explicit casting should be a safe way to sterilize numeric input from users...

Any objections, comments, etc...?

Cheers :)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

When interacting with a database, all inputs should be escaped, no matter what. Let's say you accidentally forget to cast something; that's a large hole that can very easily be exploited. If you escape all inputs, you won't forget something (provided you do it correctly), such as by using array_map().
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Another way to do this is always use bind SQL, which PEAR DB and ADOdb offer. Basically, you never go "SELECT `users` WHERE id = $id", instead, you write "SELECT `users` WHERE id = ?", pass the value of the question mark via another parameter and the database library automatically escapes it for you.
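As an added example (not code from this thread or either poster), the block below puts the (int) cast from the first post next to filter_var() validation and the bound-parameter approach from the last post. The users table and the in-memory SQLite database are assumed for the demonstration.

```php
<?php
// Added example, not from the thread. Compares a bare (int) cast with proper
// validation, then uses the validated value as a bound parameter via PDO.

function cast_int(string $raw): int {
    // (int) keeps leading digits: 'm123' -> 0, but '123abc' -> 123.
    return (int)$raw;
}

function validate_int(string $raw): ?int {
    // FILTER_VALIDATE_INT accepts only a whole integer: 'm123' and '123abc' -> null.
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

function fetch_user(PDO $db, string $raw_id): ?array {
    $id = validate_int($raw_id);
    if ($id === null) {
        return null; // reject the request instead of silently querying for id 0
    }
    // Table and column names are assumed for this example.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT); // value is bound, never interpolated
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (123, 'bob')");

foreach (['42', 'm123', '123abc'] as $input) {
    printf("%-8s cast=%-4d validated=%s\n", $input, cast_int($input),
        var_export(validate_int($input), true));
}
var_dump(fetch_user($db, '123'));    // row for bob
var_dump(fetch_user($db, '123abc')); // NULL: rejected before any SQL runs
```

The loop shows the caveat behind the first post: the cast never throws, but it turns '123abc' into 123 rather than 0, which is why validation plus a bound parameter is the safer combination.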