
Now I'm curious

Posted: Sun Oct 16, 2005 1:09 pm
by alex.barylski
For years now, when securing simple numeric types before sending them to the database, all I've done is simply use an explicit cast using (int) or (float)

ie:

Code:

$my_int = (int)$_GET['my_int'];
A cast, I figure, should return ZERO if my_int is anything other than an integer or float.

I've tried:

Code:

$test = 'm123';
$my_int = (int)$test;
It should yield ZERO...

So the way I see it explicit casting should be a safe way to sterilize numeric input from users...

Any objections, comments, etc...?

Cheers :)

Posted: Sun Oct 16, 2005 1:16 pm
by feyd
When interacting with a database, all inputs should be escaped, no matter what. Let's say you accidentally forget to cast something; that's a large hole that can very easily be exploited. If you escape all inputs, you won't forget something (provided you do it correctly), such as using array_map().

Posted: Sun Oct 16, 2005 5:33 pm
by Ambush Commander
Another way to do this is to always use bind SQL, which PEAR DB and ADOdb offer. Basically, you never go "SELECT `users` WHERE id = $id"; instead, you write "SELECT `users` WHERE id = ?", pass the value of the question mark via another parameter, and the database library automatically escapes it for you.
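As an added example (not code from any post in this thread), the script below shows what (int) actually returns for a few constructed inputs, a stricter check with filter_var(), and the bound-parameter query the last reply describes, done here with PDO against an in-memory SQLite database (assumptions: the pdo_sqlite extension is available, and the users table and its rows are constructed for the demo).

```php
<?php
// Constructed sample inputs standing in for $_GET['my_int'].
$samples = ['42', 'm123', '123abc', '0x1A', '-3', ''];

// Strict check: accept only a string that is entirely an integer
// (filter_var returns false for anything else, which we map to null).
function strictInt(string $in): ?int
{
    $v = filter_var($in, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Compare the cast from the first post with the strict check. A cast does
// not return zero for every non-integer string: PHP keeps a leading numeric
// prefix, so '123abc' casts to 123 while the strict check rejects it.
function castResults(array $inputs): array
{
    $out = [];
    foreach ($inputs as $in) {
        $out[] = ['input' => $in, 'cast' => (int) $in, 'strict' => strictInt($in)];
    }
    return $out;
}

// Bound parameter instead of string interpolation: the value never becomes
// part of the SQL text, so no escaping step can be forgotten.
function lookupUser(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (42, 'alice'), (123, 'bob')");

foreach (castResults($samples) as $r) {
    printf("%-10s cast=%-4d strict=%s\n", var_export($r['input'], true),
        $r['cast'], $r['strict'] === null ? 'rejected' : $r['strict']);
}

// Same lookup through the bound parameter, once with the cast and once with
// the strict check, so the difference in what reaches the query is visible.
var_dump(lookupUser($db, (int) '123abc'));
var_dump(strictInt('123abc'));
```

The cast alone silently turns '123abc' into a valid-looking id, so a cast protects the query syntax but not the meaning of the value; validating strictly and binding the parameter covers both.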