Is this a security risk?
Posted: Mon Jun 19, 2006 4:29 am
by SpiderMonkey
Consider the following expression:
Given that the result of this will be written into the page at some point, do I need to use htmlspecialchars() here?
Or will the expression evaluate to a number even if the two $_POST variables are strings?
Posted: Mon Jun 19, 2006 4:43 am
by Maugrim_The_Reaper
The term "better safe than sorry" applies.
Use
$total = (int) $_POST["price1"] * (int) $_POST["qty1"];
If any of the POST variables contains anything but a number, it will still result in an integer. Actually you may not even need the (int) casts...
If the total will be used to perform an action, i.e. effect real change, it might be better to error out and force the user to correct the problem in their form. This is relevant since an integer cast can reduce a string (say "23iambad!") to the leading integer 23. This result of type juggling (as PHP calls it) can cause unexpected results that a user probably does not intend in the case of a genuine mistake on their part. The larger the impact a mistake will have, the more you want to avoid PHP's finicky type casting.
This is one of the reasons I usually advise against attempting to fix user mistakes where the resulting fix has a probability of not matching the original intent of the user.
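As an added illustration of the "error out instead of silently casting" approach (this is example code written for this thread, not code posted by anyone in it), the script below validates the two POST fields strictly, keeps the price in cents to avoid float rounding, and escapes anything echoed back into the page. Function names and the sample requests are my own; the field names price1 and qty1 are taken from the thread.

```php
<?php
// Added example, not from the original thread: strict validation of the two
// POST fields instead of silently casting with (int)/(float).
// Function and variable names are assumptions for this example.

declare(strict_types=1);

/**
 * Validate a quantity: a non-negative whole number. Returns null on failure.
 */
function parse_qty(string $raw): ?int
{
    // FILTER_VALIDATE_INT rejects "23iambad!", "2.0", "" and similar inputs;
    // min_range keeps negative quantities out.
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? null : $v;
}

/**
 * Validate a price: a non-negative decimal with at most two fractional digits.
 * Returns the price in cents as an int (no float rounding), or null on failure.
 */
function parse_price_cents(string $raw): ?int
{
    if (!preg_match('/^(\d+)(?:\.(\d{1,2}))?$/', $raw, $m)) {
        return null;
    }
    $cents = (int) $m[1] * 100;
    if (isset($m[2])) {
        // "5" means 50 cents, "05" means 5 cents: pad on the right.
        $cents += (int) str_pad($m[2], 2, '0');
    }
    return $cents;
}

/**
 * Compute the total in cents, or return an error message for the form.
 */
function compute_total(array $post): array
{
    $qty   = parse_qty((string) ($post['qty1'] ?? ''));
    $price = parse_price_cents((string) ($post['price1'] ?? ''));
    if ($qty === null) {
        return ['error' => 'Quantity must be a whole number.'];
    }
    if ($price === null) {
        return ['error' => 'Price must be a decimal number such as 12.50.'];
    }
    return ['total_cents' => $qty * $price];
}

// Constructed sample requests: one valid, one carrying the "23iambad!" value
// that a bare (int) cast would silently reduce to 23.
$samples = [
    ['price1' => '12.50', 'qty1' => '3'],
    ['price1' => '12.50', 'qty1' => '23iambad!'],
];

foreach ($samples as $post) {
    $r = compute_total($post);
    if (isset($r['error'])) {
        // Anything user-supplied is escaped before it goes back into HTML.
        echo 'Error: ' . htmlspecialchars($r['error'], ENT_QUOTES, 'UTF-8')
            . ' (qty1 was ' . htmlspecialchars($post['qty1'], ENT_QUOTES, 'UTF-8') . ")\n";
    } else {
        printf("Total: %d.%02d\n", intdiv($r['total_cents'], 100), $r['total_cents'] % 100);
    }
}
```

The first sample prints "Total: 37.50"; the second is rejected with an error rather than being computed as 23 * 12.50. Because the total is an integer number of cents, no float cast is needed for the price, which also sidesteps the rounding surprises that come with `(float)`.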
Posted: Mon Jun 19, 2006 4:46 am
by SpiderMonkey
That sounds like a good idea, thanks.
(although I'll have to cast the price as a float)
Posted: Mon Jun 19, 2006 2:07 pm
by John Cartwright
note: some posts were split to
viewtopic.php?t=50362