integer cast vs intval()

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

WaldoMonster
Forum Contributor
Posts: 225
Joined: Mon Apr 19, 2004 6:19 pm

Post by WaldoMonster »

Is there any difference in security between (int) and intval()?
Here are two examples:

Code: Select all

mysql_query('UPDATE example SET
            filesize    = ' . (int) $filesize . ',
            flag        = ' . (int) $flag . '
            WHERE id    = ' . (int) $id
            );

Code: Select all

mysql_query('UPDATE example SET
            filesize    = ' . intval($filesize) . ',
            flag        = ' . intval($flag) . '
            WHERE id    = ' . intval($id)
            );
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

This thread was split from a year old thread: viewtopic.php?t=35719

The difference is mostly in speed of execution for most people. There are a few other minor (and I really mean minor) differences, but for the most part they are interchangeable.
WaldoMonster
Forum Contributor
Posts: 225
Joined: Mon Apr 19, 2004 6:19 pm

Post by WaldoMonster »

Thanks feyd,
If there are no security differences, I will go for the faster of the two.
I used this little script to see the difference between cast and intval():

Code: Select all

<?php
list($usec, $sec) 	= explode(' ', microtime());
$start_time			= $usec + $sec;

for ($i = 0; $i < 1000000; $i++)
	{
	$a = 12345;
	//$a = (int) $a;
	$a = intval($a);
	}

list($usec, $sec)	= explode(' ', microtime());
$execution_time		= $usec + $sec - $start_time;
echo 'Script execution time: ' . number_format($execution_time * 1000, 1) . 'ms';
?>
As you can see, the differences are quite obvious on my system:

With $a = (int) $a; the result is:

Code: Select all

Script execution time: 746.5ms
With $a = intval($a); the result is:

Code: Select all

Script execution time: 1,207.7ms
The execution time is different every time you run the script.
But roughly the difference in percentage is the same.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

feyd wrote: The difference is mostly in speed of execution for most people. There are a few other minor (and I really mean minor) differences, but for the most part they are interchangeable.
I'm interested, what are those minor differences? I couldn't see anything in that thread you posted, feyd.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The difference is one is a function. The other is not.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Oh right, I thought you meant they actually gave different results.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I have a recollection that someone looked at the internals and said that they call the same code but in slightly different contexts. Does anyone remember about this?
(#10850)
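
Added example, not part of any post in this thread: a PHP script that runs both coercions from the first post over constructed inputs and reports whether they agree and whether the value that would be concatenated into the query is a plain integer literal. The sample inputs, the function name compare_int_coercions() and the filter_var() column (strict validation that rejects instead of coercing) are assumptions added for illustration.

```php
<?php
// Constructed sample inputs (not from the thread): typical request values,
// malformed values, and non-string types.
$samples = ['42', ' 42', '-7', '42abc', 'abc', '', '1 OR 1=1', '0x1A',
            '99999999999999999999', null, true, 3.99, []];

// Hypothetical helper: apply (int) and intval() to each input and record
// whether they agree and what would end up in the SQL string.
function compare_int_coercions(array $samples)
{
    $rows = [];
    foreach ($samples as $raw) {
        $cast = (int) $raw;
        $func = intval($raw);
        $rows[] = [
            'input'    => var_export($raw, true),
            'cast'     => $cast,
            'intval'   => $func,
            // Same type and same value from both forms?
            'same'     => $cast === $func,
            // The text concatenated into the query: digits with optional sign only?
            'literal'  => preg_match('/^-?\d+$/', (string) $cast) === 1,
            // Strict check: false when the input is not an integer at all,
            // where the cast would silently produce a number.
            'strict'   => filter_var($raw, FILTER_VALIDATE_INT),
        ];
    }
    return $rows;
}

printf("%-26s %-21s %-21s %-6s %-8s %s\n",
       'input', '(int)', 'intval()', 'same', 'literal', 'FILTER_VALIDATE_INT');
foreach (compare_int_coercions($samples) as $r) {
    printf("%-26s %-21d %-21d %-6s %-8s %s\n",
           $r['input'], $r['cast'], $r['intval'],
           $r['same'] ? 'yes' : 'NO',
           $r['literal'] ? 'yes' : 'NO',
           var_export($r['strict'], true));
}

// A difference the cast cannot express: intval() takes an optional base
// as its second argument, while (int) always parses base 10.
var_dump(intval('12', 8), intval('ff', 16));
```

Rows where the strict column is false but the cast column holds a number are the inputs that (int) and intval() both accept silently; the query stays well-formed, but it may update a row the caller never meant to address.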