Oren wrote:
First of all, to make things more clear, I just wanted to make sure you know that anything from POST/GET is a string - I didn't say anything about ole's answer nor did I answer your question - all I was trying to do was to teach you and other people that might not know this (and I've seen such people).
That's ok of course. I appreciate that. I just asked because your comment made it seem like I might have missed something (with the big red letters and all...).
Oren wrote:
Now to your real question, yes you can be sure, and yet I wouldn't do it for several reasons:
1. What if PHP's behavior changes in future versions?
I hope not too much, but you are right. Defense in depth.
Oren wrote:
2. I would sanitize any data which comes from the user first, and only then I would validate/check it (and yes, there is a difference between the two).
I'm not sure I agree on this one. At least not in every situation. Normally, especially when it comes to form processing, I don't want to sanitize the data, but instead validate the data and return a (friendly) error message when someone posts the wrong data. If someone registers on a forum and enters his username as somedude12! I wouldn't want to strip out the 12! without letting that user know.
However, in this specific case I use $_GET['id'] to page through several photos. In that case I don't mind an id of '1abctest' being sanitized (by casting) to 1. But maybe we mean the same things but use the definitions differently.
Oren wrote:
3. Some people will argue, but I believe in "Better safe than sorry" - even in places where I myself believe it's not necessary to do X, Y and Z, I still do them as long as it doesn't require too much extra resources from the machine.
You are absolutely correct. So would you do it like this:
<?php
$index = isset($_GET["id"]) ? (int)$_GET["id"]-1 : 0;
?>
Or is that syntactically wrong?
But even if I use several layers of security, I still want to be sure each layer on its own is doing what I think it should do. Therefore these questions. Thanks for your input.
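As an added example (not code from Oren or the original poster), here is the "sanitize by casting" one-liner from the post beside a "validate and reject" version, so the difference the two posters are circling can be seen on concrete input. The function names and the `$photoCount` album size are assumptions made for this example. It also covers one edge case the `(int)` cast quietly swallows: a request like `?id[]=1` makes `$_GET['id']` an array rather than a string.

```php
<?php
// Added example, not from the original thread.
// Two ways to turn $_GET['id'] into a 0-based offset into a list of photos.

/**
 * "Sanitize" approach (what the one-liner in the post does, plus a range clamp):
 * accept anything, coerce it to an int, never show an error.
 * '1abctest' becomes 1, 'abc' becomes 0, both land on the first photo.
 */
function photoIndexLenient($raw, int $photoCount): int
{
    // ?id[]=1 makes $_GET['id'] an array; treat that as "no id" instead of casting it.
    if (!is_string($raw)) {
        return 0;
    }
    $index = (int)$raw - 1;
    // Clamp so the result is always a valid offset into the photo list.
    return max(0, min($index, $photoCount - 1));
}

/**
 * "Validate" approach: only accept a well-formed integer inside the allowed
 * range, otherwise return null so the caller can show a friendly error or a 404.
 * filter_var with FILTER_VALIDATE_INT rejects '1abctest' instead of trimming it.
 */
function photoIndexStrict($raw, int $photoCount): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $photoCount],
    ]);
    return $id === false ? null : $id - 1;
}

$photoCount = 5; // hypothetical number of photos in the album

// Constructed sample values standing in for $_GET['id'].
$samples = ['3', '1abctest', 'abc', '0', '99', ['1'], null];
foreach ($samples as $raw) {
    printf("%-12s lenient=%d strict=%s\n",
        json_encode($raw),
        photoIndexLenient($raw, $photoCount),
        json_encode(photoIndexStrict($raw, $photoCount)));
}

// In the page itself the one-liner from the post would become:
// $index = photoIndexLenient($_GET['id'] ?? null, $photoCount);
// or, if a bad id should produce an error page:
// $index = photoIndexStrict($_GET['id'] ?? null, $photoCount);
```

Running this prints `'3'` as offset 2 in both versions, while `'1abctest'`, `'abc'`, `'0'` and `'99'` become 0, 0, 0 and 4 in the lenient version but `null` in the strict one. Whichever version is used, the resulting integer should still be passed to the database as a bound parameter of a prepared statement rather than interpolated into the SQL string; the cast makes injection impossible for this one value, but a prepared statement is the layer that stays correct even if the cast is later removed or the variable is reused elsewhere.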