If I may ask: there's one thing I don't understand about casting. It's often recommended as a method to validate numeric data. From the PHP Architect's Guide to PHP Security: "A cast forces PHP to convert the parameter from a string to a numeric value, ensuring that the input is a valid number".
Example:
$_GET['product_id'] = (int) $_GET['product_id'];
But the thing is, if someone or something is inputting a non-valid value, input you don't want, isn't it better - at least in some situations - to throw an error or exception when wrong input is entered?
As I see it, the first layer of input filtering/validation should check all input and if any wrong input is entered, an error, warning, message or whatever must be returned. Then the second layer is or could be something like casting to make sure the processing logic only works with the right input. It's just that casting (again, in some situations I can think of) is like: "ok, the data is bad but I'll accept it anyway and clean it up for you".
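The two-layer approach described in the post, shown side by side with a bare cast. This is an added example, not code from the post or from the book it quotes; `validateProductId` is a hypothetical helper, the sample inputs are constructed, and it assumes PHP 8 (for the `mixed` type). The validation layer rejects anything that is not a well-formed positive integer and throws; the cast layer is what you get for free once validation has passed. The loop at the bottom shows what `(int)` would have silently accepted for each input.

```php
<?php
declare(strict_types=1);

// Layer 1: validate. Reject anything that is not a well-formed positive integer.
// Hypothetical helper, not from the post or the book.
function validateProductId(mixed $raw): int
{
    // A query string like ?product_id[]=1 makes $_GET['product_id'] an array;
    // (int) of a non-empty array is 1, so reject non-strings explicitly.
    if (!is_string($raw)) {
        throw new InvalidArgumentException('product_id must be a single string value');
    }

    // FILTER_VALIDATE_INT accepts only an optional sign and digits (surrounding
    // whitespace is trimmed); "12abc", "4.9" and "abc" all fail here.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

    // filter_var returns false on failure. Compare strictly: a valid 0 is also
    // falsy, so a loose check would reject it by accident.
    if ($id === false) {
        throw new InvalidArgumentException(
            sprintf('product_id "%s" is not a positive integer', $raw)
        );
    }

    // Layer 2: already an int at this point, so the cast is implicit.
    return $id;
}

// Typical call site (assumption: product_id comes from the query string):
//   $productId = validateProductId($_GET['product_id'] ?? '');

// Constructed sample inputs, with what a bare (int) cast produces for each.
$samples = ['42', ' 42', '12abc', 'abc', '-7', '0', '4.9', ''];

foreach ($samples as $raw) {
    $cast = (int) $raw;          // never throws: "12abc" -> 12, "abc" -> 0
    try {
        $validated = validateProductId($raw);
        $result = "accepted as $validated";
    } catch (InvalidArgumentException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("%-10s cast => %-3d validate => %s\n", var_export($raw, true), $cast, $result);
}
```

Running this shows the difference the post is getting at: the cast column never complains, turning `'12abc'` into `12` and `'abc'`, `''` and `'4.9'` into `0` or `4`, while the validation layer accepts only `'42'` and `' 42'` and throws for everything else. Whether to surface that exception to the caller or log it and return a generic error is a policy decision, but the point is that the decision is made explicitly rather than by the cast.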