TalkPHP - View Single Post - SQL Injection and mysql_real_escape_string

Highway of Life · 05-02-2008, 06:41 PM

Type casting is extremely important in any programming language, and PHP is no exception.

Although type casting is an often-missed tool when a PHP developer is trying to ensure data integrity.
Type casting is most often used to specifically enforce a type in order to provide extra security or just to make sure a set type of data is being used. For example, if your script absolutely requires an integer number, it's a smart move to typecast your variable with (integer) so that PHP will convert any other type to integer or do nothing if the type is already integer.

All user data being input in an SQL Query must be sanitised in one way or another, typecasting is one of the most important ways of ensuring that your integers are integers, your floats are floats, bool, binary, array or strings. -- or to ensure that your variable is an object or resource.
In many cases, type casting is sufficient validation. When a variable needs to be an integer, you won’t need to spend additional time and server resources sanitising the variable as you would with a string.

Suggesting that type casting is not important displays a lack of programming knowledge and especially security awareness.
Dealing with database interaction is something to always take seriously — and type casting can be of great benefit to you.

05-02-2008, 06:41 PM	#15 (permalink)
Highway of Life The Wanderer Join Date: May 2008 Location: Beware of programmers carrying screwdrivers Posts: 21 Thanks: 0	Type casting is extremely important in any programming language, and PHP is no exception. Although type casting is an often-missed tool when a PHP developer is trying to ensure data integrity. Type casting is most often used to specifically enforce a type in order to provide extra security or just to make sure a set type of data is being used. For example, if your script absolutely requires an integer number, it's a smart move to typecast your variable with (integer) so that PHP will convert any other type to integer or do nothing if the type is already integer. All user data being input in an SQL Query must be sanitised in one way or another, typecasting is one of the most important ways of ensuring that your integers are integers, your floats are floats, bool, binary, array or strings. -- or to ensure that your variable is an object or resource. In many cases, type casting is sufficient validation. When a variable needs to be an integer, you won’t need to spend additional time and server resources sanitising the variable as you would with a string. Suggesting that type casting is not important displays a lack of programming knowledge and especially security awareness. Dealing with database interaction is something to always take seriously — and type casting can be of great benefit to you. __________________ - Highway of Life [ Software Engineer \| PHP Developer \| phpBB.com Team Member ] phpBB Academy at StarTrekGuide