05-02-2008, 09:14 PM, #18
Wizard
Join Date: Sep 2007
Posts: 1,296
Quote:
Originally Posted by Highway of Life
Claims and/or examples are not necessary to demonstrate basic and correct programming concepts.
That said, I’ll give a very basic example of proper usage and why type casting is of utmost importance when programming.
If you are interacting with the database, a MySQL query for example, it’s important to use typecasting in the following example:
PHP Code:
$sql = 'SELECT field1, field2, field3 FROM some_table WHERE field_name = ' . $var_id;
$var_id cannot be a string, otherwise you open it up to SQL injection.
If you sanitise the variable with mysql_escape_string(), you are wasting resources... instead, you should force var type integer.
Your argument for typecasting is based off of speed, not security as you earlier claimed. It will hardly take any more time to clean via mysql_real_escape_string() than to typecast. The difference will be negligible.
Quote:
Originally Posted by Highway of Life
In the case of SQL UPDATE or INPUT, if you do not force var type int, you will also have SQL Errors if the value is not strictly an integer.
You should be validating a lot more than just type when using those commands. However, not typecasting leaves room for an error, not a hole.
Quote:
Originally Posted by Highway of Life
You don’t use shortcuts when security is in question -- you do it right.
All basic programming concepts with any language, especially PHP.
How is my method more of a shortcut than yours? I could just as easily call your method a shortcut not to use mysql_real_escape_string all the time. Do your security right.
Quote:
Originally Posted by Highway of Life
Anyone who has worked in C or Java knows how important typecasting is.
You don't have a choice in C or Java to typecast or not; it can be the biggest pain in the ass sometimes. I know C++, although I won't claim to be more than intermediate.
Your arguments for typecasting are not based off of security. Please don't come here and present personal style as fact.
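An added example, not posted by either participant, contrasting the three ways of building the query from the quoted post: raw concatenation, the (int) cast Highway of Life argues for, and a bound parameter, which avoids the escaping-versus-casting question entirely. Table and column names are the ones in the quoted query; the input string and the PDO handle are constructed for illustration.

```php
<?php
// Added example (not from the thread). Shows how a non-numeric value for
// $var_id behaves under concatenation, under an (int) cast, and as a bound
// parameter. Table/column names come from the quoted query.

declare(strict_types=1);

// 1. Raw concatenation, as in the quoted post: whatever $var_id contains is
//    spliced into the SQL text unchanged.
function query_unsafe(string $var_id): string
{
    return 'SELECT field1, field2, field3 FROM some_table WHERE field_name = ' . $var_id;
}

// 2. Typecast: (int) coerces the value, so only a number can reach the SQL
//    text. Caveat: PHP keeps the leading digits and drops the rest silently,
//    and a non-numeric string becomes 0, so if a malformed id should be
//    rejected rather than quietly looked up, validate it separately.
function query_typecast(string $var_id): string
{
    $id = (int) $var_id;
    return 'SELECT field1, field2, field3 FROM some_table WHERE field_name = ' . $id;
}

// 3. Bound parameter: the id is never part of the SQL text at all, so neither
//    escaping nor casting is what keeps the query intact. Works for strings
//    and numbers alike, which is why it replaces mysql_real_escape_string().
function fetch_row(PDO $db, string $var_id): ?array
{
    if (!ctype_digit($var_id)) {   // reject malformed ids before the DB sees them
        return null;
    }
    $stmt = $db->prepare(
        'SELECT field1, field2, field3 FROM some_table WHERE field_name = :id'
    );
    $stmt->bindValue(':id', (int) $var_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input: a value that is not strictly an integer.
$input = '1 OR 1=1';
echo query_unsafe($input), PHP_EOL;    // the extra condition survives in the SQL text
echo query_typecast($input), PHP_EOL;  // only the leading integer survives
```

Compare the two printed queries: the cast removes the injected condition, but it also turns input such as "abc" into id 0 without complaint, which is the "error, not a hole" distinction the reply draws.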