Just something I seem to have noticed; please correct me if I am wrong. When you are creating a website that interacts with a database, we all know we must secure it against SQL injection, so we use addslashes(), stripslashes(), mysql_real_escape_string(), etc. But what most people seem to forget, in practice and in "Prevent SQL injection" articles, is the ability to cast (INT) integer values so that only integers will be accepted.
For example, if you have a field in the database, let's say the ID, that is an INT, the only value we are going to need in association with that field is an INT, so to stop people injecting, say, a string, cast it! A working example is as follows:
<?php
// Without casting: $article_id is whatever string the client sent,
// so anything the attacker typed goes straight into the query
if (isset($_GET['article_id'])) {
    $article_id = $_GET['article_id'];
    // create and run query
}

// Casting it to an int: the value is now an integer no matter what
// was sent ("5abc" becomes 5, "abc" becomes 0), so no SQL can be injected
if (isset($_GET['article_id'])) {
    $article_id = (int) $_GET['article_id'];
    // create and run query
}
It takes 2 seconds and ensures that the "$article_id" variable will be of type integer; it's good practice in my opinion to do these things.
Hope this helped someone.
Please post your comments.
Relentless.
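As an added example that is not part of the original post (editor's code, not Relentless's), the script below runs three variants of the lookup against a small SQLite table built inline with PDO: the uncast query, the (int)-cast query from the post, and a stricter version that validates the value with filter_var() and binds it in a prepared statement. The table, its rows and the hostile article_id value are constructed for the demo, and it assumes the pdo_sqlite extension is installed.

```php
<?php
// Added example, not from the original post. Shows what the (int) cast
// does with hostile input, why it blocks injection on an integer column,
// and a stricter alternative: validate the value as an integer (rejecting
// anything else) and bind it in a prepared statement.
// Assumes the pdo_sqlite extension; the "articles" table, its rows and the
// hostile input below are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (article_id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO articles VALUES (1, 'first'), (2, 'second'), (3, 'third')");

// 1. No cast: the raw string is spliced into the SQL, so an attacker's
//    "OR 1=1 --" becomes part of the query and the WHERE clause matches
//    every row (the "--" comments out whatever would have followed).
function fetchWithoutCast(PDO $db, string $articleId): array
{
    $sql = "SELECT article_id, title FROM articles WHERE article_id = $articleId";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The post's fix: (int) keeps only the leading digits of the string
//    ("1 OR 1=1 --" becomes 1, "abc" becomes 0), so nothing but a number
//    ever reaches the SQL. Injection is impossible here, but bad input is
//    silently turned into a different (possibly valid) id rather than
//    being rejected.
function fetchWithCast(PDO $db, string $articleId): array
{
    $id = (int) $articleId;
    $sql = "SELECT article_id, title FROM articles WHERE article_id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Stricter: accept only a string that is entirely a positive integer
//    (FILTER_VALIDATE_INT returns false for "1 OR 1=1 --", "1abc", "", ...)
//    and bind it as a parameter so the value never touches the SQL text.
//    Returns null when the input is not a valid id.
function fetchStrict(PDO $db, string $articleId): ?array
{
    $id = filter_var($articleId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject, do not coerce
    }
    $stmt = $db->prepare('SELECT article_id, title FROM articles WHERE article_id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input, as it would arrive in ?article_id=
$hostile = '1 OR 1=1 --';

printf("no cast : %d rows\n", count(fetchWithoutCast($db, $hostile)));
printf("(int)   : %d rows\n", count(fetchWithCast($db, $hostile)));
$strict = fetchStrict($db, $hostile);
printf("strict  : %s\n", $strict === null ? 'rejected' : count($strict) . ' rows');
printf("strict  : %d rows for the legitimate id \"2\"\n", count(fetchStrict($db, '2')));
```

Run it with php from the command line. The cast does exactly what the post says: only a number reaches the query. The stricter form is worth the extra line because (int) also turns "abc" into 0 and "7;DROP TABLE articles" into 7, so a bad request is silently served a different record instead of being rejected, and for string columns the cast is no help at all; a prepared statement covers every column type.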