Cast that INT!

For the discussion of Perl, Python, Ruby, and PHP and other interpreted languages.


Post by IO_Relentless on Fri Oct 24, 2008 2:31 pm

Hi all, I'm new here, so I thought I would start out by posting a thought :)

Just something I seem to have noticed; please correct me if I am wrong. When you are creating a website that interacts with a database, we all know we must secure it against SQL injection, so we use addslashes(), stripslashes(), mysql_real_escape_string(), etc. But what most people seem to forget, in practice and in "Prevent SQL injection" articles, is the ability to cast integer values with (INT) so that only integers will be accepted.

For example, if you have a field in the database, let's say the ID, that is an INT, the only value we are going to need in association with that field is an INT, so to stop people injecting, say, a string, cast it! A working example is as follows:

// Without casting the article_id variable
if (isset($_GET['article_id'])) {
    $article_id = $_GET['article_id'];

    // create and run query
}

// Casting it to an INT
if (isset($_GET['article_id'])) {
    $article_id = (int) $_GET['article_id'];

    // create and run query
}

It takes 2 seconds and ensures that the "$article_id" variable will be of type integer; it's good practice in my opinion to do these things.

Hope this helped someone :)

Please post your comments.

Relentless.
IO_Relentless
New User
Posts: 2
Joined: Fri Oct 24, 2008 2:22 pm
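As an added example (not the poster's own code), the script below puts the two patterns from the post side by side and shows what each one lets through into the SQL string, using a few constructed inputs instead of a live request. It also adds a stricter variant built on PHP's filter_var() with FILTER_VALIDATE_INT, which rejects malformed or non-positive ids instead of silently coercing them to 0; the table name, column names and the $samples array are assumptions made for the demonstration.

```php
<?php
// Added example, not the original poster's code. The query strings are only
// built and printed here, never executed, so the script runs without a database.

/** The "without casting" pattern from the post: raw input lands in the SQL verbatim. */
function query_without_cast(array $get): string
{
    $article_id = $get['article_id'] ?? '';
    return "SELECT title FROM articles WHERE id = " . $article_id;
}

/** The "cast it" pattern from the post: after (int) only digits (and a sign) remain. */
function query_with_cast(array $get): string
{
    $article_id = (int) ($get['article_id'] ?? 0);
    return "SELECT title FROM articles WHERE id = " . $article_id;
}

/**
 * Stricter variant (added here): validate instead of coerce. filter_var() returns
 * false for anything that is not a well-formed integer in [1, PHP_INT_MAX], so
 * inputs such as "42abc", "", "0" or "-3" are rejected rather than turned into 0.
 */
function validated_article_id(array $get): ?int
{
    $id = filter_var(
        $get['article_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// Constructed sample request parameters (hypothetical; not taken from the thread).
$samples = [
    'normal'  => ['article_id' => '42'],
    'hostile' => ['article_id' => '42 OR 1=1'],
    'junk'    => ['article_id' => 'abc'],
    'missing' => [],
];

foreach ($samples as $label => $get) {
    echo "[$label]\n";
    echo "  without cast: ", query_without_cast($get), "\n";
    echo "  with cast   : ", query_with_cast($get), "\n";
    $id = validated_article_id($get);
    echo "  validated   : ", ($id === null ? 'rejected' : (string) $id), "\n";
}
```

Run it with `php cast_demo.php`. The cast is cheap defence in depth, but note what it cannot do: it cannot tell a typo from an attack (both become 0), and it only covers integer parameters. For everything else, and as the primary control even for integers, bind the value as a parameter (for example PDO's bindValue() with PDO::PARAM_INT) rather than concatenating it into the query.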


Re: Cast that INT!

Post by xelix on Fri Oct 24, 2008 4:06 pm

$article_id = (is_numeric($_GET['article_id']) ? $_GET['article_id'] : intval($_GET['article_id']));
shutdown -h 0 "Since when is death an option?"
xelix
Experienced User
Posts: 52
Joined: Mon Oct 20, 2008 1:00 pm
Location: mv -f / /dev/null && shutdown -h 0 "You just lost the game."


Re: Cast that INT!

Post by IO_Relentless on Fri Oct 24, 2008 4:57 pm

hey :)

Not going to post any comments?

Rel.
IO_Relentless
New User
Posts: 2
Joined: Fri Oct 24, 2008 2:22 pm


Re: Cast that INT!

Post by TheMindRapist on Fri Oct 24, 2008 5:08 pm

Comments aren't really needed for one line of code.
TheMindRapist
Contributor
Posts: 585
Joined: Mon Apr 14, 2008 4:57 pm


Re: Cast that INT!

Post by BhaaL on Sat Oct 25, 2008 7:22 am

I guess he meant comments to his post :roll:

Besides, $article = intval($_GET['article']); is by far sufficient. If the string is not numeric at all, it will return 0. If the string starts with numbers, it will return that as an integer. If it's numeric at all, the number itself is returned.
BhaaL
Poster
Posts: 270
Joined: Sun Apr 13, 2008 11:16 am
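To make the three approaches in this thread comparable (the (int) cast from the first post, xelix's is_numeric() ternary, and the plain intval() BhaaL describes), here is an added example, not code from any of the posters, that runs all three over a constructed list of inputs and prints what comes back together with its PHP type. The input list is an assumption chosen to cover the cases BhaaL lists plus a few edge cases (leading whitespace, a decimal, exponent notation, a hexadecimal-looking string, and a value beyond the integer range).

```php
<?php
// Added example, not code from the thread. Behaviour of numeric-string
// conversion changed in PHP 7.0/7.1; the notes below assume 64-bit PHP 7.1+.

/** The cast from the first post. */
function via_cast(string $raw): int
{
    return (int) $raw;
}

/** The plain intval() from BhaaL's reply; same conversion rules as the cast. */
function via_intval(string $raw): int
{
    return intval($raw);
}

/**
 * xelix's ternary. Note the asymmetry: when is_numeric() is true the raw
 * string is returned unchanged (still a string, possibly "4.9" or "1e3"),
 * and only non-numeric input gets converted.
 */
function via_is_numeric(string $raw)
{
    return is_numeric($raw) ? $raw : intval($raw);
}

/** Collects the result of all three approaches for one input. */
function compare(string $raw): array
{
    $ternary = via_is_numeric($raw);
    return [
        'cast'    => via_cast($raw),
        'intval'  => via_intval($raw),
        'ternary' => $ternary,
        'type'    => gettype($ternary),
    ];
}

// Constructed inputs (hypothetical request values, not from the thread).
$inputs = [
    '42',      // plain integer
    '42abc',   // leading digits: "starts with numbers" case
    'abc',     // not numeric at all
    '',        // empty parameter
    ' 42',     // leading whitespace, which is_numeric() accepts
    '-3',      // negative: the cast does not reject it
    '4.9',     // decimal: the cast truncates, is_numeric() passes it through
    '1e3',     // exponent notation: treated as 1000 since PHP 7.1
    '0x1A',    // hex notation is not numeric since PHP 7
    '99999999999999999999', // beyond PHP_INT_MAX: saturates when cast (PHP 7+)
];

printf("%-24s %-21s %-21s %-24s %s\n", 'input', '(int)', 'intval()', 'is_numeric ternary', 'type');
foreach ($inputs as $raw) {
    $r = compare($raw);
    printf(
        "%-24s %-21s %-21s %-24s %s\n",
        var_export($raw, true),
        $r['cast'],
        $r['intval'],
        var_export($r['ternary'], true),
        $r['type']
    );
}
```

The practical takeaway from the table: (int) and intval() always hand you an integer, which is exactly what makes them useful before building a query, whereas the is_numeric() ternary can hand back a string such as "4.9" or " 42" that then reaches the SQL untouched. Neither approach distinguishes a bad id from a missing one, and none rejects 0 or negative values, so a range check (or filter_var() with FILTER_VALIDATE_INT and a min_range option) is still worth adding when the id must be positive.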