
Casting variables as the sole security measure


ShaolinF


Hi Guys,


I do the following to GET an id:


$id = $_GET['id'];


There needs to be some filtering/sanitization. I have noticed that many people just cast it as an int and leave it at that. Is that really the best way to approach this issue? It doesn't look right to me. I'm hoping someone can shed some light on this from a secure coding POV.

There is nothing wrong with type casting if that's all it takes to validate the data format. For instance, with pagination. You are already gonna have a condition to make sure the number is within the range 1-X, so that's covered. As for the rest of it, forcing the value to int nicely covers everything else: making sure it's a whole number. Right tool for the right job, sort of thing.

Checking with is_numeric() on the other hand can actually let some types of SQL injection through. Strings like "0x01ABCDEF" do return true on is_numeric(), and in some multibyte encodings they can be used to break the query.

Ah ok, I didn't know that, time to edit my code :)
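An added example (not code from any poster in this thread) showing the difference the replies discuss: a bare (int) cast never fails and silently coerces malformed input, whereas FILTER_VALIDATE_INT rejects it, and the validated value is still bound as a parameter rather than interpolated. It assumes a PDO handle $pdo and a table `items` with an integer `id` column, both hypothetical.

```php
<?php
// Added example, not from the thread. Assumes a PDO handle $pdo and a
// table `items` with an integer primary key `id` (both hypothetical).

// Validate an id by rejecting anything that is not a plain positive
// decimal integer, instead of coercing it the way a cast does.
function validateId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    // filter_var() returns false on failure; compare strictly, since a
    // valid id could otherwise be confused with a falsy value.
    return $id === false ? null : $id;
}

// Compare with a bare cast: it truncates trailing garbage ('12abc'),
// zeroes non-numeric and hex-looking strings ('abc', '0x01ABCDEF'),
// and happily accepts negatives and zero. The validator rejects all of
// them; hex is refused because FILTER_FLAG_ALLOW_HEX is not set.
$samples = ['42', '12abc', 'abc', '0x01ABCDEF', '-7', '0'];
foreach ($samples as $raw) {
    $cast = (int) $raw;
    $checked = validateId($raw);
    printf("%-12s cast=%-3d validated=%s\n", var_export($raw, true), $cast,
        $checked === null ? 'rejected' : $checked);
}

// Validation fixes the shape of the value; the query is still
// parameterised so the database never treats the id as SQL text.
$id = validateId($_GET['id'] ?? '');
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}
$stmt = $pdo->prepare('SELECT id, name FROM items WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
```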
