ShaolinF (posted May 6, 2010):

Hi Guys, I do the following to GET an id: $id = $_GET['id']; There needs to be some filtering/sanitization. I have noticed that many people just cast it as an int and leave it at that. Is that really the best way to approach this issue? It doesn't look right to me. I'm hoping someone can shed some light on this from a secure coding POV.

Thread: https://forums.phpfreaks.com/topic/200913-casting-variables-as-the-sole-security-measure/
xeross (posted May 6, 2010):

I generally don't use typecasts. If something needs to be a number I tend to use is_numeric, and for more complex checks you could use regular expressions or readily available PHP functions like is_int, is_string, is_bool, etc. ~Xeross
.josh (posted May 6, 2010):

There is nothing wrong with type casting if that's all it takes to validate data format. For instance, with pagination. You are already gonna have a condition to make sure the number is within range 1-X, so that's covered. As for the rest of it, forcing the value to int nicely covers everything else: making sure it's a whole number. Right tool for the right job, sort of thing.
Mchl (posted May 6, 2010):

Checking with is_numeric() on the other hand can actually let some types of SQL injections through. Strings like "0x01ABCDEF" do return true on is_numeric(), and in some multibyte encodings they can be used to break the query.
xeross (posted May 7, 2010):

> Checking with is_numeric() on the other hand can actually let some types of SQL injections through. Strings like "0x01ABCDEF" do return true on is_numeric(), and in some multibyte encodings they can be used to break the query.

Ah ok, I didn't know that, time to edit my code.
Mchl (posted May 7, 2010):

With UTF-8 you're probably safe, but I'd advise making the changes nevertheless.
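The following is an added example, not code from any poster in this thread. It puts .josh's point (an (int) cast plus a range check) and Mchl's point (is_numeric() accepts more than base-10 integers) side by side over a set of constructed inputs, then shows the validated id going into a prepared statement so the value never becomes part of the SQL text. Two facts worth knowing when reading it: is_numeric() has always accepted floats, exponents such as "1e3" and leading whitespace, none of which are valid ids; and the hexadecimal case Mchl describes applies to PHP 5, because since PHP 7.0 is_numeric("0x1A") returns false. The table name, the in-memory SQLite database and the sample inputs are assumptions made for the example; the filter_var() call with FILTER_VALIDATE_INT and min_range is the standard PHP API and is the approach the example recommends.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): compare three ways of validating an id
// taken from the query string, then use the validated value in a prepared statement.

/**
 * Strict id validation: accept only a base-10 integer >= 1, return null otherwise.
 * FILTER_VALIDATE_INT rejects whitespace, floats, exponents and hex notation;
 * min_range enforces the application's own domain rule (ids start at 1).
 */
function validate_id($raw): ?int
{
    if (!is_string($raw)) {           // missing key or array input (?id[]=1) is rejected
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Evaluate one raw input under the three approaches discussed in the thread.
 * Returns ['cast' => int, 'is_numeric' => bool, 'strict' => ?int].
 */
function compare_checks(string $raw): array
{
    return [
        'cast'       => (int) $raw,        // lossy coercion: "5abc" becomes 5, "abc" becomes 0
        'is_numeric' => is_numeric($raw),  // true for floats, exponents, leading whitespace
        'strict'     => validate_id($raw), // integer or null
    ];
}

/**
 * Look up a row by id with a bound integer parameter. Even with a validated id,
 * the value is passed to the driver separately from the SQL text.
 */
function fetch_title(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['title'];
}

// Constructed sample inputs, as they might arrive in $_GET['id'].
$samples = ['42', '0', '-7', ' 42', '42abc', '1e3', '3.0', '0x1A', 'abc'];

printf("%-8s %-6s %-10s %s\n", 'input', 'cast', 'is_numeric', 'strict');
foreach ($samples as $raw) {
    $r = compare_checks($raw);
    printf(
        "%-8s %-6d %-10s %s\n",
        var_export($raw, true),
        $r['cast'],
        $r['is_numeric'] ? 'true' : 'false',
        $r['strict'] === null ? 'reject' : (string) $r['strict']
    );
}

// An in-memory SQLite database stands in for the real one (assumes pdo_sqlite is loaded).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts VALUES (42, 'Casting variables as the sole security measure')");

// When run from the CLI there is no query string, so fall back to a constructed value.
$id = validate_id($_GET['id'] ?? '42');
if ($id === null) {
    echo "400 Bad Request: id must be a positive integer\n";
} else {
    $title = fetch_title($db, $id);
    echo $title === null ? "404 Not Found\n" : $title . "\n";
}
```

The table the script prints makes the division of labour visible: the cast never rejects anything (it silently turns "42abc" into 42 and "abc" into 0, which is why .josh pairs it with a range check), is_numeric() accepts "1e3", "3.0" and " 42", and the filter_var() route is the only one that both rejects malformed input and yields a typed integer. Whichever format check is used, the bound parameter in fetch_title() is what keeps the database safe; the validation decides whether the request is well-formed, and the prepared statement decides how the value reaches SQL.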