Thread: https://forums.phpfreaks.com/topic/257504-php-safe/

Monkuar, posted February 22, 2012:

    $stick_topic = isset($_POST['stick_topic']) ? '1' : '0';

Does this need to be escaped while entering it into the database, or not, because the values can only be 1 or 0? Sorry, it's just that I got hacked, so I am trying to make security my #1 priority.
scootstah, posted February 22, 2012:

Technically no, since you are not using the user's input.
Pikachu2000, posted February 22, 2012:

Numeric values shouldn't be escaped anyhow; they should be validated and cast as the proper data type.
Monkuar (author), posted February 22, 2012:

> Numeric values shouldn't be escaped anyhow; they should be validated and cast as the proper data type.

Cast, meaning that as this variable will only be 1 or 0, it's impossible to inject? If so, topic solved, ty.
Pikachu2000, posted February 22, 2012:

Cast, meaning as an integer, or float, etc.

    $value = (int) $_POST['value'];
scootstah, posted February 22, 2012:

> > Numeric values shouldn't be escaped anyhow; they should be validated and cast as the proper data type.
>
> Cast, meaning that as this variable will only be 1 or 0, it's impossible to inject? If so, topic solved, ty.

In this case it's not possible to inject anyway, since you are not actually putting the user's input into the database. But what Pikachu means is that instead of taking the user's input and escaping it to put in the database, you typecast it to the appropriate data type. If you typecast a string to, say, an int, any non-integer characters will be removed. So even if the string contained injection, it would just become 0.
Monkuar (author), posted February 22, 2012:

> Cast, meaning as an integer, or float, etc.
>
>     $value = (int) $_POST['value'];

Okay, so then the above would be more secure if I did:

    $stick_topic = isset($_POST['stick_topic']) ? '1' : '0';
    if (!intval($stick_topic)) {
        echo "stop hacking";
        exit;
    }

Casting it as an intval only would be hack safe? Should I add

    if ($stick_topic < 1) {
        echo "hacker trying to do negative on me now?";
        exit;
    }

to make it even more secure, eh? Okay, scootstah, so always make sure I cast integers before input and then DB-escape them just to be on the safe side? I really just don't want to get hacked again; I'm escaping everything.
scootstah, posted February 22, 2012:

Again, in this case you are not putting the user's input into the database. Therefore you don't need to do anything; the value will always be either 1 or 0, no matter what they enter. But to clarify, all you would need to do is exactly what Pikachu said:

    $value = (int) $_POST['value'];

No matter what they entered into the "value" field, it would always be an integer and nothing else. If they entered SQL injection, it would simply be changed to 0.
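The behaviour described in the replies above, as an added example that is not from the thread or its participants: it runs the isset-based flag from the first post against constructed POST arrays, shows what an (int) cast actually does to hostile strings (an integer always comes out, but a string that begins with digits keeps them rather than becoming 0), and adds the validate-then-cast step Pikachu2000 recommends, which rejects anything outside the values the column allows. The function names, the allowed set and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Sample inputs are constructed.

declare(strict_types=1);

/**
 * Checkbox handling from the original post: the raw submitted value is
 * never used, only whether the field was present, so the result is always
 * 0 or 1 regardless of what the client sends.
 */
function stickTopicFlag(array $post): int
{
    return isset($post['stick_topic']) ? 1 : 0;
}

/**
 * "Validate and cast" for an integer field: accept only an unsigned digit
 * string, cast it, then check it is one of the values the column allows.
 * Returns null when the input is not acceptable so the caller can reject
 * the request instead of storing a guessed value.
 */
function validatedFlag(array $post, string $field, array $allowed = [0, 1]): ?int
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    // ctype_digit rejects signs, whitespace, decimals and any SQL fragment
    // before the cast, so "1 OR 1=1" is refused rather than accepted as 1.
    if (!ctype_digit($post[$field])) {
        return null;
    }
    $value = (int) $post[$field];
    return in_array($value, $allowed, true) ? $value : null;
}

// Constructed sample requests, including hostile strings.
$samples = [
    'unchecked box'   => [],
    'checked box'     => ['stick_topic' => 'on'],
    'plain digit'     => ['stick_topic' => '1'],
    'leading digit'   => ['stick_topic' => '1 OR 1=1'],
    'quote injection' => ['stick_topic' => "' OR '1'='1"],
    'negative'        => ['stick_topic' => '-5'],
];

foreach ($samples as $label => $post) {
    $raw   = $post['stick_topic'] ?? '(absent)';
    // Bare cast, as discussed in the thread: always an int, not always 0.
    $cast  = isset($post['stick_topic']) ? (int) $post['stick_topic'] : 0;
    $valid = validatedFlag($post, 'stick_topic');
    printf("%-16s raw=%-14s isset-flag=%d (int)cast=%-3d validated=%s\n",
        $label, var_export($raw, true), stickTopicFlag($post), $cast,
        $valid === null ? 'reject' : (string) $valid);
}
```

The bare cast row for "1 OR 1=1" yields 1, not 0: the cast guarantees the type, which is what stops injection, but it does not guarantee the value is one the application expected. Checking the cast result against the allowed set is what makes the field safe to store without further escaping.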
Monkuar (author), posted February 22, 2012:

> Again, in this case you are not putting the user's input into the database. Therefore you don't need to do anything; the value will always be either 1 or 0, no matter what they enter. But to clarify, all you would need to do is exactly what Pikachu said:
>
>     $value = (int) $_POST['value'];
>
> No matter what they entered into the "value" field, it would always be an integer and nothing else. If they entered SQL injection, it would simply be changed to 0.

Ok, epic! Thanks so much. Sorry I had to get you guys to explain it to me; I am just trying to figure out this injection stuff. Sick of people injecting code on my forum, it's pissing me off. Thanks. Topic re-solved.