harkly, Posted August 31, 2012
When dealing with numbers, do I need to implement all the security? On inputting into my DB I have all numbers validating, with a case statement, and I use prepared statements. So when pulling number data, do I need to sanitize it as well? The types are smallint() or tinyint().
https://forums.phpfreaks.com/topic/267856-number-validation/
Jessica, Posted August 31, 2012
If you are selecting data from your database and the column is any kind of int, you do not need to do anything special when outputting it.
scootstah, Posted August 31, 2012
If you're using prepared statements and binding the parameters, nothing needs to be done to prevent SQL injection - it is escaped internally. If you weren't using prepared statements, all you would have to do is type-cast the input to make sure it is an integer. Type-casting effectively strips all non-integer characters, and thus it can't be harmful.

$number = (int) $_POST['number']; // perfectly safe for SQL
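As an added example (not code from any poster in this thread), the two ideas above combined for the column types the question mentions: validate the raw input against the storage type's range on the way in, then bind it as an integer in a prepared statement. The table and column names are hypothetical, and the ranges are MySQL's signed TINYINT and SMALLINT.

```php
<?php
// Added example, not from the thread: range-check an integer for its
// column type, then bind it with an explicit PDO::PARAM_INT.
// Table/column names are hypothetical; ranges are MySQL signed TINYINT/SMALLINT.
declare(strict_types=1);

const INT_RANGES = [
    'tinyint'  => ['min_range' => -128,   'max_range' => 127],
    'smallint' => ['min_range' => -32768, 'max_range' => 32767],
];

/**
 * Returns the validated integer, or null when the raw input is not an
 * integer string inside the column's range. Unlike an (int) cast, which
 * turns "12abc" into 12 and "abc" into 0, FILTER_VALIDATE_INT rejects them.
 */
function validateColumnInt(mixed $raw, string $type): ?int
{
    $result = filter_var($raw, FILTER_VALIDATE_INT, ['options' => INT_RANGES[$type]]);
    return $result === false ? null : $result;
}

// Constructed sample inputs, as they might arrive in $_POST.
foreach (['42', '-129', '12abc', '40000', '300'] as $raw) {
    $tiny  = validateColumnInt($raw, 'tinyint');
    $small = validateColumnInt($raw, 'smallint');
    printf("%-6s tinyint=%-6s smallint=%s\n", $raw,
        $tiny === null ? 'reject' : $tiny,
        $small === null ? 'reject' : $small);
}

// Prepared statement with a typed bind. SQLite in memory so this runs offline.
$pdo = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE scores (id INTEGER PRIMARY KEY, level SMALLINT NOT NULL)');

$level = validateColumnInt('300', 'smallint');   // 300 fits a smallint
if ($level !== null) {
    $stmt = $pdo->prepare('INSERT INTO scores (level) VALUES (:level)');
    $stmt->bindValue(':level', $level, PDO::PARAM_INT);
    $stmt->execute();
}

// Reading back: the int column needs no SQL-side sanitising, and escaping
// it for HTML output is harmless on digits, so keep that habit anyway.
$stored = $pdo->query('SELECT level FROM scores')->fetchColumn();
echo htmlspecialchars((string) $stored), "\n";
```

The loop shows the boundary cases: "-129" is rejected for tinyint but accepted for smallint, "12abc" and "40000" are rejected for both, and "300" is only valid as a smallint.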
harkly (Author), Posted August 31, 2012
Thanks!!