Re: Security Best Practice: typecast?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 4/1/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
So, after a recent thread on data filtering, I'm wondering...

Is this "good enough" in ALL possible Unicode/charset situations:

$foo_id = (int) $_POST['foo_id'];
$query = "insert into whatever(foo_id) values($foo_id)";

Or is it possible, even theoretically possible, for a sequence of:
[-]?[0-9]+
to somehow run afoul of ANY charset?

Perhaps more interesting, how about this:

$foo = (float) $_POST['foo'];

Is there any way for any PHP output from (float), even with decimal
overflow/underflow in various databases, for that to "go wrong"?

Should one be ultra-conservative and just do:
$foo_sql = mysql_real_escape_string($connection);
or is that just being silly?

This oen is better i believe, but you probably don't want to unescape
the connection :)
use this instead:
$foo_sql = mysql_real_escape_string($foo_sql,$connection);

Tijnema

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux