|
|
Posted by Jerry Stuckle on 11/04/05 19:12
Chung Leong wrote:
> Malcolm Dew-Jones wrote:
>
>>Definitely correct, but escaping is not the same as using intval to force
>>something into a number. Escaping is the mechanism to ensure that the
>>database (or whatever) sees and stores the original data in its original
>>format.
>
>
> Well, how else do you safely insert an integer into a SQL statement?
> You could escape and put quotes around it, but then you're just asking
> the database to cast the number into integer for you. If you leave it
> as is then you're placing the burden on your validation and error
> handling code to avert SQL injection. I could easily imagine someone
> writing something like this: if(preg_match('/[0-9]+/', $pkTable)) { ...
> }. Calling intval or floatval is easy enough.
>
If the incoming value isn't an integer, you don't.
For instance - let's say I want to order 100 widgets. However, in the
quantity column I mistype "1q00", because of my fat fingers. :-)
Your way of forcing it to an int with intval would give me 1 item. The
correct response is to call is_int to determine if it is an integer or
not, and if it isn't, tell me about it.
Calling intval or floatval is incorrect - NEVER change the user's data;
it's either valid or invalid. If the former, process it. If the
latter, return an error message to the user!
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Navigation:
[Reply to this message]
|