
php safe?


Monkuar


Numeric values shouldn't be escaped anyhow, they should be validated and cast as the proper data type.

 

Cast, meaning this variable will only be 1 or 0, so it's impossible to inject?

 

if so topic solved ty

 

In this case it's not possible to inject anyway, since you are not actually putting the user's input into the database.

 

But what Pikachu means is that instead of taking the user's input and escaping it to put in the database, you typecast it to the appropriate data type. If you typecast a string to, say, an int, any non-integer characters will be removed. So even if the string contained injection, it would just become 0.


Cast, meaning as an integer, or float, etc. $value = (int) $_POST['value'];

 

okay, so then the above would be more secure if I did:

 

$stick_topic = isset($_POST['stick_topic']) ? '1' : '0';
if (!intval($stick_topic)) {
    echo "stop hacking";
    exit;
}

 

casting it as an intval only would be hack safe?

 

should I add

 

if ($stick_topic < 1) {
    echo "hacker trying to do negative on me now?";
    exit;
}

 

make it even more secure eh?  :shrug:

 

okay scootsah, so always make sure I cast integers before input and then db escape them just to be on the safe side?

 

I really just don't want to get hacked again :( I'm escaping everything


Again, in this case you are not putting the user's input into the database. Therefore you don't need to do anything, the value will always be either 1 or 0, no matter what they enter.

 

But to clarify, all you would need to do is exactly what Pikachu said:

$value = (int) $_POST['value'];

 

No matter what they entered into the "value" field, it would always be an integer and nothing else. If they entered SQL injection it would be simply changed to 0.

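The posts above (the posted intval/negative-value checks and the "cast it to int" advice) all come down to the same rule: validate the field as an integer in a known range, and bind it as a parameter if it ever reaches a query. The following is an added example, not code from the thread; the field names, the topics table and the in-memory SQLite database are assumptions chosen so it runs offline. It also shows the one thing a bare (int) cast does not do: PHP keeps the leading digits of a string such as "1abc", whereas FILTER_VALIDATE_INT rejects it outright.

```php
<?php
// Added example (not from the thread). Field names, table and DB are assumed.

/**
 * Return $post[$field] as an int within [$min, $max], or null if it is missing,
 * not a whole integer, or out of range. Unlike (int), FILTER_VALIDATE_INT
 * refuses strings like "1abc" instead of truncating them to 1.
 */
function postInt(array $post, string $field, int $min, int $max): ?int
{
    if (!isset($post[$field])) {
        return null;
    }
    $value = filter_var($post[$field], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    // filter_var returns int 0 for "0" but false on failure; keep them apart.
    return $value === false ? null : $value;
}

// Constructed sample inputs: plain cast versus validation for a 0/1 flag.
$samples = ['1', '0', '1abc', 'abc', '-5', ''];
foreach ($samples as $s) {
    $cast = (int) $s;
    $valid = postInt(['stick_topic' => $s], 'stick_topic', 0, 1);
    printf("%-6s cast=%d validated=%s\n",
        var_export($s, true), $cast, var_export($valid, true));
}

// Assumed schema in an in-memory SQLite database so the query part is runnable.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE topics (id INTEGER PRIMARY KEY, sticky INTEGER NOT NULL DEFAULT 0)');
$pdo->exec('INSERT INTO topics (id, sticky) VALUES (7, 0)');

/**
 * Set the sticky flag on a topic. The flag is derived from the checkbox's
 * presence only (the user's value is never stored), and the topic id is
 * validated before any SQL runs and then bound as an integer parameter.
 */
function setSticky(PDO $pdo, array $post): bool
{
    $topicId = postInt($post, 'topic_id', 1, PHP_INT_MAX);
    if ($topicId === null) {
        return false; // reject the request rather than guess
    }
    $sticky = isset($post['stick_topic']) ? 1 : 0;

    $stmt = $pdo->prepare('UPDATE topics SET sticky = :sticky WHERE id = :id');
    $stmt->bindValue(':sticky', $sticky, PDO::PARAM_INT);
    $stmt->bindValue(':id', $topicId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Constructed requests: a valid id, then a non-integer id that is rejected
// before the statement is ever prepared.
var_dump(setSticky($pdo, ['topic_id' => '7', 'stick_topic' => 'on']));
var_dump(setSticky($pdo, ['topic_id' => '7abc', 'stick_topic' => 'on']));
```

Because the bound value travels separately from the SQL text, there is nothing to escape; the range check is what stops negative or oversized ids, which is the concern raised with the `$stick_topic < 1` test above.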

ok

 

epic!

 

thanks so much

 

Sorry I had to get you guys to explain it to me, I am just trying to figure out this injection stuff, sick of people injecting code on my forum, it's pissing me off

 

Thanks: topic re-solved
