Protection from SQL injections and XSS attacks
#9

(This post was last modified: 07-14-2017, 10:59 AM by skunkbad.)

(07-14-2017, 02:43 AM)Narf Wrote:
(07-13-2017, 11:47 PM)skunkbad Wrote: Also, I like to type cast numbers to int or float, sometimes eliminating the need for form validation if all I'm posting is numbers.

You should avoid this ... It may be an easy way to protect from SQL injections, but you're supposed to reject invalid inputs, not assume that they're ok.

I wouldn't usually assume the type-cast value is OK. It really depends on what I'm doing. I guess I was rather vague when suggesting that form validation may not be necessary. Something like this is probably OK for an integer that is not 0:


PHP Code:
$val = $this->input->post('x');
if ( is_numeric( $val ) ) {
    // assignment is intentional: the cast result must also be non-zero
    if ( $val = (int) $val ) {
        // $val is safe
        return $val;
    }
}



To be clear, I'm certainly not telling you what's OK ... because you are much more advanced than I am. Would you always use the form validation class, or how would you otherwise handle this?
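Added example, not from this thread and not CodeIgniter's own code: plain PHP that runs the cast-based check from the post beside a reject-on-invalid check built on filter_var(), over a constructed set of form inputs, so the difference Narf is pointing at becomes visible (values the cast path silently coerces, the strict path refuses).

```php
<?php
// Added example (not from the thread): the cast approach from the post beside
// a strict reject-on-invalid check, run over constructed sample inputs.

// The cast approach from the post: is_numeric(), then (int) cast, non-zero only.
function accept_by_cast($raw)
{
    if (is_numeric($raw)) {
        if ($val = (int) $raw) {   // assignment intentional, as in the post
            return $val;
        }
    }
    return null;
}

// Strict approach: only a canonical decimal integer >= 1 is accepted; floats,
// exponents, leading zeros and signs below the range are rejected outright.
// In CodeIgniter 3 the equivalent form validation rule string would be
// 'required|integer|greater_than[0]'.
function accept_strict($raw)
{
    $val = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($val === false) ? null : $val;
}

// Constructed inputs a form field might deliver (not real traffic).
$samples = ['42', '0', '-7', '12.9', '1e3', '012', '12abc', ''];

printf("%-8s %-8s %-8s\n", 'input', 'cast', 'strict');
foreach ($samples as $raw) {
    printf("%-8s %-8s %-8s\n",
        var_export($raw, true),
        var_export(accept_by_cast($raw), true),
        var_export(accept_strict($raw), true));
}
// Expected divergences: '-7' -> -7 vs NULL, '12.9' -> 12 vs NULL,
// '1e3' -> 1000 (PHP 7.1+) vs NULL, '012' -> 12 vs NULL.
```

The cast path never returns a string, so it does block injection, but it also turns "12.9", "1e3" and "012" into integers the user never sent; the strict path is what "reject invalid inputs" means in practice.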