Protection from SQL injections and XSS attacks
#10

(07-14-2017, 10:58 AM)skunkbad Wrote:
(07-14-2017, 02:43 AM)Narf Wrote:
(07-13-2017, 11:47 PM)skunkbad Wrote: Also, I like to type-cast numbers to int or float, sometimes eliminating the need for form validation if all I'm posting is numbers.

You should avoid this ... It may be an easy way to protect from SQL injections, but you're supposed to reject invalid inputs, not assume that they're ok.

I wouldn't usually assume the type-cast value is OK. It really depends on what I'm doing. I guess I was rather vague when suggesting that form validation may not be necessary. Something like this is probably OK for an integer that is not 0:


PHP Code:
$val = $this->input->post('x');
if( is_numeric( $val ) ){
   // assignment on purpose: the cast value must also be non-zero
   if( $val = (int) $val ){
       // $val is safe
       return $val;
   }
}


To be clear, I'm certainly not telling you what's OK ... because you are much more advanced than I am. Would you always use the form validation class, or how would you otherwise handle this?

I'm not a big fan of FV libraries in general, but ultimately it's a choice. Otherwise I'd use ctype_digit() instead of is_numeric().

But the point is that you need to know that the input was correct before doing anything with it. Casting after validation is fine ... relying on casting instead of validation isn't.
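Narf's point in the post above, as an added example that is not from the thread or from CodeIgniter itself: reject anything that is not a plain digit string with ctype_digit(), check that it fits a native int, and only then cast. The helper read_nonzero_uint() and the sample inputs are constructed for this illustration; the value is assumed to be the raw string that $this->input->post('x') would have returned. "Non-zero unsigned" mirrors skunkbad's "integer that is not 0" case; accepting a sign would be a separate design decision.

```php
<?php
// Added example, not code from the original thread or from CodeIgniter:
// validate a form field as a non-zero unsigned integer with ctype_digit()
// instead of is_numeric(), and cast only after the input has been accepted.
// read_nonzero_uint() and the sample inputs are constructed for this example.

/**
 * Returns the value as an int only if $raw is a string made entirely of ASCII
 * digits, is not zero and fits in a native int; returns null otherwise.
 */
function read_nonzero_uint($raw): ?int
{
    // A request helper may hand back null or an array. ctype_digit() must only
    // ever see a string: passing an int is deprecated since PHP 8.1 and was
    // interpreted as an ASCII code before that.
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        return null;
    }

    // Drop leading zeros so "0042" and "42" are compared and stored alike.
    $digits = ltrim($raw, '0');
    if ($digits === '') {
        return null;                       // "0", "000": zero is not accepted
    }

    // Range check on the digit string itself: casting an out-of-range numeric
    // string silently saturates instead of failing. Equal-length digit strings
    // compare correctly byte-wise, so strcmp() is exact here.
    $max = (string) PHP_INT_MAX;
    if (strlen($digits) > strlen($max)
        || (strlen($digits) === strlen($max) && strcmp($digits, $max) > 0)) {
        return null;
    }

    return (int) $digits;                  // cast only after validation
}

/**
 * Side-by-side comparison of is_numeric(), a bare (int) cast and the
 * validator above, for a list of input strings.
 */
function compare_inputs(array $samples): array
{
    $rows = [];
    foreach ($samples as $s) {
        $rows[] = [
            'input'      => $s,
            'is_numeric' => is_numeric($s),
            'cast'       => (int) $s,
            'validated'  => read_nonzero_uint($s),
        ];
    }
    return $rows;
}

// Constructed sample inputs: the kind of strings a form field can carry.
$samples = ['42', '0042', '1e3', ' 12', '1.5', '-3', '12abc', '0', '',
            '99999999999999999999'];

printf("%-24s %-11s %-22s %s\n", 'input', 'is_numeric', '(int) cast', 'read_nonzero_uint');
foreach (compare_inputs($samples) as $row) {
    printf("%-24s %-11s %-22s %s\n",
        var_export($row['input'], true),
        $row['is_numeric'] ? 'true' : 'false',
        var_export($row['cast'], true),
        $row['validated'] === null ? 'rejected' : $row['validated']);
}
```

The table makes the difference visible: ' 12', '1e3', '1.5' and '-3' all pass is_numeric() but are rejected by the digit-only check, and '12abc' is refused by both validators yet a bare (int) cast turns it into 12 without any warning, which is exactly the case where "cast instead of validate" lets malformed input through. PHP's built-in filter_var($raw, FILTER_VALIDATE_INT) is the standard alternative; it also rejects trailing garbage and out-of-range values, but it tolerates surrounding whitespace and a sign, so the check above is stricter.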


Messages In This Thread
RE: Protection from SQL injections and XSS attacks - by Narf - 07-17-2017, 01:32 AM


