
Type Casting


Guest FirefoxRocks


Is type casting going to improve security? http://devzone.zend.com/article/1778
It may... in certain cases. It never hurts though, so it's a good thing to make a habit of. In SQL specifically, if you expect a number, it's wise to cast the variable into the type of number you expect. Expecting an integer or a double/float? Cast it to one (btw, I prefer to use (type) $variable notation)! Expecting a string (char, varchar, text, blob, etc.)? Use mysql(i)_real_escape_string() on it. Both of those make sure that whatever gets into being an SQL query, it will be of the type you expect. Therefore, SQL injection attacks become impossible... of course, there are many more types of attacks, requiring other measures, but that's another story. The short version is that without further checks, attackers can still insert invalid data. Invalid data could lead to error messages, leading to a leak of information you may not want end-users (and thus attackers) to see. This information could be used for further attacks on other fronts. So, whatever you do: Validate everything that the user inputs. Never trust anything! Regardless of how your HTML form looks! Typecast, yes, but do more.

Edited by boen_robot
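An added example (not code from the thread) illustrating the "typecast, yes, but do more" point for the numeric case: a cast keeps non-numeric input out of the query, but silently turns junk into 0 or into the leading digits, whereas validating first rejects it. It assumes PHP 5.2 or later for filter_var() and needs no database connection; the table and column names are made up.

```php
<?php
// Added example, not code from the thread. Compares cast-only handling of a
// numeric parameter with validate-then-cast. Assumes PHP >= 5.2 (filter_var).

// Cast-only, as discussed in the thread: whatever comes in, an integer
// ends up in the SQL, so nothing can break out of the numeric slot.
function idByCast($raw) {
    $id = (int) $raw;          // "12 OR 1=1" becomes 12, "abc" becomes 0
    return "SELECT * FROM users WHERE id = $id";   // constructed table name
}

// Validate first: accept only a whole positive integer and reject the rest,
// so malformed input gets a clear error instead of a wrong row or a leaky
// MySQL error message further down the line.
function idByValidation($raw) {
    $opts = array('options' => array('min_range' => 1));
    $id = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    if ($id === false) {
        return null;           // caller should answer with a 400, nothing reaches MySQL
    }
    return "SELECT * FROM users WHERE id = $id";
}

// Constructed sample inputs, including the kind of junk a form never sends
// but a hand-crafted request can.
$samples = array('42', '12 OR 1=1', '1; DROP TABLE users', 'abc', '0', '-7');
foreach ($samples as $s) {
    $validated = idByValidation($s);
    printf("%-24s cast: %-38s validated: %s\n",
        var_export($s, true),
        idByCast($s),
        $validated === null ? 'rejected' : $validated);
}
```

Only '42' survives validation; every other sample is cast to a harmless but wrong integer by the cast-only path and rejected by the validating one.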

Guest FirefoxRocks

I use the safeSql() function to filter strings going into the database, but is type casting going to be an extra layer of security for variables that I make (not $_POST, or other superglobal arrays)?


I use the safeSql() function to filter strings going into the database, but is type casting going to be an extra layer of security for variables that I make (not $_POST, or other superglobal arrays)?
If they are numbers, yes. For strings, no, since everything is, by default, a string. What's that safeSql() function? I'm assuming it's some kind of a library you use that under the hood uses mysql_real_escape_string()? At least, I'd hope it does.

Guest FirefoxRocks
If they are numbers, yes. For strings, no, since everything is, by default, a string. What's that safeSql() function? I'm assuming it's some kind of a library you use that under the hood uses mysql_real_escape_string()? At least, I'd hope it does.
I'm not using a PHP library at the moment. I'm using jQuery, but that's a JavaScript library.

I'm not using a PHP library at the moment. I'm using jQuery, but that's a JavaScript library.
Then assume it's broken. It is PHP that needs to handle escaping and casting of data, not JavaScript. JavaScript may do it in addition, but must never be used instead of the PHP equivalents.

safe_sql is also not a built-in function. You shouldn't be using code that you don't know what it does. Find that function and figure out exactly what you're doing before you decide whether or not you're protected.

Edited by justsomeguy

Guest FirefoxRocks
safe_sql
(PHP 4 >= 4.3.0, PHP 5)
safe_sql — Prepares a string for safe use in a SQL statement

string safe_sql ( string $string )

Alters the string so that it is safe to use it in a mysql_query(). This function can be used to make data safe before sending a query to MySQL.

Parameters
string: The string that is to be processed.

Return Values
Returns the processed string, or FALSE on error.

Notes
Note: A MySQL connection is required before using safe_sql(), otherwise an error of level E_WARNING is generated, and FALSE is returned.
Note: This function can make SQL Injection Attacks less vulnerable.

A link to the documentation page you got that from? A search on php.net doesn't lead to anything even close to that.


I didn't get that off of a documentation page from anywhere, but it's what the function does.
O.....K.... where did you get that from then? The function couldn't have just "magically appeared"? The function has a definition, within a PHP file?!? If so, you should've said from the start that you do use a PHP library... whether it's your own one, or another one is irrelevant. On the other hand, if it's another one, the name of the library (if any) would be nice to know. Also, where did you get it from? It isn't bundled with PHP, so you must have installed something extra, or at least, copy-and-pasted something.

Edited by boen_robot

Guest FirefoxRocks

I define my own functions in a file which I include in all my files. I'm not using an external PHP library or anything, and so far all my PHP code is hand-coded, nothing copy and pasted that I have no clue of. safe_sql() or safeSql() isn't one of my own functions though...


safe_sql() or safeSql() isn't one of my own functions though...
Then where are you getting it from?! It's not a built-in function, it's not one you wrote yourself, so you must have got it from somewhere! Where did you get that text that you quoted from? http://www.php.net/manual-lookup.php?pattern=safe_sql

Edited by Synook

Guest FirefoxRocks

I found it...somewhere...:

function safeSql($str) {
    // Undo the backslashes magic_quotes_gpc adds, so the input is not escaped twice
    $m = get_magic_quotes_gpc();
    if ($m === 1) {
        $str = stripslashes($str);
    }
    // Escape quotes, backslashes and NUL bytes for use inside a quoted MySQL literal
    $str = mysql_real_escape_string($str);
    return $str;
}

There's a lot of other functions in here as well but I don't know how to use them and I did not download/write this file where I'm getting this code from.


So you did copy and paste! :) But anyway, you can see that the function includes mysql_real_escape_string() in the end.


Guest FirefoxRocks

No I did not copy and paste any PHP code. I did not create this file. It was never moved into my project files, but it is here for some reason. :S


I found it...somewhere...:
function safeSql($str) {
    // Undo the backslashes magic_quotes_gpc adds, so the input is not escaped twice
    $m = get_magic_quotes_gpc();
    if ($m === 1) {
        $str = stripslashes($str);
    }
    // Escape quotes, backslashes and NUL bytes for use inside a quoted MySQL literal
    $str = mysql_real_escape_string($str);
    return $str;
}

There's a lot of other functions in here as well but I don't know how to use them and I did not download/write this file where I'm getting this code from.

A file that contains function/class definitions and that you include in all other files is called "a *language* library". Again, whether it has a name, whether it's yours or someone else's is another question. So, you do use a PHP library. BTW, this function could be much more compact and secure:

function safeSql($str, $connection = null) {
    // Undo magic_quotes_gpc's backslashes so the value is escaped exactly once
    if (get_magic_quotes_gpc() === 1) {
        $str = stripslashes($str);
    }
    // When a link is given, escape with that connection's character set
    return $connection === null
        ? mysql_real_escape_string($str)
        : mysql_real_escape_string($str, $connection);
}

OK, for the sake of security, it's slightly longer, but removing the $connection feature would make it more compact for sure. For future's sake, avoid using functions with unknown origins or with unproven usefulness. Also, I'd personally negate magic quotes at the very start of the file, then assume they're off. This will guarantee that the code would work the same, regardless of the setting. Right now, if I do that AND use this function, I'd have two stripslashes() calls.

Edited by boen_robot

Guest FirefoxRocks

Well I did a search on my C: drive and I got 6 of these files called df.php and they have slight variations of each function but all of them are the same functions and they are found in the strangest places on the hard drive. But one of them did look like yours without the $connection variable actually:

function safe_sql($str) {
    // Undo magic_quotes_gpc's backslashes so the value is escaped exactly once
    if (get_magic_quotes_gpc() === 1) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

The weird thing is there's no license or anything on these files and I have no clue where they came from.


Well I did a search on my C: drive and I got 6 of these files called df.php and they have slight variations of each function but all of them are the same functions and they are found in the strangest places on the hard drive. But one of them did look like yours without the $connection variable actually:

function safe_sql($str) {
    // Undo magic_quotes_gpc's backslashes so the value is escaped exactly once
    if (get_magic_quotes_gpc() === 1) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

The weird thing is there's no license or anything on these files and I have no clue where they came from.

Is there another PHP developer in the household/work/wherever this PC is from? Have you bought/rented the computer from another fellow that (apparently) knows PHP? Honestly said, that's the first time I see anyone having PHP files with unknown origins on their own computer :) . And anyway, I'd suggest you delete all of them, unless perhaps they're used by an application whose origins you DO know.

Edited by boen_robot

Guest FirefoxRocks

Nope, my parents know nothing about programming, I tried teaching my mom a bit of HTML but she showed little interest. And I personally formatted the partition myself when I installed Windows 7. I find it strange that the file is located in C:\Users\<username>\Pictures\2009\ and C:\Windows\system32\drivers\ as well as a few other places where PHP files don't belong.


So you've got PHP files scattered around your computer, you're the only one who uses the computer for PHP development, you have no idea who made the files or where they come from, but apparently you do know enough to be able to 1) use the functions in your PHP code (so apparently you do know enough about the files to know what functions they contain) and 2) show documentation for the functions inside the files (even though you seem to be reluctant to tell anyone where you got the documentation from). This isn't making sense. Are you bipolar, or schizophrenic, perhaps? If you're the only person who uses the computer for programming, maybe your other self did all of that.

