Guest FirefoxRocks, posted July 23, 2009
Is type casting going to improve security? http://devzone.zend.com/article/1778
justsomeguy, posted July 23, 2009
You always need to validate data going into a SQL statement. I don't know if filter_var is necessary for that though, I just use intval or floatval.
boen_robot, posted July 23, 2009
> Is type casting going to improve security? http://devzone.zend.com/article/1778

It may... in certain cases. It never hurts though, so it's a good thing to make a habit of.

In SQL specifically, if you expect a number, it's wise to cast the variable into the type of number you expect. Expecting an integer or a double/float? Cast it to one (btw, I prefer to use the (type) $variable notation)! Expecting a string (char, varchar, text, blob, etc.)? Use mysql(i)_real_escape_string() on it. Both of those make sure that whatever gets into an SQL query will be of the type you expect. Therefore, SQL injection attacks become impossible... of course, there are many more types of attacks, requiring other measures, but that's another story.

The short version is that without further checks, attackers can still insert invalid data. Invalid data could lead to error messages, leading to a leak of information you may not want end-users (and thus attackers) to see. This information could be used for further attacks on other fronts.

So, whatever you do: validate everything that the user inputs. Never trust anything! Regardless of how your HTML form looks! Typecast, yes, but do more.
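The two cases boen_robot separates above (cast numbers, escape strings) side by side with the "do more" validation step, as an added example that is not code from the thread or from any of its posters. It assumes a mysqli connection in $db and an invented users table with id and name columns; mysqli_stmt::get_result() additionally assumes the mysqlnd driver.

```php
<?php
// Added example, not from the original thread.
// Assumptions: $db is a connected mysqli object; the table `users`
// with columns `id` and `name` is invented for illustration.

declare(strict_types=1);

/**
 * Numeric column: a cast is enough to stop injection.
 * After (int) the value is only digits (optionally a leading minus), so no
 * quote, space or SQL keyword can survive into the query text. PHP takes the
 * leading numeric part of a string and discards the rest, and a string with
 * no leading number becomes 0.
 */
function userByIdSql(string $rawId): string
{
    $id = (int) $rawId;
    return "SELECT id, name FROM users WHERE id = $id";
}

/**
 * Stricter than a cast: reject anything that is not a whole decimal integer
 * in range instead of silently turning it into 0. A cast stops injection;
 * validation stops garbage that would otherwise produce misleading errors.
 */
function validatedId(string $rawId): ?int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return $id === false ? null : $id;
}

/**
 * String column: casting cannot help, because every request value is already
 * a string. Escape with the connection's character set and quote the result.
 */
function userByNameSql(mysqli $db, string $rawName): string
{
    $name = $db->real_escape_string($rawName);
    return "SELECT id, name FROM users WHERE name = '$name'";
}

/**
 * Prepared-statement variant: the value never becomes part of the SQL text,
 * so neither casting nor escaping is needed to prevent injection. Length and
 * format checks are still a separate, application-level decision.
 */
function findUserByName(mysqli $db, string $rawName): ?array
{
    if ($rawName === '' || strlen($rawName) > 64) {
        return null; // invalid data is rejected before it reaches MySQL
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $rawName);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result === false ? null : $result->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage without a database: the hostile id is neutralised by the cast,
// and validatedId() rejects the same input outright.
$hostile = "5 OR 1=1";
$sql = userByIdSql($hostile);        // WHERE id = 5
$checked = validatedId($hostile);    // null: not a plain integer
```

The cast-based query is safe against injection but accepts "abc" as id 0, which is exactly the "invalid data leads to error messages" problem the post warns about; validatedId() is the extra step that closes it. The prepared-statement version is what current PHP code should use for both numeric and string columns.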
Guest FirefoxRocks, posted July 23, 2009
I use the safeSql() function to filter strings going into the database, but is type casting going to be an extra layer of security for variables that I make (not $_POST, or other superglobal arrays)?
boen_robot, posted July 23, 2009
> I use the safeSql() function to filter strings going into the database, but is type casting going to be an extra layer of security for variables that I make (not $_POST, or other superglobal arrays)?

If they are numbers, yes. For strings, no, since everything is, by default, a string.

What's that safeSql() function? I'm assuming it's some kind of a library you use that under the hood uses mysql_real_escape_string()? At least, I'd hope it does.
Guest FirefoxRocks, posted July 23, 2009
> If they are numbers, yes. For strings, no, since everything is, by default, a string.
> What's that safeSql() function? I'm assuming it's some kind of a library you use that under the hood uses mysql_real_escape_string()? At least, I'd hope it does.

I'm not using a PHP library at the moment. I'm using jQuery, but that's a JavaScript library.
boen_robot, posted July 24, 2009
> I'm not using a PHP library at the moment. I'm using jQuery, but that's a JavaScript library.

Then assume it's broken. It is PHP that needs to handle escaping and casting of data, not JavaScript. JavaScript may do it in addition, but must never be used instead of the PHP equivalents.
Guest FirefoxRocks, posted July 24, 2009
safeSql() is a PHP function, not a JavaScript/jQuery function.
justsomeguy, posted July 24, 2009
It's not a built-in PHP function. That's why he asked if you were using a PHP library that defines it, and you said no.
Guest FirefoxRocks, posted July 24, 2009
I don't know where I found it, but safeSql() is an alias of safe_sql().
justsomeguy, posted July 24, 2009
safe_sql is also not a built-in function.

You shouldn't be using code that you don't know what it does. Find that function and figure out exactly what you're doing before you decide whether or not you're protected.
Guest FirefoxRocks, posted July 24, 2009
safe_sql
(PHP 4 >= 4.3.0, PHP 5)
safe_sql — Prepares a string for safe use in a SQL statement

string safe_sql ( string $string )

Alters the string so that it is safe to use it in a mysql_query(). This function can be used to make data safe before sending a query to MySQL.

Parameters
string: The string that is to be processed.

Return Values
Returns the processed string, or FALSE on error.

Notes
Note: A MySQL connection is required before using safe_sql(), otherwise an error of level E_WARNING is generated, and FALSE is returned.
Note: This function can make SQL Injection Attacks less vulnerable.
boen_robot, posted July 24, 2009
A link to the documentation page you got that from? A search on php.net doesn't lead to anything even close to that.
Guest FirefoxRocks, posted July 24, 2009
I didn't get that off of a documentation page from anywhere, but it's what the function does.
boen_robot, posted July 24, 2009
> I didn't get that off of a documentation page from anywhere, but it's what the function does.

O.....K.... where did you get that from then? The function couldn't have just "magically appeared"? The function has a definition, within a PHP file?!? If so, you should've said from the start that you do use a PHP library... whether it's your own one or another one is irrelevant. On the other hand, if it's another one, the name of the library (if any) would be nice to know. Also, where did you get it from? It isn't bundled with PHP, so you must have installed something extra, or at least copy-and-pasted something.
Guest FirefoxRocks, posted July 24, 2009
I define my own functions in a file which I include in all my files. I'm not using an external PHP library or anything, and so far all my PHP code is hand-coded, nothing copied and pasted that I have no clue of.

safe_sql() or safeSql() isn't one of my own functions though...
Synook, posted July 25, 2009
> safe_sql() or safeSql() isn't one of my own functions though...

Then where are you getting it from?! It's not a built-in function, it's not one you wrote yourself, so you must have got it from somewhere! Where did you get that text that you quoted from?
http://www.php.net/manual-lookup.php?pattern=safe_sql
Guest FirefoxRocks, posted July 25, 2009
I found it...somewhere...:

    function safeSql($str) {
        $m = get_magic_quotes_gpc();
        if ($m === 1) {
            $str = stripslashes($str);
        }
        $str = mysql_real_escape_string($str);
        return $str;
    }

There's a lot of other functions in here as well but I don't know how to use them and I did not download/write this file where I'm getting this code from.
Synook, posted July 25, 2009
So you did copy and paste! :)

But anyway, you can see that the function includes mysql_real_escape_string() in the end.
Guest FirefoxRocks, posted July 25, 2009
No I did not copy and paste any PHP code. I did not create this file. It was never moved into my project files, but it is here for some reason. :S
boen_robot, posted July 25, 2009
> I found it...somewhere...:
>     function safeSql($str) {
>         $m = get_magic_quotes_gpc();
>         if ($m === 1) {
>             $str = stripslashes($str);
>         }
>         $str = mysql_real_escape_string($str);
>         return $str;
>     }
> There's a lot of other functions in here as well but I don't know how to use them and I did not download/write this file where I'm getting this code from.

A file that contains function/class definitions and that you include in all other files is called "a *language* library". Again, whether it has a name, whether it's yours or someone else's is another question. So, you do use a PHP library.

BTW, this function could be much more compact and secure:

    function safeSql($str, $connection = null) {
        if (get_magic_quotes_gpc() === 1) {
            $str = stripslashes($str);
        }
        return $connection === null
            ? mysql_real_escape_string($str)
            : mysql_real_escape_string($str, $connection);
    }

OK, for the sake of security, it's slightly longer, but removing the $connection feature would make it more compact for sure.

For future's sake, avoid using functions with unknown origins or with unproven usefulness. Also, I'd personally negate magic quotes at the very start of the file, then assume they're off. This will guarantee that the code would work the same, regardless of the setting. Right now, if I do that AND use this function, I'd have two stripslashes() calls.
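What "negate magic quotes at the very start of the file, then assume they're off" looks like in practice, as an added example that is not boen_robot's code or the thread's df.php. It targets the PHP 5.3-era installs the thread is about: magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, so the function_exists() guard is what keeps the include loading on newer versions. The mysqli connection parameter and the helper name are this example's own choices.

```php
<?php
// Added example, not from the original thread.
// Put this at the top of the include that every script loads, before any
// code reads $_GET/$_POST/$_COOKIE. Everything after it may assume that the
// request data carries no magic-quote backslashes.

/**
 * Recursively undo magic_quotes_gpc on one request array.
 * Magic quotes escaped array keys as well as values, so both are stripped.
 */
function undoMagicQuotes(array $data): array
{
    $clean = array();
    foreach ($data as $key => $value) {
        $cleanKey = is_string($key) ? stripslashes($key) : $key;
        $clean[$cleanKey] = is_array($value)
            ? undoMagicQuotes($value)
            : stripslashes((string) $value);
    }
    return $clean;
}

/**
 * Returns true when the runtime is actually adding magic quotes.
 * get_magic_quotes_gpc() returned 1/0 on PHP 5, false on 7.4, and does not
 * exist on PHP 8, hence the function_exists() check first.
 */
function magicQuotesActive(): bool
{
    return function_exists('get_magic_quotes_gpc') && (bool) get_magic_quotes_gpc();
}

if (magicQuotesActive()) {
    $_GET     = undoMagicQuotes($_GET);
    $_POST    = undoMagicQuotes($_POST);
    $_COOKIE  = undoMagicQuotes($_COOKIE);
    $_REQUEST = undoMagicQuotes($_REQUEST);
}

/**
 * Escaping helper that relies on the invariant established above, so it has
 * no stripslashes() of its own and cannot double-strip. The connection is
 * required, not optional, because escaping is only correct for the character
 * set of the connection the query will actually be sent on.
 */
function safe_sql(mysqli $db, $value): string
{
    return $db->real_escape_string((string) $value);
}
```

With this in place the two-stripslashes() problem from the post disappears: the request arrays are normalised exactly once, and every later helper treats the data as plain, unescaped input. Parameterised queries (mysqli prepared statements or PDO) remain the preferable way to get a value into a query at all; safe_sql() here is only the escaping fallback for code that still builds SQL strings.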
Guest FirefoxRocks, posted July 25, 2009
Well I did a search on my C: drive and I got 6 of these files called df.php and they have slight variations of each function but all of them are the same functions and they are found in the strangest places on the hard drive.

But one of them did look like yours without the $connection variable actually:

    function safe_sql($str) {
        if (get_magic_quotes_gpc() === 1) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

The weird thing is there's no license or anything on these files and I have no clue where they came from.
boen_robot, posted July 25, 2009
> Well I did a search on my C: drive and I got 6 of these files called df.php and they have slight variations of each function but all of them are the same functions and they are found in the strangest places on the hard drive.
> But one of them did look like yours without the $connection variable actually:
>     function safe_sql($str) {
>         if (get_magic_quotes_gpc() === 1) {
>             $str = stripslashes($str);
>         }
>         return mysql_real_escape_string($str);
>     }
> The weird thing is there's no license or anything on these files and I have no clue where they came from.

Is there another PHP developer in the household/work/wherever this PC is from? Have you bought/rented the computer from another fellow that (apparently) knows PHP?

Honestly said, that's the first time I see anyone having PHP files with unknown origins on their own computer. And anyway, I'd suggest you delete all of them, unless perhaps they're used by an application whose origins you DO know.
Guest FirefoxRocks, posted July 25, 2009
Nope, my parents know nothing about programming, I tried teaching my mom a bit of HTML but she showed little interest.

And I personally formatted the partition myself when I installed Windows 7. I find it strange that the file is located in C:\Users\<username>\Pictures\2009\ and C:\Windows\system32\drivers\ as well as a few other places where PHP files don't belong.
justsomeguy, posted July 27, 2009
So you've got PHP files scattered around your computer, you're the only one who uses the computer for PHP development, you have no idea who made the files or where they come from, but apparently you do know enough to be able to 1) use the functions in your PHP code (so apparently you do know enough about the files to know what functions they contain) and 2) show documentation for the functions inside the files (even though you seem to be reluctant to tell anyone where you got the documentation from).

This isn't making sense. Are you bipolar, or schizophrenic, perhaps? If you're the only person who uses the computer for programming, maybe your other self did all of that.