son Posted July 22, 2011

I think that I have been coding incorrectly for many years with regard to integers and I just stumbled upon this. I use:

if (!isset($_POST['webStyle']) OR empty($_POST['webStyle'])) {
    $webStyle = FALSE;
    $errors['webStyle'] = 'Colour';
} else {
    // escape_data() is the poster's own escaping helper, not a built-in
    $webStyle = escape_data($_POST['webStyle']);
}

something like this when I offer selections on a web form that feed into a table column that holds an integer. Having had a tiny issue and using var_dump, it has now become apparent that I treat those integer values like strings. Do I need to code some other special precaution into the code, or could I simply set $webStyle = $_POST['webStyle'], for example?

Son
Ingolme Posted July 22, 2011

Everything that's in the $_POST array is a string. You can convert it to an integer using the intval() function.
son Posted July 22, 2011

> Everything that's in the $_POST array is a string. You can convert it to an integer using the intval() function.

Is it good practice to use the intval() function before inserting into the db (instead of escaping)? I just want to make sure I do not continue with mistakes and learn a better method of coding safely...

Son
Ingolme Posted July 22, 2011

> Is it good practice to use the intval() function before inserting into the db (instead of escaping)? I just want to make sure I do not continue with mistakes and learn a better method of coding safely...

If the value is supposed to be an integer, yes. I use intval() on my integers, floatval() on my floats. If the value is a string then I use mysql_real_escape_string().
son Posted July 23, 2011

> If the value is supposed to be an integer, yes. I use intval() on my integers, floatval() on my floats. If the value is a string then I use mysql_real_escape_string().

Thanks Ingolme. Just one more question: what would happen if you didn't? I mean, what could really happen? I have always used mysql_real_escape_string(), but actually only because I was told to do so...

Son
Ingolme Posted July 23, 2011

> Thanks Ingolme. Just one more question: what would happen if you didn't? I mean, what could really happen? I have always used mysql_real_escape_string(), but actually only because I was told to do so...

People can modify your query to do something that it shouldn't.

Imagine you have this query:

SELECT * FROM table WHERE field='$field'

If somebody puts an apostrophe in $field, the query could end up looking like this after being parsed:

SELECT * FROM table WHERE field='O'Reilly'

The apostrophe closes the string earlier than it should, causing the query to be wrong and causing an error to be sent.
son Posted August 4, 2011

> People can modify your query to do something that it shouldn't.
>
> Imagine you have this query:
>
> SELECT * FROM table WHERE field='$field'
>
> If somebody puts an apostrophe in $field, the query could end up looking like this after being parsed:
>
> SELECT * FROM table WHERE field='O'Reilly'
>
> The apostrophe closes the string earlier than it should, causing the query to be wrong and causing an error to be sent.

Thanks for the clarification, Ingolme...

Son
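Worked example, added here and not code from the thread. It puts together the two points Ingolme makes (every $_POST value arrives as a string, and a value bound for an integer column needs a type coercion rather than quote escaping) and the apostrophe case from the last reply. The table and column names, the sample inputs and the use of a PDO/SQLite prepared statement are my own assumptions; the thread's mysql_real_escape_string() needs a live MySQL link, so the hardened string case is shown with a prepared statement instead, which is also the approach to prefer now that the mysql_* functions are gone from PHP 7. Two caveats the thread does not spell out: an integer is normally interpolated without quotes, so an escaping function has nothing to protect and input such as 1 OR 1=1 goes straight into the query unless it is coerced; and intval() maps anything non-numeric to 0, so if 0 is not a legal id, validate separately (filter_var() with FILTER_VALIDATE_INT rejects such input instead of silently zeroing it).

```php
<?php
// Added example, not code from the thread. Simulate the form submission the
// poster's snippet reads: even an <option value="3"> arrives as a string.
$_POST = ['webStyle' => '3'];                          // constructed input
var_dump($_POST['webStyle']);                          // string(1) "3"
var_dump(intval($_POST['webStyle']));                  // int(3)

// intval() is lossy: it keeps leading digits and maps everything else to 0.
// filter_var() with FILTER_VALIDATE_INT returns false instead, which is the
// check to use when 0 must not be accepted as a valid id.
$samples = ['3', '12abc', 'abc', '', '1 OR 1=1', '3.9', '-1'];   // constructed
foreach ($samples as $s) {
    $strict = filter_var($s, FILTER_VALIDATE_INT);
    printf("%-12s intval=%d  validate_int=%s\n",
        var_export($s, true), intval($s), $strict === false ? 'rejected' : $strict);
}

// Why coercion matters for integers: an integer column is interpolated
// WITHOUT quotes, so there is no quote for an escaping function to escape.
// Only coercion (or a prepared statement) stops the input altering the query.
function unsafe_query(string $id): string {
    return "SELECT * FROM styles WHERE id=$id";
}
function coerced_query(string $id): string {
    return "SELECT * FROM styles WHERE id=" . intval($id);
}
echo unsafe_query('1 OR 1=1'), "\n";   // ... WHERE id=1 OR 1=1  (every row is returned)
echo coerced_query('1 OR 1=1'), "\n";  // ... WHERE id=1

// Strings: the apostrophe case from the thread. The literal closes early and
// whatever follows it is parsed as SQL, which is what lets an attacker append
// their own clauses rather than merely trigger a syntax error.
$name = "O'Reilly";                                   // constructed input
echo "SELECT * FROM authors WHERE name='$name'", "\n"; // broken: ...name='O'Reilly'

// Hardened form (assumes the pdo_sqlite extension, bundled with PHP): bind the
// value as a parameter so the database never sees it as part of the SQL text.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO authors (name) VALUES ('O''Reilly'), ('Smith')");

$stmt = $db->prepare("SELECT name FROM authors WHERE name = :name");
$stmt->execute([':name' => $name]);
var_dump($stmt->fetchColumn());                        // string(8) "O'Reilly"

// The same mechanism for the integer column: bind with an explicit integer
// type instead of interpolating intval()'s result into the SQL string.
$stmt = $db->prepare("SELECT name FROM authors WHERE id = :id");
$stmt->bindValue(':id', intval($_POST['webStyle']), PDO::PARAM_INT);
$stmt->execute();
var_dump($stmt->fetchColumn());                        // bool(false): no row with id 3
```

Run it with `php example.php`. The two query-building functions only return strings, so the first half is safe to run against nothing; the second half needs pdo_sqlite, which is compiled into most PHP distributions.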