Security Basics mailing list archives

Re: PHP filter function against SQL injections


From: Terra Frost <terrafrost () gmail com>
Date: Fri, 09 Feb 2007 09:39:28 -0600

jeffrey rivero wrote:
sure you can then you would get an cast exception
but you would have to know what you looking for ?

Please show me some code that, when casting something to an integer, yields a cast exception. I doubt you could. PHP is a loosely typed language, after all.

In fact, here are some tests of my own:

<?php
error_reporting(E_ALL);
echo intval(array(5,2));
?>

That yields no exceptions and outputs a 1. Whether or not you believe it ought to output a 1 is also beside the point - the point is that it *does* cast to an integer.

Here's another test.

<?php
error_reporting(E_ALL);
echo intval("zzz");
?>

That yields 0.  To understand why, read this:

http://www.php.net/manual/en/language.types.string.php#language.types.string.conversion

We don't have to test any other types because, unless you're doing something like unserialize, you're not going to be able to get those types via GET / POST / COOKIE. Everything returned via any of those is either a string or an array. I'd post more code demonstrating this, but this email is long enough.
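Two things a reader of this exchange would want to see next, as an added example (not code from the original post or from the people in the thread): intval() exercised over the string and array shapes that actually arrive via GET / POST / COOKIE, and the case intval() does not cover, a string column, handled with a bound parameter instead. The sample inputs, the users table and the lookupByName() helper are constructed for this illustration; the second half assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (not from the original thread): exercise PHP's intval() on the kinds of
// values a script really receives via $_GET / $_POST / $_COOKIE (strings and arrays),
// and show what reaches the SQL text after the cast.
error_reporting(E_ALL);

// Constructed sample inputs standing in for a numeric request parameter such as ?id=...
$samples = array(
    'plain number'       => '42',
    'float string'       => '4.9',
    'leading whitespace' => '  7',
    'trailing junk'      => '42 OR 1=1',   // SQL fragment tacked onto a number
    'non-numeric'        => 'zzz',
    'array (id[]=5)'     => array(5, 2),   // what ?id[]=5&id[]=2 produces
    'empty array'        => array(),
);

// Cast each sample with intval() and build the WHERE fragment a query would embed.
// Because intval() always returns an integer, the fragment is always a bare literal.
function castSamples(array $samples)
{
    $results = array();
    foreach ($samples as $label => $value) {
        $id = intval($value);
        $results[$label] = array(
            'raw'  => is_array($value) ? 'array(' . count($value) . ')' : $value,
            'cast' => $id,
            'sql'  => 'WHERE id = ' . $id,
        );
    }
    return $results;
}

foreach (castSamples($samples) as $label => $r) {
    printf("%-20s raw=%-12s intval=%-4d %s\n", $label, $r['raw'], $r['cast'], $r['sql']);
}

// intval() only helps for columns that are genuinely integers. For a string column the
// cast is not applicable, so pass the value as a bound parameter instead; shown here
// against an in-memory SQLite database (requires the pdo_sqlite extension).
function lookupByName(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// A quote-laden name is treated as data by the bound parameter, so it matches no row
// rather than changing the shape of the query.
printf("lookup 'alice'          -> %d row(s)\n", count(lookupByName($db, 'alice')));
printf("lookup \"alice' OR 1=1\" -> %d row(s)\n", count(lookupByName($db, "alice' OR 1=1")));
```

The first loop makes the thread's point concrete: every shape a request can deliver collapses to an integer, and the SQL fragment never contains anything but digits (and possibly a minus sign). The second half is the caveat a practitioner needs alongside it: intval() is a fine guard for integer identifiers only, and for everything else the defence is parameter binding, not casting.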
