Security Basics mailing list archives
Re: PHP filter function against SQL injections
From: Terra Frost <terrafrost () gmail com>
Date: Fri, 09 Feb 2007 09:39:28 -0600
jeffrey rivero wrote:
> Sure you can, then you would get a cast exception, but you would have to know what you're looking for?
Please show me some code that, when casting something to an integer, yields a cast exception. I doubt you could. PHP is a loosely typed language, after all.
In fact, here are some tests of my own:

    <?php
    error_reporting(E_ALL);
    echo intval(array(5,2));
    ?>

That yields no exceptions and outputs a 1. Whether or not you believe it ought to output a 1 is also beside the point - the point is that it *does* cast to an integer.

Here's another test.

    <?php
    error_reporting(E_ALL);
    echo intval("zzz");
    ?>

That yields 0. To understand why, read this: http://www.php.net/manual/en/language.types.string.php#language.types.string.conversion

We don't have to test any other types because, unless you're doing something like unserialize, you're not going to be able to get those types via GET / POST / COOKIE. Everything returned via any of those is either a string or an array. I'd post more code demonstrating this, but this email is long enough.
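
Added example (not part of the original message): the two request-parameter types named above, strings and arrays, run through intval() next to a validator that rejects malformed input instead of coercing it. strict_id() is a hypothetical helper and every sample value is constructed.

```php
<?php
// Added example, not from the original post. All sample inputs are constructed.
error_reporting(E_ALL);

// Shapes a request parameter can take: a string, or an array (?id[]=5&id[]=2).
$samples = [
    '42',
    '42 OR 1=1',
    'zzz',
    ' 7',
    "9\n",
    '',
    ['5', '2'],
    [],
];

/**
 * strict_id() is a hypothetical helper: it returns the integer only when the
 * whole input is a positive decimal integer string, and null otherwise,
 * so malformed input is rejected instead of silently coerced.
 */
function strict_id($value): ?int
{
    // Arrays and other non-strings never qualify.
    if (!is_string($value)) {
        return null;
    }
    // \A and \z anchor the whole string; 1 to 9 digits fits a 32-bit int.
    if (preg_match('/\A[1-9][0-9]{0,8}\z/', $value) !== 1) {
        return null;
    }
    return (int) $value;
}

printf("%-16s %-8s %s\n", 'input', 'intval', 'strict_id');
foreach ($samples as $value) {
    $strict = strict_id($value);
    printf(
        "%-16s %-8d %s\n",
        json_encode($value),
        intval($value),              // never throws, always yields an int
        $strict === null ? 'rejected' : (string) $strict
    );
}
```

The intval column shows what a query would receive if the cast were the only check; the strict_id column shows which inputs an application could refuse outright and log.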