User Input Validation

I will admit that I am a bit lazy about user input validation. This stems from the fact that:

  1. Most of my development is for intranet use
  2. I generally use Oracle for a back end, and tend to pass parameters as bind variables

The intranet development means that my users are more interested in using the web page to get their job done than in hacking the page. A PHP Fatal error message is more likely to result in a support call than in lost business. Also, it is much easier to track down who is causing problems on a corporate network than on the internet, and the repercussions would probably be stronger as well.

True database bind variables also protect you from SQL injection. The problem I have is that perhaps I rely on this feature a bit too much, as it creeps into my writing of articles where I use MySQL or Postgres and the ADOdb library is only emulating bind variables with string substitution.

Which leads me to the gist of this post: easy data scrubbing with type casting. Here is some example code from an article I am writing, where I am able to assume the bug_id will be an integer.

<?php

/**
 * validate a user passed parameter is an actual bug id
 * @param string $parm the index of the $_GET request array to check
 * @return mixed  the integer bug_id if found, otherwise false
 */
function check_passed_bug( $parm ) {
    global $conn;

//not indented because the end of the heredoc must be the first char on its line
$sql = <<<EOS
SELECT COUNT( 1 ) AS cnt,
`id`
FROM `bugdb`
WHERE `id` = ?
GROUP BY `id`
EOS;

    if (array_key_exists($parm, $_GET))  {
        //here is the type cast on the input
        $bug_id = (int)$_GET[$parm];
        $rs = $conn->Execute($sql, array($bug_id));
        if ($rs && !$rs->EOF) {
            $row = $rs->fetchRow();
            if (1 == $row['cnt']) {
                //if found return the id
                return (int)$row['id']; 
            }
        }
    }
    //otherwise return false
    return false; 
}
?>

The type cast certainly is much less expensive than something like regex based validation. So what is the verdict: elegant solution or cheap hack, fraught with SQL injection danger?
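To make the trade-off concrete, here is an added PHP example (my own, not code from the post) that runs a handful of constructed query-string values through the same (int) cast the check_passed_bug() function uses, side by side with PHP's built-in filter_var() using FILTER_VALIDATE_INT. The function names scrub_by_cast() and scrub_by_filter() are invented for this illustration; the sample inputs are made up.

```php
<?php
// Added example, not from the original post: what the (int) cast does to
// assorted strings a browser might send, compared with strict validation.

/**
 * The post's scrubbing step: cast the raw parameter to int.
 * Non-numeric input collapses to 0; trailing junk is silently dropped.
 * The result is always a plain integer, so even when ADOdb emulates bind
 * variables by string substitution, only digits (and a sign) reach the SQL.
 */
function scrub_by_cast($raw) {
    return (int)$raw;
}

/**
 * Stricter alternative: accept only a string that is entirely a decimal
 * integer (surrounding whitespace is tolerated by filter_var).
 * Returns the integer on success, or false when the value is not clean.
 */
function scrub_by_filter($raw) {
    return filter_var($raw, FILTER_VALIDATE_INT);
}

// Constructed sample inputs, as they might arrive in $_GET['bug_id'].
$samples = array(
    '42',           // well-formed id
    '42abc',        // trailing junk: cast keeps 42, filter rejects
    'abc',          // not a number: cast yields 0 (no such bug), filter rejects
    '1 OR 1=1',     // tautology attempt: cast keeps only the leading 1
    '0x1A',         // hex notation: cast yields 0, filter rejects
    ' 7',           // leading whitespace: both accept 7
    '-3',           // negative: both accept, the lookup simply finds no row
    '',             // empty: cast yields 0, filter rejects
);

printf("%-14s %-8s %s\n", 'raw', '(int)', 'FILTER_VALIDATE_INT');
foreach ($samples as $raw) {
    $cast   = scrub_by_cast($raw);
    $strict = scrub_by_filter($raw);
    printf("%-14s %-8d %s\n", var_export($raw, true), $cast,
           $strict === false ? 'rejected' : $strict);
}
```

Run it with `php example.php`. The point it makes: the cast guarantees that whatever is interpolated or bound is an integer, which is why the function above cannot be used to smuggle SQL into the query. What it does not do is validate; '42abc' is quietly treated as a request for bug 42, and 'abc' becomes a lookup for id 0 that just returns no row. If the application needs to tell "bad request" apart from "no such bug", the filter_var() form gives that signal and is still far cheaper than a regex.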