User Input Validation
I will admit that I am a bit lazy about user input validation. This stems from the fact that:
- Most of my development is for intranet use
- I generally use Oracle for a back end, and tend to pass parameters as bind variables
The intranet development means that my users are more interested in using the web page to get their job done than they are in hacking the page. A PHP fatal error message is more likely to result in a support call than in lost business. It is also much easier to track down who is causing problems on a corporate network than on the internet, and the repercussions would probably be stronger as well.
True database bind variables also protect you from SQL injection, because the parameter value never becomes part of the SQL text the server parses. The problem I have is that I perhaps rely on this feature a bit too much, and that habit creeps into my writing of articles, where I use MySQL or Postgres and the ADOdb library is just emulating bind variables with string substitution.
Which leads me to the gist of this post: easy data scrubbing with type casting. Here is some example code from an article I am writing, where I am able to assume that bug_id will be an integer.
<?php
/**
 * validate that a user-passed parameter is an actual bug id
 * @param string $parm the index of the $_GET request array to check
 * @return mixed the integer bug_id if found, otherwise false
 */
function check_passed_bug( $parm ) {
    global $conn; // ADOdb connection opened elsewhere
    // the heredoc body is not indented because (before PHP 7.3) the closing
    // identifier must be the first character on its line
    $sql = <<<EOS
SELECT COUNT( 1 ) AS cnt,
       `id`
  FROM `bugdb`
 WHERE `id` = ?
 GROUP BY `id`
EOS;
    if (array_key_exists($parm, $_GET)) {
        // here is the type cast on the input: a non-numeric string becomes 0
        // and trailing junk is dropped ("42abc" becomes 42), so the cast
        // coerces rather than rejects, and only the lookup below decides
        // whether the value is a real bug id
        $bug_id = (int)$_GET[$parm];
        $rs = $conn->Execute($sql, array($bug_id));
        if ($rs && !$rs->EOF) {
            $row = $rs->FetchRow();
            if (1 == $row['cnt']) {
                // if found, return the id
                return (int)$row['id'];
            }
        }
    }
    // otherwise return false
    return false;
}
?>
The type cast is certainly much cheaper than something like regex-based validation, and because the value handed to the query is a PHP integer there is no string left for an attacker to smuggle SQL in. So what is the verdict: elegant solution or cheap hack, fraught with SQL injection danger?
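To make the trade-off concrete, here is an added example (mine, not code from the original post or the article it quotes) that runs a handful of constructed request values through the (int) cast and through a stricter check built on PHP's filter_var() with FILTER_VALIDATE_INT. The function strict_bug_id() and the assumption that bug ids start at 1 are my own; the point it shows is that the cast never rejects anything, it only coerces, so with the cast alone the database round-trip is the real validation, whereas the strict version refuses malformed ids before any query is sent. It needs PHP 7.1 or later for the nullable return type.

```php
<?php
/**
 * Added example, not from the original post. Compares the lossy (int) cast
 * with a rejecting validator for a request parameter that must be a bug id.
 */

/**
 * Strict check: return the bug id only if the request parameter is a
 * well-formed positive integer, otherwise null. Assumes bug ids start at 1
 * (an assumption of this example, not something the post states).
 *
 * @param array  $request the request array to check ($_GET in the post)
 * @param string $parm    the index of that array to check
 * @return int|null
 */
function strict_bug_id(array $request, string $parm): ?int
{
    if (!array_key_exists($parm, $request) || !is_string($request[$parm])) {
        // missing, or an array such as ?id[]=1 (which (int) would turn into 1)
        return null;
    }
    // FILTER_VALIDATE_INT returns false for anything that is not an integer
    // literal in range; it does not truncate "42abc" to 42 the way (int) does
    $id = filter_var($request[$parm], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Constructed sample inputs, the kind of thing ?id=... might carry
$samples = [
    '42',                     // the happy path
    ' 42',                    // leading whitespace (a numeric string in PHP)
    '42abc',                  // trailing junk: the cast keeps the leading digits
    '42 OR 1=1',              // injection attempt: the cast silently yields 42
    'abc',                    // no digits at all: the cast yields 0
    '',                       // empty string: the cast yields 0
    '-1',                     // negative: the cast accepts it, strict check does not
    '1e3',                    // exponent form: the cast yields 1000 on PHP >= 7.1
    '9999999999999999999999', // beyond PHP_INT_MAX: the cast clamps, no error
    ['1'],                    // ?id[]=1 : the cast of a non-empty array is 1
];

printf("%-28s %-22s %s\n", 'input', '(int) cast', 'strict_bug_id()');
foreach ($samples as $input) {
    $shown  = is_array($input)
        ? 'array(' . implode(',', $input) . ')'
        : var_export($input, true);
    $cast   = (int) $input;
    $strict = strict_bug_id(['id' => $input], 'id');
    printf("%-28s %-22s %s\n", $shown, var_export($cast, true), var_export($strict, true));
}
```

Run it from the command line with php and read the two right-hand columns side by side: every row gets some integer from the cast, while only the first two rows survive the strict check. Which behaviour you want depends on what the caller does next: if a bogus id must never reach the database, validate and reject; if a silent "not found" is acceptable, the cast plus an existence lookup, as in check_passed_bug() above, is enough.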
I prefer regex filtering of request vars because it can handle most situations, which keeps the code consistent. Plus, you can apply multiple filters at a time by passing arrays of regexes. As for the expense, it's not like putting a regex in a loop; there are usually very few request vars to filter.
Why not just use intval()?
To save on typing, I guess. As far as I know, there is no functional difference between:
$bug_id = intval($_GET[$parm]);
and
$bug_id = (int)$_GET[$parm];
I agree that in you