2011-09-17

Avoiding injections

A very fast and useful way to avoid various injections in websites, if you know what type a variable can have.
For example, if you have IDs or other values which can only be integers, then after casting with (int) you can always be sure in the rest of the script that the variable is an integer. Just write (int) before the variable, like this:
$variable = (int) $_GET['variable'];
Another example: if you have a variable which must always be a date, you can pass it as a string and build a date object from it:
$date = $_GET['date'];
$dateObj = new DateTime($date);
// if you need to get back to a string in any case
$dateString = $dateObj->format("Y-m-d"); // or another format
Dealing with the float type is very similar to the integer type. But it is always necessary to remember what the decimal separator of the host is and what the decimal separator in your country is. In my case, I have to remember that the host's decimal separator is a dot, but people in Latvia usually use a comma. So I have to parse the given "float string" and replace the comma with a dot, if there is one.

$value = (float) str_replace(",", ".", $value);
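The three casts above, put together as an added example (not code from the original post): each reader returns a typed value or null, so that input which is not really an integer, a date or a decimal is rejected rather than silently truncated by the cast. The function names and the $params array standing in for $_GET are my own; it assumes PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example: type-coercing readers for request parameters, following
// the post's approach of casting to the type the value must have.
// $params is a constructed stand-in for $_GET.

function readInt(array $params, string $key): ?int {
    if (!isset($params[$key])) {
        return null;
    }
    // (int) alone would silently turn "17abc" into 17; insist on digits
    // only, so garbage is noticed instead of truncated.
    if (!preg_match('/^-?\d+$/', $params[$key])) {
        return null;
    }
    return (int) $params[$key];
}

function readDate(array $params, string $key): ?DateTime {
    if (!isset($params[$key])) {
        return null;
    }
    // Parse with a fixed format rather than new DateTime($string): the
    // free-form constructor accepts many shapes and throws on the rest.
    $dt = DateTime::createFromFormat('!Y-m-d', $params[$key]);
    $errors = DateTime::getLastErrors();
    if ($dt === false || ($errors && $errors['warning_count'] > 0)) {
        return null; // e.g. "2011-02-31" parses with a warning, so reject it
    }
    return $dt;
}

function readFloat(array $params, string $key): ?float {
    if (!isset($params[$key])) {
        return null;
    }
    // Latvian users type a comma, the host expects a dot: normalise first,
    // then require a plain decimal so "1.234,56" is not mangled to 1.234.
    $normalised = str_replace(',', '.', $params[$key]);
    if (!preg_match('/^-?\d+(\.\d+)?$/', $normalised)) {
        return null;
    }
    return (float) $normalised;
}

// Constructed request values, standing in for $_GET.
$params = ['id' => '17', 'date' => '2011-09-17', 'price' => '12,50', 'bad' => '17abc'];

var_dump(readInt($params, 'id'));
var_dump(readInt($params, 'bad'));
var_dump(readDate($params, 'date')->format('Y-m-d'));
var_dump(readFloat($params, 'price'));
```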