2011-09-17

Avoiding injections

A very fast and useful way to avoid various injections in websites, if you know what type a variable can have.
For example, if you have IDs or other values that can only be integers, you can be sure that after this cast the variable will always be an integer, just by writing (int) in front of it, like this:
$variable = (int) $_GET['variable']; // "12abc" becomes 12, "abc" becomes 0: always an int
Another example: if you have a variable that should always be a date, you can pass it as a string and build a date object from it.
$date = $_GET['date'];
$dateObj = new DateTime($date); // throws an Exception if the string cannot be parsed as a date
// if you need to get back to a string in any case
$dateString = $dateObj->format("Y-m-d"); // or another format
Dealing with the float type is very similar to the integer type. But you always have to remember what the decimal separator of the host is and what the decimal separator in your country is. In my case, I have to remember that the host's decimal separator is a dot, but people in Latvia usually use a comma. So I have to parse the given "float string" and replace the comma with a dot, if there is one.

$value = (float) str_replace(",", ".", $value); // "12,50" becomes 12.5
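The three casts above, as one added example that is not part of the original post: each input is checked for the shape it should have before the cast, so that a malformed value is rejected instead of silently becoming 0, a rolled-over date, or an array, and the typed values are then bound through a prepared statement rather than interpolated into the query. The PDO connection $pdo and the table and column names are assumptions for illustration.

```php
<?php
// Added example (not the original post's code): input normalisation with
// validity checks, then a parameterised query. $pdo, the table "orders"
// and its columns are assumed placeholders.
declare(strict_types=1);

/** Cast to int, but reject anything that was not a plain integer string. */
function readInt(array $source, string $key): ?int
{
    // $_GET values can be arrays (?id[]=1), so check the type first.
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    // (int) alone would turn "12abc" into 12; require digits only.
    if (preg_match('/^-?\d{1,10}$/', $source[$key]) !== 1) {
        return null;
    }
    return (int) $source[$key];
}

/** Parse a date in one exact format; returns null instead of throwing. */
function readDate(array $source, string $key, string $format = 'Y-m-d'): ?DateTimeImmutable
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    // "!" resets the time fields so the result is the date at 00:00:00.
    $dt = DateTimeImmutable::createFromFormat('!' . $format, $source[$key]);
    // createFromFormat is lenient ("2011-02-31" rolls over into March);
    // reject anything that does not format back to the same string.
    if ($dt === false || $dt->format($format) !== $source[$key]) {
        return null;
    }
    return $dt;
}

/** Accept "12,50" or "12.50", normalise to a dot separator, cast to float. */
function readFloat(array $source, string $key): ?float
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $normalised = str_replace(',', '.', trim($source[$key]));
    if (!is_numeric($normalised)) {
        return null;
    }
    return (float) $normalised;
}

// Constructed sample input standing in for $_GET.
$input = ['id' => '42', 'date' => '2011-09-17', 'amount' => '12,50'];

$id     = readInt($input, 'id');       // 42
$date   = readDate($input, 'date');    // 2011-09-17 00:00:00
$amount = readFloat($input, 'amount'); // 12.5

if ($id === null || $date === null || $amount === null) {
    http_response_code(400);
    exit('invalid input');
}

// Even with typed values, bind them instead of building the SQL string.
$stmt = $pdo->prepare(
    'SELECT id FROM orders WHERE id = :id AND created >= :created AND amount <= :amount'
);
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->bindValue(':created', $date->format('Y-m-d'));
$stmt->bindValue(':amount', $amount);
$stmt->execute();
```

The round-trip check in readDate is what makes the date validation strict: DateTime accepts "2011-02-31" and quietly turns it into March 3rd, whereas formatting the parsed value back and comparing it to the input catches that case and returns null.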
