Chris Nizzardini, Salt Lake City Utah, Web Developer Specializing in LAMP+Ajax Since 2006


Type Casting In PHP To Prevent XSS and SQL Injection

Lots of developers think the best way to prevent XSS and SQL injection attacks is by passing all user input through a filter function. If you're one of these developers, don't worry, you're still right. There is a better (less code and fewer CPU cycles) way to do this on certain user inputs, though. Type casting to integer should be used on every user input that is supposed to be a numeric value. This ensures a valid data type is being used, since the cast automatically converts any string to an integer. For those inputs this effectively prevents any SQL injection or XSS attack.

$customer_id = (int) $_POST['customer_id'];

This automatically prevents someone from being able to pass in something like:

1' OR 1='1

or

window.location 'aol.evilcloneofaol.com'
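As an added example (not code from the original post), the PHP below runs the post's own inputs through the (int) cast, and beside it a stricter filter_var() check that rejects non-numeric input instead of silently turning it into 0; the $pdo connection and `customers` table in the trailing comment are assumed, not from the post.

```php
<?php
// Added example, not from the original post: what (int) does with a few
// constructed inputs, and a stricter alternative using filter_var().
declare(strict_types=1);

function castCustomerId(string $raw): int
{
    // Same technique as the post: leading digits are kept, everything
    // else is discarded, and a non-numeric string becomes 0.
    return (int) $raw;
}

function validateCustomerId(string $raw): ?int
{
    // Stricter: rejects the input outright, so "no valid id" (null)
    // is distinguishable from a real id, and ids must be >= 1.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample inputs, including the two payloads quoted in the post.
$samples = [
    '42',
    "1' OR 1='1",
    "window.location 'aol.evilcloneofaol.com'",
    'abc',
    '0',
    '007',
];

foreach ($samples as $raw) {
    printf(
        "%-45s cast=%-4d validated=%s\n",
        var_export($raw, true),
        castCustomerId($raw),            // '42' -> 42, "1' OR 1='1" -> 1, 'abc' -> 0, '007' -> 7
        var_export(validateCustomerId($raw), true) // only '42' survives; '007' and '0' are rejected
    );
}

// Even after casting, bind the value as a parameter instead of interpolating it
// into the SQL string. $pdo and the `customers` table are hypothetical.
// $stmt = $pdo->prepare('SELECT * FROM customers WHERE id = :id');
// $stmt->bindValue(':id', castCustomerId($_POST['customer_id'] ?? ''), PDO::PARAM_INT);
// $stmt->execute();
```

The cast alone cannot tell a genuine id of 0 from garbage input, which is why the validating version returns null for anything that is not a plain positive integer.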
