Lots of developers think the best way to prevent XSS and SQL injection attacks are by passing all user input through a filter function. If you’re one of these developers don’t worry, you’re still right. There is a better (less code and less CPU cycles) way to do this on certain user inputs though. Type casting to integers should be used on all user inputs that should be a numeric value. This ensures that a valid data type is being used and it automatically converts any strings to an integer. This effectively prevents any SQL injection or XSS attacks.
1 | $customer_id = (int) $_POST['customer_id']; |
This automatically prevents someone from being able to pass in something like:
1 | 1' OR 1='1 |
or
1 | window.location 'aol.evilcloneofaol.com' |
It should be noted that when casting a variable to an integer there are limitations to just how big that integer can be. On 32-bit systems the limit is 2,147,483,647 and on 64-bit systems the limit is 9,223,372,036,854,775,807. I’ve hit the limit on 32-bit systems, but never on a 64-bit. When the variable you are casting to an int is too large PHP will always just return the highest number it can. Leading to lots of confusion when trying to debug this error.
Related posts:
Tags: php, security, sql injection, type cast, xss
word