Variable Casting

December 21st, 2005

I thought I'd do a few small tutorials on data validation. Pretty much all websites now take some sort of user input, whether through a newsletter sign-up, user registration or a shopping cart. It's important that this input is validated, or you'll find the wrong sort of data getting in, either from a malicious user or from a careless one!

A lot of people get into PHP because it is rather easy to code in, but they overlook the most basic input validation routines that ensure the data coming from the end user matches what they expect. The golden rule of writing a PHP application is to never trust user input, whether it comes from a form via POST, from the URL via GET, or even from a cookie.

There are a few things that even the most basic user can apply to their code to ensure some data integrity, and variable casting is probably the easiest. Take the following query:

SELECT * FROM users WHERE id = '$_GET[id]'

Now suppose $_GET["id"] is set to 1'; DELETE FROM users; -- (the quote closes the string literal, the semicolon ends the SELECT, and -- comments out the trailing quote). The query becomes SELECT * FROM users WHERE id = '1'; DELETE FROM users; -- ' which, if the database runs both statements, removes every row from your users table. If you are using MySQL through PHP's mysql_query(), only one statement is sent per call, so the stacked DELETE would not run; with another RDBMS such as PostgreSQL, whose pg_query() does accept several statements, it would. Don't take comfort in that MySQL limitation, though: an input of 1' OR '1'='1 is a single statement, and it returns every user on any database.

An easy way to overcome this is to cast the variable to an integer. Since we only ever expect an integer here, we can force PHP to use just the integer value at the start of the string (or 0 if there isn't one), so the query is built as SELECT * FROM users WHERE id = 1 and nothing an attacker appends survives. Note that this is a fix for numeric fields only; a free-text field still has to be escaped or bound as a query parameter, since there is nothing sensible to cast it to.

PHP:
  <?php
  $var = '43 black books';
  echo (int)$var;   // gives 43: the leading digits are kept, the rest is discarded
  $var = 'text only string';
  echo (int)$var;   // gives 0: there are no leading digits at all
  $var = '4.00';
  echo (int)$var;   // gives 4: the fractional part is dropped
  $var = '4.00';
  echo (float)$var; // gives the float 4.0, which echo prints as 4

Validation can also be extended to strings, using the ctype_* functions, which check that every character of a string belongs to a given class (since PHP 5.1 they return false for an empty string):

PHP:
  <?php
  var_dump(ctype_alpha("abcde"));   // returns true: letters only
  var_dump(ctype_alpha("123"));     // returns false: digits are not letters
  var_dump(ctype_alnum("abc123"));  // returns true: letters and digits
  var_dump(ctype_alnum("abc123!")); // returns false: '!' is neither
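The ctype_* calls on their own are only half of a validator, so here is an added example, not code from the original post, of what a practitioner would wrap around them: a username check on ctype_alnum and a quantity check on ctype_digit, with the type and length checks that ctype never does. valid_username(), valid_quantity() and the sample inputs are all constructed for this illustration.

```php
<?php
// Added example, not code from the original post: validators built on the
// ctype_* functions, with the checks ctype_* alone does not give you.
// valid_username() and valid_quantity() are helpers written for this example.

function valid_username($raw)
{
    // ctype_* expect a string. A non-string (an array from ?name[]=x, or an
    // integer, which ctype would interpret as an ASCII code) must be
    // rejected before the check, not passed through.
    if (!is_string($raw)) {
        return false;
    }
    // ctype_alnum('') is false in PHP 5.1+, but an explicit length check
    // also bounds the maximum, which the ctype functions never do.
    $len = strlen($raw);
    if ($len < 3 || $len > 20) {
        return false;
    }
    // Only ASCII letters and digits pass under the default C locale;
    // accented or multibyte characters fail, which is what you want for
    // an identifier but not for a free-text display name.
    return ctype_alnum($raw);
}

// ctype_digit is the strict counterpart of an (int) cast: it accepts only
// a string made entirely of 0-9, so "43 black books" is rejected outright
// rather than silently becoming 43.
function valid_quantity($raw)
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 6) {
        return false;
    }
    return (int) $raw;
}

// Constructed inputs standing in for $_POST values.
$usernames = array('alice01', 'abc123!', '', 'al', str_repeat('a', 30), "bob'; --");
foreach ($usernames as $u) {
    printf("username %-24s %s\n", var_export($u, true),
        valid_username($u) ? 'accepted' : 'rejected');
}
$quantities = array('12', '43 black books', '-1', '4.00', '1234567');
foreach ($quantities as $q) {
    $n = valid_quantity($q);
    printf("quantity %-24s %s\n", var_export($q, true),
        $n === false ? 'rejected' : "accepted as $n");
}
```

A value that passes valid_username() is safe to build into a query because it can only contain letters and digits; a field that legitimately needs other characters (an address, a comment) cannot be validated this way and must be escaped or bound as a parameter instead.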

More information can be found in the PHP Manual.

Hopefully this has opened your eyes a bit to the problems that can occur in a script and the holes that can be exposed. More to come soon!


Entry Filed under: Input Validation

3 Comments

  • 1. Just Stuff » Input …  |  December 21st, 2005 at 2:41 pm

    […] Khalid over at Jelly and Custard has started to write a few tutorials on this subject. To save me writing them too, go read his post on Variable Casting […]

  • 2. Interesting News Posts …  |  March 10th, 2006 at 12:30 am

    […] […]

  • 3. Random Website …  |  March 28th, 2006 at 4:45 pm

    […] […]
