Comments on: Type Casting In PHP – What’s the Point?

By: Protection against SQL Injection using PDO and Zend Framework – part 2 » DotKernel

Fri, 18 Jun 2010 12:37:44 +0000

[...] A short tip, you can use cast type to avoid SQL Injection in WHERE clause where is possible. $sql= 'SELECT * [...]

By: rich97

rich97 — Sat, 24 Apr 2010 02:29:03 +0000

I use typecasting all of the time. I think it can be quite a nice way to slim down your, code in some cases. For instance:

if (!is_array($data)) {
$data = array($data);
}
//foreach over $data

With typecasting I can do this:

$data = (array) $data;
//foreach over $data

I also use it regularly to ensure that the correct type is returned by a method.

Please correct me if you think this is wrong.

By: Chris

Chris — Wed, 24 Mar 2010 11:10:58 +0000

Eugene,

The reason why is you have to force the variable to become an integer for security.

Consider a page which uses a GET request:

product.php?id=123

If I’m a nasty hacker, I can potentially do this:

product.php?id=’ or ‘1′ = ‘1

Which could turn (behind the scenes) into

“SELECT * FROM admin_users WHERE username = ‘admin’ and password = ‘xxx’ OR ‘1′ = ‘1′;”

PHP won’t automatically convert my GET variable into an integer. However, if I force it to, by casting, the string: ‘ or ‘1′ = ‘1 will never be passed to my database, but the string 123 will be passed because it can be cast.

Hope that explains it.

By: Eugene

Eugene — Tue, 08 Dec 2009 07:04:25 +0000

Thats all good, but has anyone ever notice that php pretty much sorts the tyes out for herself.
The following 3 all return the same result (10.24) …

echo ((int)’1024′) / 100;
echo ‘1024′ / 100;
echo ‘1024′ / ‘100′;

So why?

By: David Konsumer

David Konsumer — Tue, 06 Oct 2009 22:22:30 +0000

Alex, hans: if you make a query function, and keep your queries as strings, you can automate it, and use %s, without SQL injection.

By: Alex

Alex — Wed, 28 Jan 2009 08:43:05 +0000

I agree with Hans. Why use mysql_real_escape_string if you know that it should be an integer?? Casting (int) will do.

It is not only an overkill but also contributing to the global warming. I mean performing senseless computations. Besides calling a function takes time, while (int) is really fast.

By: Hans

Hans — Mon, 08 Dec 2008 18:16:26 +0000

Actually the best way would be:
$SQL = ‘SELECT * FROM table WHERE id = ‘ . (int) $_POST['input'];
you do not need mysql_real_escape_string when you use (int), because integers cannot be used for SQL injections.

to computerzworld:
if implode and (string) don’t do what you want then use foreach

By: Briddo

Briddo — Fri, 05 Dec 2008 12:33:57 +0000

computerzworld

serialize(array) will turn your array into a string.
unserialize(string) will turn it back into an array.

Or >>

$string = “”;
foreach ($array as $key => $value):
$string .= $value . ‘ ‘;
endforeach;

By: computerzworld

computerzworld — Mon, 25 Aug 2008 09:12:57 +0000

Hi…. I want to convert my array into string using typecasting without using implode. I tried with (string)Array. But it didn’t worked. How is it possible to convert array to string using typecasting?

By: Jack B

Jack B — Fri, 27 Jun 2008 17:47:05 +0000

Wouldn’t it be just as secure to use the following:

$id = number_format($_POST['id'], 0, “”, “”);
$sql = “SELECT * FROM table WHERE id = $id”;

This way, if the posted value is not a integer, 0 is returned at the query doesn’t fail?

By: David Konsumer

David Konsumer — Sat, 29 Sep 2007 04:04:51 +0000

Bah, bad formatting.

sprintf(‘SELECT * FROM table WHERE id = %d’, mysql_real_escape_string($_POST['input']));

By: David Konsumer

David Konsumer — Sat, 29 Sep 2007 04:03:31 +0000

I use sprintf for the same purpose, with the plus side being that you can keep all your queries in a config file.

By: Jim Kane

Jim Kane — Fri, 28 Sep 2007 13:51:05 +0000

Great post, Ned! That is your name from now on.