I’ve gotten into the habit of filtering the user-submitted variable through my int function, which makes sure it’s a number (if not, it returns 0), and not quoting the variable in MySQL queries.
Is that bad practice? I think I decided to do this for performance reasons. Plus I’ve always thought that numbers shouldn’t be put in quotes.
Example:
if ($perpage != $user['perpage']) {
    if ($perpage == 50 || $perpage == 100 || $perpage == 200) {
        $DB->query("UPDATE users SET perpage=$perpage WHERE id=$user[id]", __FILE__, __LINE__);
    }
}
Aha! An interesting case here!
You are right in general. It is always better to treat numbers as numbers, not strings; there is a strict_mode setting in MySQL which, if turned on, won’t allow you to disguise a number as a string. But your implementation in fact allows an injection! Let’s leave it for your homework to find it 🙂
Here is a reference for you, explaining this injection: http://php.net/language.types.type-juggling
So, I’d make your code like this:
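The weak point is the loose `==` comparison: in PHP before 8, comparing an integer with a string converts the string by its leading digits, so a string that merely starts with 50 passes the check and is then interpolated unquoted into the SQL. The hardened version below is an added example, not the answerer's code; it assumes a PDO connection in `$pdo` and a hypothetical `validPerPage`/`savePerPage` pair, and shows the exact-integer check beside a parameterised query.

```php
<?php
// Added example (not the answerer's code): accept only the exact integers
// 50, 100 or 200 and bind the values in the query instead of interpolating
// them. Assumes a PDO connection in $pdo (hypothetical).

function validPerPage($input): ?int
{
    // Only an int or a pure digit string may proceed; "50 abc" and " 50"
    // fail ctype_digit, so type juggling never gets a chance.
    if (!is_int($input) && !ctype_digit((string) $input)) {
        return null;
    }
    $value = (int) $input;
    // Strict in_array (third argument true) compares type and value.
    return in_array($value, [50, 100, 200], true) ? $value : null;
}

function savePerPage(PDO $pdo, int $userId, $input): bool
{
    $perpage = validPerPage($input);
    if ($perpage === null) {
        return false; // leave the setting unchanged for invalid input
    }
    // Placeholders keep both values out of the SQL text entirely, so the
    // quoting question never arises.
    $stmt = $pdo->prepare('UPDATE users SET perpage = :perpage WHERE id = :id');
    $stmt->bindValue(':perpage', $perpage, PDO::PARAM_INT);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed inputs: only the first is a valid page size.
var_dump(validPerPage('50'));
var_dump(validPerPage('50 abc'));
var_dump(validPerPage(' 50'));
```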