Is (int)$_POST['post_id'] really safe? Won't it allow negative integers?


I think we all have an idea about what you mean by "safe", but you may want to clarify safe for what.

Written by deceze

Accepted Answer

Assuming you mean safe in terms of SQL injection or XSS attacks, then probably yes. Casting to an int only makes sure the value is an integer. An integer is not usually dangerous in any context. It does not guarantee the safety of the integer's value though. It may be 0, which may or may not have a special meaning in your code, for example when comparing to false. Or it may be negative, which, again, may or may not have any side effects in your code.

"Safety" isn't an absolute thing. The string "1 = 1; DROP TABLE users" by itself is pretty safe, too. It just depends on the context you're using it in. Just the same, a 0 is perfectly safe until your code includes if (!$number) deleteAllUsers();.

Written by deceze
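An added illustration of the point above (not part of deceze's answer): a plain (int) cast next to a range-checked validation, using a hypothetical helper and an assumed PDO connection for the lookup.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the answer): returns a validated post id, or null.
// A plain (int) cast accepts "abc" (becomes 0) and "-5" (stays negative), and
// silently truncates "12abc" to 12. FILTER_VALIDATE_INT with min_range => 1
// rejects all three, so "is an integer" and "is a usable id" are checked together.
function postIdFromRequest(array $post): ?int
{
    $raw = $post['post_id'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample inputs, as they might arrive in $_POST
$samples = ['42', '0', '-5', 'abc', '12abc', '007'];
foreach ($samples as $raw) {
    printf("%-8s  (int) cast: %-4d  validated: %s\n",
        var_export($raw, true),
        (int) $raw,
        var_export(postIdFromRequest(['post_id' => $raw]), true));
}

// Even a validated integer is still bound as a parameter, so the query
// structure never depends on the value (assumes a configured PDO instance).
function loadPost(PDO $db, int $postId): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $postId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```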
The content is written by members of the community.
It is licensed under cc-wiki