PHP安全 - (int)vs FILTER_VALIDATE_INT [英] PHP Security - (int) vs FILTER_VALIDATE_INT
问题描述
我的问题是从网站获取整数值,无论是从用户还是从Web应用程序生成,并通过查询字符串传递。
值(整数)可能会显示或在mysql查询中使用。
我试图构造最好的安全方法。
有鉴于此,简单地使用
$ myNum =(int)$ _ GET ['num'];
或
if(filter_var($ _GET ['num'],FILTER_VALIDATE_INT))$ myNum = $ _GET ['num'];
另外,请解释一下使用(int) code>和
FILTER_VALIDATE_INT
转换为 int
总是会得到一个 int
,这可能是也可能不是原始值。例如。 (int)'foobar'
结果在 int
0
。这对于大多数SQL目的来说是安全的,但与原始值无关,甚至不知道它。
filter_var 与
FILTER_VALIDATE_INT
告诉你该值是否为 int
,基于此,您可以决定在SQL查询中使用它,或向用户显示错误消息。
I recently was told there is FILTER_VALIDATE_INT which is great by the way.
My question is in terms of taking an integer value from the website whether it maybe from user or generated from the web application, and passed via query string.
The value (integer) may be displayed or used in mysql query.
I am trying to structure the best possible security method for this.
With that in mind, is it safe to simply use
$myNum = (int)$_GET['num'];
Or
if (filter_var($_GET['num'], FILTER_VALIDATE_INT)) $myNum = $_GET['num'];
Also, please explain what is the difference between using (int)
and FILTER_VALIDATE_INT
The difference is that a cast to int
will always get you an int
, which may or may not be the original value. E.g. (int)'foobar'
results in the int
0
. This makes it safe for most SQL purposes, but has nothing to do with the original value, and you won't even know it.
filter_var
with FILTER_VALIDATE_INT
tells you whether the value is an int
, based on which you can make the decision to use it in an SQL query or display an error message to the user.
这篇关于PHP安全 - (int)vs FILTER_VALIDATE_INT的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!