Home page logo
/

basics logo Security Basics mailing list archives

Re: PHP filter function against SQL injections
From: Terra Frost <terrafrost () gmail com>
Date: Fri, 09 Feb 2007 09:39:28 -0600

jeffrey rivero wrote:
sure you can then you would get an cast exception
but you would have to know what you looking for ?

Please show me some code that, when casting something to an integer, yields a cast exception. I doubt you could. PHP is a loosely typed language, after all.

In fact, here are some tests of my own:

<?php
error_reporting(E_ALL);
echo intval(array(5,2));
?>

That yields no exceptions and outputs a 1. Whether or not it you believe it ought to output a 1 or not is also beside the point - the point is that it *does* cast to an integer.

Here's another test.

<?php
error_reporting(E_ALL);
echo intval("zzz");
?>

That yields 0.  To understand why, read this:

http://www.php.net/manual/en/language.types.string.php#language.types.string.conversion

We don't have to test any other types because, unless you're doing something like unserialize, you're not going to be able to get those types via GET / POST / COOKIE. Everything returned via any of those is either a string or an array. I'd post more code demonstrating this, but this email is long enough.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]