Well, you should still escape any strings you're getting from a web page so
you can ensure you're not subject to a SQL insert attack, even if you're
expecting integers.
Peter Darley

Well, your framework should do this for you :

"integer" specified in your database object class description
"%d" appears in in your generated queries (or you put it in your hand written queries)
=> if the parameter is not an integer, an exception is thrown, then catched, then an error page is displayed...

        Or, just casting to int should throw an exception...

Forms should be validated, but hidden parameters in links are OK imho to display an error page if they are incorrect, after all, if the user edits the get or post parameters, well...

---------------------------(end of broadcast)---------------------------
TIP 7: don't forget to increase your free space map settings

Reply via email to