Re: [PHP-DB] Is this redundant? {OT}

2003-10-06 Thread David Smith
Robin Kopetzky wrote:

Good afternoon.

I found this code in a program I'm renovating and think this is very
redundant. Also, it does slow queries down while doing all of the
conversions.
prod_id in the mysql database is declared an integer.

SQL above
where prod_id = '" . (int)$prod_id . "' and
SQL below
Question: since $prod_id is already an integer, why would someone convert it
into an integer, then convert it into a string to later have mysql convert
it back into an integer?? Could someone shed some light on the intent behind
this weird code??
This is most likely a security measure and not redundant at all. Even if 
someone tries to inject malicious SQL into $prod_id, this code will 
cast it as an integer, discarding any non-numeric characters. For 
example, if $prod_id is 42; drop database foo;, that would be very 
dangerous. With the (int) cast, $prod_id will simply be cast to the 
integer 42. A good idea in my view.

--Dave

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP-DB] Is this redundant? {OT}

2003-10-06 Thread John W. Holmes
Robin Kopetzky wrote:
Good afternoon.

I found this code in a program I'm renovating and think this is very
redundant. Also, it does slow queries down while doing all of the
conversions.
prod_id in the mysql database is declared an integer.

SQL above
where prod_id = '" . (int)$prod_id . "' and
SQL below
Question: since $prod_id is already an integer, why would someone convert it
into an integer, then convert it into a string to later have mysql convert
it back into an integer?? Could someone shed some light on the intent behind
this weird code??
How do you KNOW that $prod_id is an integer? If register_globals is ON 
and it's coming from user input, then you don't.

The only part that's redundant is including the single quotes in the SQL 
statement for an integer.

where prod_id = " . (int)$prod_id . " and

would be more efficient.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals  www.phparch.com

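The two replies above make the same point from two angles: the (int) cast turns whatever arrived in $prod_id (with register_globals on, or from $_GET, it is always a string) into a plain integer before it touches the query, and once it is an integer the SQL single quotes around it serve no purpose. The script below is an added example written for this page, not code from the thread; it builds the query text for a hypothetical products table with the three forms discussed (raw concatenation, cast with quotes, cast without quotes) and adds a stricter validator for callers that must not silently accept junk as id 0. Table and column names, the function names and the sample inputs are all constructed for illustration; no database connection is made.

```php
<?php
// Added example (not from the thread): why "(int)$prod_id" is a defence, not a redundancy.
// Hypothetical "products" table; only the SQL text is built, nothing is executed.

declare(strict_types=1);

// Constructed sample inputs, as they would arrive via $_GET['prod_id'] or a
// register_globals variable: request values are always strings, never integers.
$inputs = [
    '42',                       // the honest case
    '42; drop database foo;',   // Dave's example: stacked-statement attempt
    "42' OR '1'='1",            // quote-breaking attempt against the quoted form
    'abc',                      // non-numeric: (int) cast yields 0
    '',                         // empty: (int) cast yields 0
];

// Vulnerable form: user input concatenated verbatim into the statement.
function vulnerableQuery(string $prod_id): string
{
    return "SELECT * FROM products WHERE prod_id = '" . $prod_id . "' AND active = 1";
}

// The form found in the program being renovated: cast to int, SQL quotes kept.
// PHP's (int) cast takes the leading numeric part of the string and drops the rest.
function castQuotedQuery(string $prod_id): string
{
    return "SELECT * FROM products WHERE prod_id = '" . (int)$prod_id . "' AND active = 1";
}

// John Holmes' suggestion: cast to int and drop the now-pointless quotes.
function castQuery(string $prod_id): string
{
    return "SELECT * FROM products WHERE prod_id = " . (int)$prod_id . " AND active = 1";
}

// Stricter check: the cast maps 'abc' and '' to 0, which may itself be a valid id.
// FILTER_VALIDATE_INT accepts only a well-formed integer literal and rejects
// anything with trailing garbage, so the caller can refuse the request instead.
function validatedId(string $prod_id): ?int
{
    $id = filter_var($prod_id, FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

foreach ($inputs as $in) {
    printf("input:        %s\n", var_export($in, true));
    printf("  vulnerable: %s\n", vulnerableQuery($in));
    printf("  cast+quote: %s\n", castQuotedQuery($in));
    printf("  cast only:  %s\n", castQuery($in));
    printf("  validated:  %s\n", var_export(validatedId($in), true));
}
```

Running it shows the vulnerable form passing `42' OR '1'='1` straight through, while both cast forms reduce every hostile input to `42` (or `0` for the non-numeric ones) and `validatedId()` returns `null` for everything except the honest `'42'`. The old mysql extension did not run stacked statements, so the `; drop database` payload would have failed on its own, but the `OR '1'='1'` variant works against the raw concatenation, which is why the cast matters. In current PHP the same intent is better expressed with a prepared statement and a bound integer parameter; the cast remains a cheap, correct guard for a single integer column.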