A very nice summary, Zaphod!
Quote:
- Check the data type is as expected. Functions include:
+ Is_string()
+ Is_numeric() // will also return true if data is a string containing a number
+ Is_float() // remember data passed in by form is typed as string
+ Is_array()
+ Is_object()
+ Ctype functions permit more specific screening of input (see PHP manual).
Properly casting the variables is important for many reasons, just be aware
of your options and the impact on performance.
Similarly, I feel if the data and variables are handled properly, the numeric values in sql strings don't need quotes, which also improves performance of the database. By proper handling I mean -
* The variable has been declared and initialized
* The input has been sanitized
* The input has been encoded, if appropriate
* The input has been validated, and
* The input has been cast as the expected type (int, float, string, array)
In fact, using string values in the query when the field type is numeric can lead to different results -
http://dev.mysql.com/doc/refman/5.1/en/type-conversion.html
This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=618&post_id=17307