Re: PHP filter function against SQL injections

jeffrey rivero wrote:
> sure you can then you would get an cast exception
> but you would have to know what you looking for ?

Please show me some code that, when casting something to an integer, 
yields a cast exception.  I doubt you could.  PHP is a loosely typed 
language, after all.

In fact, here are some tests of my own:

<?php
error_reporting(E_ALL);
echo intval(array(5,2));
?>

That yields no exceptions and outputs a 1.  Whether or not it you 
believe it ought to output a 1 or not is also beside the point - the 
point is that it *does* cast to an integer.

Here's another test.

<?php
error_reporting(E_ALL);
echo intval("zzz");
?>

That yields 0.  To understand why, read this:

http://www.php.net/manual/en/language.types.string.php#language.types.string.conversion

We don't have to test any other types because, unless you're doing 
something like unserialize, you're not going to be able to get those 
types via GET / POST / COOKIE.  Everything returned via any of those is 
either a string or an array.  I'd post more code demonstrating this, but 
this email is long enough.