
Just as the title states. Is it a standard procedure/practice to escape number inputs?

I know text fields should be escaped, but I'm wondering if I need to escape numbers.

DMort
  • No. You should always use prepared statements. Also - you should NEVER EVER trust user input – Alon Eitan May 30 '16 at 19:15
  • Basic rule of thumb: if you're allowing "outside" data into your query strings, then you should be escaping. Just because a field might be numeric-only doesn't mean it's any less dangerous than a text field. And that means you should be using prepared statements, so you don't even have to THINK about escaping - the prepare stuff takes care of all that for you. – Marc B May 30 '16 at 19:17
  • Ok thanks guys! I really need to teach myself prepared statements soon. Everywhere I look it seems like that has become the new thing to do. I'm pretty much self taught and everything I learn seems to change in a year or so. lol – DMort May 30 '16 at 19:19
  • @MortHub That's because when you're using prepared statements you don't put the values directly in the query; instead you put variables and bind the values to those variables. This is a high priority thing to learn if you're still escaping the values and putting them in the query – Alon Eitan May 30 '16 at 19:24
  • It will definitely be my next priority. I appreciate the clarification. Thanks for your time. – DMort May 30 '16 at 19:28

1 Answer


You should use prepared statements. But if you don't wish to do that, at least cast to some data type, for example:

<?php
// Casting forces the raw input to the expected type before it goes anywhere
// near the query: anything that is not a number becomes 0, and only the
// leading numeric part of a string survives, e.g. (int)'42abc' === 42.
$myVar = (int)$_POST['user_age'];
$myVar = (float)$_POST['user_salary'];
Felippe Duarte