Using Integers to Stop Hackers
When designing any web application, we need to write the code with hackers in mind. Any input we get from a form or a URL needs to be "sanitized" before we display it or use it in a SQL query. One simple but powerful technique is to use integers whenever possible. For example, in Joomla almost all database tables have an integer as the primary key. We also use integers to encode the published state and similar fields that have only a small number of possible values.
When a value should be an integer, we can simply filter it or cast it to an integer, which discards any malicious code a hacker might try to sneak into that variable. For example, if we want to set a local variable from an integer value in a form or URL, we can use something like this:
$id = JRequest::getInt('id');
This returns the request value as an integer, so no quotes or SQL fragments can survive in $id. If we're using a variable in a query that we know should be an integer, we can cast it at the point of use:
$query->where('a.state = ' . (int) $published);
Because the cast yields a PHP integer, the only characters that can reach the query are an optional minus sign and digits; any quotes, operators or SQL keywords in the request value are discarded, so it cannot be used to alter the query.
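To make the effect of the cast concrete, here is an added, stand-alone PHP example (not Joomla's own code) that runs the same WHERE clause through three builders: raw interpolation, the (int) cast from above, and a stricter variant using PHP's built-in filter_var() that rejects non-integers instead of silently turning them into 0. The function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not code from the original article or from Joomla.
// Shows what an integer cast does to hostile request input before it is
// concatenated into SQL, and a stricter validate-instead-of-coerce variant.

// Constructed sample inputs, as they might arrive via $_GET['id'].
$samples = [
    '42',             // well-formed id
    '42 OR 1=1',      // SQL fragment appended to a number
    "1' OR '1'='1",   // quote-based injection attempt
    'abc',            // not a number at all
    '0',              // legitimate zero (e.g. an unpublished state)
    '-7',             // negative number
];

// Unsafe: raw interpolation, exactly what the cast is meant to prevent.
function buildWhereUnsafe(string $value): string
{
    return 'a.state = ' . $value;
}

// Safe: (int) yields a PHP integer, so only an optional minus sign and
// digits can ever appear in the SQL string. "42 OR 1=1" becomes 42,
// "1' OR '1'='1" becomes 1, "abc" becomes 0.
function buildWhereCast(string $value): string
{
    return 'a.state = ' . (int) $value;
}

// Stricter: validate rather than coerce. Garbage such as "abc" is rejected
// instead of quietly becoming 0, which could match a real row whose state
// is 0. FILTER_VALIDATE_INT returns false for anything that is not a
// whole integer, and a genuine "0" still passes.
function buildWhereValidated(string $value): ?string
{
    $int = filter_var($value, FILTER_VALIDATE_INT);
    if ($int === false) {
        return null; // caller should treat this as a bad request
    }
    return 'a.state = ' . $int;
}

foreach ($samples as $input) {
    printf(
        "%-16s | unsafe: %-26s | cast: %-12s | validated: %s\n",
        var_export($input, true),
        buildWhereUnsafe($input),
        buildWhereCast($input),
        buildWhereValidated($input) ?? 'rejected'
    );
}
```

Run it with `php example.php` and compare the three columns: the unsafe builder passes the hostile text straight into the clause, the cast builder never emits anything but a number, and the validated builder additionally refuses input that was not an integer to begin with. The cast only helps for values that really are integers; a string column such as a title still needs the database layer's quoting (in Joomla, $db->quote()) or a prepared statement.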