
Using Integers to Stop Hackers

When designing any web application, we need to write the code with hackers in mind. Any input we get from a form or a URL needs to be "sanitized" before we display it or use it in a SQL query. One simple but powerful technique is to use integers whenever possible. For example, in Joomla almost all database tables have an integer as the primary key. We also use integers to encode the published state and similar fields where there is only a small number of possible values.

When a value should be an integer, we can simply filter it or cast it to integer to eliminate any malicious code a hacker might try to sneak into that variable. For example, if we want to set a local variable based on an integer value in a form or URL, we can use something like this:

$id = JRequest::getInt('id');

This approach forces the value to be an integer. If we're using a variable in a query that we know should be an integer, we can use something like this:

$query->where('a.state = ' . (int) $published);

By forcing the value to be an integer, we filter out any unwanted code in our SQL query.
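The filtering step described above, as an added example that is not the article's or Joomla's own code: it runs PHP's plain (int) cast over a few constructed inputs, shows the WHERE fragment each one produces, and contrasts the cast with filter_var's strict integer validation (the helper name intWhere is mine).

```php
<?php
// Added example, not from the original article or from Joomla.
// Demonstrates what the (int) cast does to raw request input and why the
// resulting query fragment can only ever contain a single integer literal.

// Build the WHERE fragment the way the article does, from the cast value only.
// Returns the cast value, the strict-validation result, and the fragment.
function intWhere(string $raw): array
{
    // The article's technique: non-numeric tails are dropped and input that
    // is not a number at all becomes 0.
    $cast = (int) $raw;

    // Stricter alternative: reject input that is not a well-formed integer
    // instead of silently turning it into 0.
    $strict = filter_var($raw, FILTER_VALIDATE_INT);

    return [
        'cast'   => $cast,
        'strict' => $strict === false ? 'reject' : (string) $strict,
        'where'  => 'a.state = ' . $cast,
    ];
}

// Constructed sample inputs, as they might arrive in $_GET['id'].
$samples = [
    '42',          // well-formed
    '42 OR 1=1',   // number with SQL appended
    "1' --",       // quote and comment appended
    'abc',         // not numeric
    '',            // empty
    '-7',          // negative
    '3.9',         // not an integer
];

foreach ($samples as $raw) {
    $r = intWhere($raw);
    printf("%-14s cast=%-3d strict=%-7s %s\n",
        var_export($raw, true), $r['cast'], $r['strict'], $r['where']);
}
```

Note that the cast maps 'abc' and '' to 0, so code using the cast must treat 0 as "no valid id" or use the strict check where 0 is a legitimate value. This protects only integer-typed values; string input still needs proper escaping or parameter binding.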
