Hi Andrea,

On Fri, Nov 21, 2014 at 11:06 AM, Andrea Faulds <a...@ajf.me> wrote:
> Ideally, usage of these functions should be accompanied by some sort of
> validation logic if necessary for the application. They aren't validation
> functions in themselves, they just prevent certain conversions that don't
> make sense. Say someone fails to do proper validation and does this:
>
> $user = User::get((int)$_GET['id']);
>
> With this code, absolutely anything could be passed for "id" in the URL
> parameter and it'd be converted to a valid integer, transforming garbage
> into apparently valid values.
>
> On the other hand, say they did this:
>
> $user = User::get(to_int($_GET['id']));
>
> If I pass something that is not a number (like "foobar"), it would throw
> an exception.

This is a good use case, IMHO. PHP should provide an easy API by default for more secure applications. Parameters sent from the client are validated on the client with modern web apps. There are a number of cases where validating as int/etc. is enough.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
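The contrast the thread draws, a lossy `(int)` cast beside a conversion that refuses input that is not an integer, as an added example that is not part of the original messages. `to_int()` as discussed above is a proposed function and does not exist in PHP; `strict_int()` below is a hypothetical stand-in built on `filter_var()` with `FILTER_VALIDATE_INT`, which does exist. The sample query-string values are constructed.

```php
<?php
// Added example, not code from the thread. to_int() is only a proposal;
// strict_int() is a hypothetical stand-in implemented with filter_var(),
// which rejects anything that is not an optionally signed decimal integer
// within PHP_INT_MIN..PHP_INT_MAX (surrounding whitespace is tolerated).
function strict_int(string $value): int
{
    $result = filter_var($value, FILTER_VALIDATE_INT);
    if ($result === false) {
        // Surface the bad input instead of silently turning it into 0.
        throw new InvalidArgumentException(
            'Not an integer: ' . var_export($value, true)
        );
    }
    return $result;
}

// Constructed sample values such as a request's "id" parameter might carry.
$samples = ['42', ' 7 ', '-3', '12abc', 'foobar', '1e3', '', '0x1A', '9999999999999999999999'];

// Show, side by side, what the plain cast yields and what the strict
// conversion does with the same input.
foreach ($samples as $raw) {
    $cast = (int) $raw;
    try {
        $strictText = (string) strict_int($raw);
    } catch (InvalidArgumentException $e) {
        $strictText = 'rejected (' . $e->getMessage() . ')';
    }
    printf("%-28s (int) => %-22s strict => %s\n", var_export($raw, true), $cast, $strictText);
}

// The pattern from the thread, with the strict conversion in place of the cast:
// $user = User::get(strict_int($_GET['id'] ?? ''));
// A rejected value becomes an exception the application can log and answer
// with a 400 response, rather than a lookup for user 0.
```

Running the script prints one line per sample; the rows where the cast produces a plausible integer from garbage (`'12abc'`, `'foobar'`, `''`) while `strict_int()` throws are the cases the thread is concerned with. Because `filter_var()` returns the integer itself and `false` on failure, the `=== false` comparison is what keeps a legitimate `'0'` from being mistaken for a rejection.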
> Ideally, usage of these functions should be accompanied by some sort of > validation logic if necessary for the application. They aren’t validation > functions in themselves, they just prevent certain conversions that don’t > make sense. Say someone fails to do proper validation and does this: > > $user = User::get((int)$_GET[‘id’]); > > With this code, absolutely anything could be passed for “id” in the URL > parameter and it’d be converted to a valid integer, transforming garbage > into apparently valid values. > > On the other hand, say they did this: > > $user = User::get(to_int($_GET[‘id’])); > > If I pass something that is not a number (like “foobar”), it would throw > an exception. > This is good use case. IMHO. PHP should provide easy API by default for more secure application. Parameters sent from client are validated on client with modern web apps. There are number of cases that validating as int/etc is enough. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net