Viewing 2 replies - 1 through 2 (of 2 total)
  • Yes, casting to a number type will prevent the variable from containing malicious, potentially SQL-injecting, code. All user input should be sanitized before going into the database.

    Thread Starter somtam

    (@somtam)

    Hello Daniel,
    thanks for the reply.

    I understand and I agree about validating and sanitizing the data.
    But I don’t see a security reason to cast the string to a number.
    I mean, if it is only for validating, of course, you can check with is_numeric.
    And then, when you get the data from the db, if you need it to be an int data type, you can cast it with intval.
    I am saying that because the db meta_value column is a longtext type.
    But I am asking this because I don’t know if there are other reasons beyond validating the input.

    Thanks for helping
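
    Added example, not part of either reply above and not WordPress code: a small PHP 8 script that shows the practical difference between the two approaches discussed in the thread, checking a raw value with is_numeric versus forcing it to an integer before it reaches add_option or add_post_meta. The helper names to_safe_int and save_ranking are hypothetical; the sample inputs are constructed. Run it with `php example.php`.

```php
<?php
// Added example (hypothetical helpers, not WordPress APIs). Requires PHP 8.
declare(strict_types=1);

/**
 * Return a non-negative integer, or null if the input is not a plain
 * decimal integer. Deliberately stricter than is_numeric(), which also
 * accepts floats, exponent notation and leading whitespace.
 */
function to_safe_int(mixed $value): ?int
{
    if (is_int($value)) {
        return $value >= 0 ? $value : null;
    }
    if (!is_string($value) || !preg_match('/^[0-9]{1,18}$/', $value)) {
        return null;
    }
    return (int) $value;
}

/**
 * Boundary pattern: validate, cast, and only then store. Rejects instead of
 * silently storing 0 for garbage input. Only actually writes inside WordPress.
 */
function save_ranking(int $post_id, mixed $raw): bool
{
    $rank = to_safe_int($raw);
    if ($rank === null) {
        return false;
    }
    // $rank is guaranteed to be an int here, so no string payload can be stored.
    return function_exists('add_post_meta')
        && add_post_meta($post_id, 'ranking', $rank, true) !== false;
}

// Constructed inputs, as a request parameter might carry them.
$samples = [
    '42',
    ' 42',                          // leading whitespace
    '4.2',                          // float
    '1e3',                          // exponent notation
    '42; DROP TABLE wp_postmeta',   // injection-looking string
    '<script>alert(1)</script>',    // XSS-looking string
    '',
];

printf("%-32s %-11s %-8s %s\n", 'input', 'is_numeric', 'intval', 'to_safe_int');
foreach ($samples as $s) {
    $safe = to_safe_int($s);
    printf(
        "%-32s %-11s %-8d %s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        intval($s),
        $safe === null ? 'null' : (string) $safe
    );
}
```

    Two things the table makes visible: is_numeric accepts values such as "4.2", "1e3" and " 42" that are not plain integers, so it is a weaker check than it looks; and intval strips any trailing payload from a string like "42; DROP TABLE ..." but also turns "<script>..." into 0, so casting alone hides bad input rather than rejecting it. Validating first and casting second gives both the guarantee that only an integer is ever stored and a clear failure for malformed input.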

  • The topic ‘Cast a value as an integer before using add_option, add_post_meta’ is closed to new replies.