PHP Security - (int) vs FILTER_VALIDATE_INT
The difference is that a cast to int will always get you an int, which may or may not be the original value. E.g. (int)'foobar' results in the int 0. This makes it safe for most SQL purposes, but has nothing to do with the original value, and you won't even know it.

filter_var with FILTER_VALIDATE_INT tells you whether the value is an int, based on which you can make the decision to use it in an SQL query or display an error message to the user.
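As an added example (not code from either answer above), the following PHP script contrasts (int) casting with FILTER_VALIDATE_INT on constructed form inputs, then shows the validated value being bound as an integer in a prepared statement; the products table and its columns are assumed.

```php
<?php
// Added example: (int) cast vs FILTER_VALIDATE_INT on constructed sample input.

/** Return a validated int, or null when the input is not an integer string. */
function validateInt(?string $raw, array $options = []): ?int
{
    if ($raw === null) {
        return null;
    }
    // Compare with !== false: "0" is a valid int and 0 itself is falsy.
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => $options]);
    return $value === false ? null : $value;
}

// Constructed inputs a text field might deliver (everything in $_POST is a string).
$samples = ['42', '0', ' 7 ', '+5', '007', '42abc', 'foobar', '1e3', '0x1A'];

printf("%-10s %-12s %s\n", 'input', '(int) cast', 'FILTER_VALIDATE_INT');
foreach ($samples as $raw) {
    $validated = validateInt($raw);
    printf("%-10s %-12d %s\n",
        var_export($raw, true),
        (int) $raw,                                  // always yields an int, never fails
        $validated === null ? 'rejected' : $validated); // false for '007', '42abc', 'foobar', ...
}

// Range options reject values that are ints but out of bounds for the field.
var_dump(validateInt('150', ['min_range' => 1, 'max_range' => 100])); // NULL

// Using the validated value: reject early instead of querying with a coerced 0.
// Table and column names (products, id, price) are assumed for this example.
function fetchPrice(PDO $pdo, ?string $rawId): ?array
{
    $id = validateInt($rawId, ['min_range' => 1]);
    if ($id === null) {
        return null; // caller shows an error message instead of running the query
    }
    $stmt = $pdo->prepare('SELECT id, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}
```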
    <input type="text" name="param">

    <?php
    $price = filter_input(INPUT_POST, 'param', FILTER_VALIDATE_INT);
    if ($price !== false) {
        print " a number."; // works when the value is a number
    }
    if (is_int($_POST['param'])) {
        print "is number."; // does not work when the value is a number: $_POST values are strings
    }

Please try testing this when the value is a number.