I’ve been working with PHP and MySQL for a while and I am still always learning things (hopefully faster than I forget them )
For whatever reason, I had thought that if a field was an Integer type, and an attempt to enter a non-integer happened, the query would fail.
Not so, it was pointed out to me that MySQL would “coerce” a string into the field! eg. empty string → 0
A lot can be done to help things along. eg.
instead of using a text input which would take a string, a drop-down select can sometimes be used.
intstead of a checkbox that might remain unchecked, a radio so one has to be checked.
Even toss in a bit of JavaScript to bring attention to problems before the form gets submitted.
Good Enough? Maybe for the honest majority, But as devs we are well aware that such measures can easily be got around if one wanted to.
Maybe for some things it isn’t as important.
Does it really matter if I enter “Pudding Lane” as my address into a “required” field because I don’t want to give it?
Does it matter if I change my purchase total from $99.99 to -$500.00 " lol cash please
So a lot often needs to be dealt with server-side. Maybe I don’t care so much that someone might enter a false address. But I might care very much that it not exceed 100 characters in length.
I imagine that for the most efficient control, regex should be used. eg.
instead of is_numeric($blah)
preg_match("/^[\d]{2,4}$/", $blah)
But that would likely be over-kill for something used to only SELECT a pages content. Page doesn’t exist? give them a default page. problem solved.
If I had mistakenly made an “age” field VARCHAR() expecting users to enter digits, I would have a problem if they entered “Twenty seven” instead of “27” Their fault? Nope, mine.
Credit Card numbers? No thanks, I don’t want to get any where near them, thank you very much.