Jens

Reputation: 1315

Micro-optimization: Using typecast as means of validation

I was doing some benchmarking experiments in micro-optimization and I fell upon the idea of testing type casting versus functions that check for a specific data type. Specifically (int) vs is_numeric(). My theoretical standpoint is that if I have already ensured that my variable IS indeed an integer, I would have no need to actually check it.

$a = (int) $_POST['a'];

Versus:

$v = $_POST['a'];
if (is_numeric($v)) {
    $a = $v;
}

The first of the two examples would most of the time execute around 3-4 times faster than the control structure.

Does anybody have opinions on "best practice" on this matter? Is it too sloppy or risky for future development to use typecasting as validation?

Upvotes: 1

Views: 292

Answers (3)

Emanuel

Reputation: 881

If it's your script generating the POST input 'a', and it never will do anything out of the ordinary by itself, I'd say only casting is sufficient and usually preferred.

Most users have no idea about how information is transferred over the Internet, and they are unlikely to alter your forms or your JavaScript by accident. The people who DO know about how POSTS and forms and such things work know what they are doing when they manipulate the data sent. If their experiments will make your site produce weird results, I'd say that's no problem as long as the results are useless (harmless).

If 'a' would be the ID of a row in a MySQL table, then if they provide some weird values, the worst thing that could happen is that they get to see another row, or no row at all. If there are rows, however, which not everybody is allowed to see, then there should be some kind of authentication procedure which should kick in and prevent access to the row.

Upvotes: 0

deceze

Reputation: 522125

Testing whether something is an int and blindly casting any value to an int are two different things. Use whichever is more appropriate for the situation. If you need to validate user input and reject invalid values, test. If you just need any integer, even if that value has nothing to do with the original user input, you may as well cast. The difference in performance should be so minimal as to be irrelevant vis-à-vis the difference in functionality.

Upvotes: 1

GordonM

Reputation: 31740

It's not a bad idea, but not for the reasons you think. It guarantees that what you get from the form is always in the data format you're expecting. This means (for ints, floats and bools at any rate, strings are another matter) that there's no way to carry out an SQL injection attack through fields protected in such a manner. This doesn't mean for sure that the data will be valid though (negative values where only positive values would be valid and such like), so you'll probably still have to do further validation on top of casting.

As far as performance goes, you're basically talking about a micro-optimization. Never worry about such things unless you can prove without question that there's a real need and not doing so will hurt the performance of your application in a meaningful way.

Upvotes: 0
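As an added example (not code from the question or from any of the answers), the following PHP script runs the (int) cast from the question, is_numeric(), and filter_var() with FILTER_VALIDATE_INT over a set of constructed request values, to make visible the distinction deceze draws between testing and casting, and the range check GordonM says a cast alone does not give you. The function names and the sample values are assumptions of this example.

```php
<?php
// Added example: compares (int) casting with actual validation of request input.
// All sample values are constructed; $_POST values always arrive as strings.
declare(strict_types=1);

$samples = ['42', ' 42', '42abc', '4.2', '1e3', 'abc', '', '-7', '0x1A', '99999999999999999999'];

// Accept only a string that is a plain decimal integer; anything else is rejected (null).
function intFromRequest(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Same, plus the extra rule a cast cannot express: a row id must be >= 1.
function positiveIdFromRequest(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

printf("%-24s %-22s %-12s %-10s %-10s\n", 'input', '(int) cast', 'is_numeric', 'validate', 'id >= 1');
foreach ($samples as $raw) {
    printf(
        "%-24s %-22s %-12s %-10s %-10s\n",
        var_export($raw, true),
        (string) (int) $raw,                      // blind cast: never rejects, silently reshapes
        is_numeric($raw) ? 'true' : 'false',      // the question's test: accepts floats and exponents too
        var_export(intFromRequest($raw), true),   // null means "reject this request"
        var_export(positiveIdFromRequest($raw), true)
    );
}
```

The cast column never contains a rejection, which is why a cast integer cannot carry an SQL injection, while the two validate columns show the inputs a test-then-reject approach would turn away instead of silently turning into 0 or a truncated number.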
