user input - validating for positive unsigned integers only

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
KatChi
Forum Newbie
Posts: 6
Joined: Wed Oct 10, 2012 4:00 pm

user input - validating for positive unsigned integers only

Post by KatChi »

I created a function to verify user input to avoid injection. This input adds an item to a cart. Due to the way the catalog is set up, I am evaluating a 2D array. The interior arrays only contain one item each. The items contained in each interior array are what will be evaluated. That is where the user input is stored and it should only be positive unsigned integers or strings of integers.

My question is, can you see any exploitable weaknesses in this function?

Code: Select all

        function validNum($array){
		if (!empty($array)) {
			foreach($array as $product){
				if(!ctype_digit($product[0])){
					return false;
				}
				else{
					$product[0] = (int)$product[0];
					
				}
				return $array;
			}
		}
	}
        
Thank you in advance for your consideration.
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: user input - validating for positive unsigned integers o

Post by Christopher »

Look ok, though your are using a foreach but only looping through once. Is that because you don't know the key? And you are assigning to $product but it appears to be a local variable?

Maybe something like:

Code: Select all

 function validNum($array){
                if (!empty($array)) {
                        $product = current($array);
                        if(!ctype_digit($product[0])){
                              return false;
                        } else{
                              return (int)$product[0];
                        }
                }
// note: no return statement will return null
        }
(#10850)
KatChi
Forum Newbie
Posts: 6
Joined: Wed Oct 10, 2012 4:00 pm

Re: user input - validating for positive unsigned integers o

Post by KatChi »

Alright, I see what you are saying. I shifted some things around.

I am more concerned about the risk of injection than anything at this particular moment. I am still trouble shooting my code and am wondering if this method of checking it is sufficient to protect my client from a malicious attack from a particular user input field.

Code: Select all

        function validNum($array){
		if (!empty($array)) {
			foreach($array as $product){
				if(!ctype_digit($product[0])){
					return FALSE;
				}				
			}
			return TRUE;
		}
		else {
			return FALSE;
		}
	}
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: user input - validating for positive unsigned integers o

Post by Christopher »

You can do the same thing with regular expressions. I prefer them. You can easily check any set of characters you want to allow and all the check or just regex character sets.

Code: Select all

// validate character set
if (!preg_match('/[^0-9]/', $parameter)) {
	echo 'valid';
} else {
	echo 'invalid';
}

// filter value
$parameter = preg_replace('/[^0-9]/', '', $parameter);
(#10850)
User avatar
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: user input - validating for positive unsigned integers o

Post by requinix »

Regular expressions are great and all but when there's a built-in function that does exactly what you need then it's better to use that. Regexes are expensive.
User avatar
McInfo
DevNet Resident
Posts: 1532
Joined: Wed Apr 01, 2009 1:31 pm

Re: user input - validating for positive unsigned integers o

Post by McInfo »

Also consider that the largest 32-bit unsigned integer is 4294967295 (10 characters), and the largest 64-bit unsigned integer is 18446744073709551615 (20 characters). (See also: MySQL Integer Types)
Post Reply