Page 1 of 1
user input - validating for positive unsigned integers only
Posted: Thu Oct 11, 2012 11:34 am
by KatChi
I created a function to verify user input to avoid injection. This input adds an item to a cart. Due to the way the catalog is set up, I am evaluating a 2D array. The interior arrays only contain one item each. The items contained in each interior array are what will be evaluated. That is where the user input is stored and it should only be positive unsigned integers or strings of integers.
My question is, can you see any exploitable weaknesses in this function?
Code: Select all
function validNum($array){
if (!empty($array)) {
foreach($array as $product){
if(!ctype_digit($product[0])){
return false;
}
else{
$product[0] = (int)$product[0];
}
return $array;
}
}
}
Thank you in advance for your consideration.
Re: user input - validating for positive unsigned integers o
Posted: Thu Oct 11, 2012 12:58 pm
by Christopher
Look ok, though your are using a foreach but only looping through once. Is that because you don't know the key? And you are assigning to $product but it appears to be a local variable?
Maybe something like:
Code: Select all
function validNum($array){
if (!empty($array)) {
$product = current($array);
if(!ctype_digit($product[0])){
return false;
} else{
return (int)$product[0];
}
}
// note: no return statement will return null
}
Re: user input - validating for positive unsigned integers o
Posted: Thu Oct 11, 2012 2:49 pm
by KatChi
Alright, I see what you are saying. I shifted some things around.
I am more concerned about the risk of injection than anything at this particular moment. I am still trouble shooting my code and am wondering if this method of checking it is sufficient to protect my client from a malicious attack from a particular user input field.
Code: Select all
function validNum($array){
if (!empty($array)) {
foreach($array as $product){
if(!ctype_digit($product[0])){
return FALSE;
}
}
return TRUE;
}
else {
return FALSE;
}
}
Re: user input - validating for positive unsigned integers o
Posted: Thu Oct 11, 2012 4:06 pm
by Christopher
You can do the same thing with regular expressions. I prefer them. You can easily check any set of characters you want to allow and all the check or just regex character sets.
Code: Select all
// validate character set
if (!preg_match('/[^0-9]/', $parameter)) {
echo 'valid';
} else {
echo 'invalid';
}
// filter value
$parameter = preg_replace('/[^0-9]/', '', $parameter);
Re: user input - validating for positive unsigned integers o
Posted: Thu Oct 11, 2012 5:47 pm
by requinix
Regular expressions are great and all but when there's a built-in function that does exactly what you need then it's better to use that. Regexes are expensive.
Re: user input - validating for positive unsigned integers o
Posted: Sat Oct 13, 2012 9:16 am
by McInfo
Also consider that the largest 32-bit unsigned integer is 4294967295 (10 characters), and the largest 64-bit unsigned integer is 18446744073709551615 (20 characters). (See also:
MySQL Integer Types)