Posted: Wed May 10, 2006 10:36 am
by Maugrim_The_Reaper
But since GET data is always a string, I don't see another option other than type casting if you want to keep things simple (= not using regex).
The simple option has baggage - see matthijs' example where a decimal value is passed. Yes, it will ensure an integer always exists - but it does so by "fixing" the data which alters the raw POST/GET data which in some cases we need to complete an in-depth validation procedure. Bad data is bad data, no matter how you disguise it... It shouldn't get used in any form as a rule of thumb.
Anyone know how the PHP Architect book addresses the stuff we've thrashed out so far? I can't see Ilia recommending type casting as the best way to validate/filter numerical data without offering a few reasons where it's NOT such a good idea...
Posted: Wed May 10, 2006 10:59 am
by Oren
I never said it was a good way. It all depends on scottayy. He should decide how to treat the data; that's why I haven't posted a solution to his problem. We need to let him decide first how to treat it. What would happen when the number is 5.455...? Does he want it to become 5, or maybe he wants it to print an error message?
Posted: Wed May 10, 2006 11:20 am
by Maugrim_The_Reaper
People are free to ignore advice, you know...
On numbers - the values passed by GET and POST are strings, it's how data is sent in a request (look at a form submission in the Live HTTP Headers extension for Firefox and you'll see why it's a string).
is_numeric() and ctype_digit() don't care about whether a variable is cast as integer, float or string so long as it spells a numerical value...
is_integer() is rarely seen in filtering logic for this reason.
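Added example, not code from the original post: it runs the functions named above (plus filter_var() with FILTER_VALIDATE_INT, which the thread does not mention) over constructed request-style values, including the comma-decimal case that comes up later in the thread, so the differences between "spells a number" and "is the integer we expect" are visible side by side. The sample values and the classify() helper are mine.

```php
<?php
// Added example (not from the original post): how the functions named above treat the
// sorts of values that actually arrive in $_GET/$_POST. All inputs are constructed
// strings, since request data is always a string, plus one real int for contrast.
// filter_var() with FILTER_VALIDATE_INT (PHP >= 5.2) is included as a stricter option.

function classify($v): array
{
    return [
        // true for "5.455", " 42", "1e3"; false for "5,455" (comma decimal) and "12abc"
        'is_numeric'   => is_numeric($v),
        // true only for a non-empty string of ASCII 0-9; given an int it did an ASCII
        // lookup (ctype_digit(53) === true) and is deprecated since PHP 8.1, so strings only
        'ctype_digit'  => is_string($v) ? ctype_digit($v) : null,
        // the cast never fails: "5.455" -> 5, "12abc" -> 12, "abc" -> 0
        'int_cast'     => (int) $v,
        // false for every string, which is why is_int()/is_integer() is useless on request data
        'is_int'       => is_int($v),
        // returns the int on success, false otherwise; rejects "5.455", "12abc", "0x1A"
        'validate_int' => filter_var($v, FILTER_VALIDATE_INT),
    ];
}

// Constructed sample inputs: what a client might put in ?num=... (and one native int).
$samples = ['42', '-7', '5.455', '5,455', '1e3', ' 42', '42 ', '0x1A', '12abc', 'abc', '', 42];

printf("%-10s %-11s %-12s %-9s %-7s %s\n",
    'input', 'is_numeric', 'ctype_digit', 'int_cast', 'is_int', 'validate_int');
foreach ($samples as $v) {
    $r = classify($v);
    $label = is_int($v) ? "int($v)" : '"' . $v . '"';
    printf("%-10s %-11s %-12s %-9s %-7s %s\n",
        $label,
        var_export($r['is_numeric'], true),
        $r['ctype_digit'] === null ? 'n/a' : var_export($r['ctype_digit'], true),
        $r['int_cast'],
        var_export($r['is_int'], true),
        var_export($r['validate_int'], true));
}
```

Run it under a current PHP and compare the columns: is_numeric() accepts signs, decimals, exponents and leading whitespace; ctype_digit() accepts only plain digit strings; the cast silently turns "5.455" and "12abc" into usable integers; filter_var() is the only one that both checks and converts without inventing a value.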
Posted: Wed May 10, 2006 12:22 pm
by RobertGonzalez
Good to know. Thanks guys.
Posted: Wed May 10, 2006 3:38 pm
by s.dot
What I have been doing is this:
    $num = $_POST['num'];
    if (is_numeric($num)) {
        $num = stripslashes($_POST['num']); // because magic quotes is on
    }
I always expect whole numbers. But then again, that doesn't mean they will always be whole numbers. Thanks for the input guys. I'll just escape it because I know there's other characters besides ' and " that need to be escaped.
Posted: Wed May 10, 2006 3:58 pm
by Maugrim_The_Reaper
Should stripslashes() go before is_numeric? No difference for numbers! Just looks odd since slashes mutate data.
Bear in mind is_numeric won't accept decimals (if you do anything with international support) using the comma convention typical on mainland Europe. It's an internal flaw in PHP not rectified by setting locales...
Posted: Thu May 11, 2006 5:24 am
by matthijs
One other example Ilia gives in his book is:
    // cast result is written back into $_GET['del'] and used as-is
    if (($_GET['del'] = (int)$_GET['del'])) {
        mysql_query("DELETE FROM users WHERE id= " . $_GET['del']);
    }
Ben Ramsey advises in a PHP Architect article (Aug 2005) to use the ctype_digit() function if input variables (should) contain numeric values.
So, it's more complicated than it seems at first. What's clear to me though is that you'll have to really think well about exactly what data you expect, want and validate. And what each function does.
Is there already a tutorial on this subject? (on these forums I mean) If not, seems like a good candidate for one to me, considering the confusion there (sometimes/often) is about what to use when and when not.
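Added example, not from Ilia's book or from matthijs' post: the cast-then-DELETE pattern quoted above, placed beside a validate-then-reject version of the same operation, both run against an in-memory SQLite database so the effect of each on constructed inputs can be seen. It assumes the pdo_sqlite extension is loaded; the function names (deleteCast, validId, deleteStrict) and the seed rows are mine, and PDO stands in for mysql_query(), which no longer exists in PHP.

```php
<?php
// Added example (not from the book or the original post). Contrasts the quoted
// cast-and-use DELETE with a validate-and-reject version of the same DELETE, using
// an in-memory SQLite database (assumes pdo_sqlite is available).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed fixture rows, reset before every request below.
function seed(PDO $db): void
{
    $db->exec('DELETE FROM users');
    foreach ([1 => 'alice', 5 => 'bob', 12 => 'carol'] as $id => $name) {
        $db->prepare('INSERT INTO users (id, name) VALUES (?, ?)')->execute([$id, $name]);
    }
}

// 1. The book's pattern: cast, then use whatever the cast produced.
function deleteCast(PDO $db, array $get): ?int
{
    if (($get['del'] = (int) $get['del'])) {           // "5.455" -> 5, "12abc" -> 12, "abc" -> 0 (falsy)
        $db->exec('DELETE FROM users WHERE id = ' . $get['del']);   // an int, so no injection...
        return $get['del'];                            // ...but not necessarily the id the client sent
    }
    return null;
}

// 2. Validate against what the application expects (a positive decimal integer, as typed),
//    reject everything else, and bind the value instead of interpolating it.
function validId(string $raw): ?int
{
    if (!ctype_digit($raw) || $raw[0] === '0' || strlen($raw) > 18) {
        return null;                                   // "5.455", "12abc", "abc", "", "0", "007": rejected
    }
    return (int) $raw;                                 // cast only after the string has been validated
}

function deleteStrict(PDO $db, array $get): ?int
{
    $id = validId((string) ($get['del'] ?? ''));
    if ($id === null) {
        return null;                                   // caller reports an error; nothing is deleted
    }
    $stmt = $db->prepare('DELETE FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $id;
}

function remaining(PDO $db): string
{
    return implode(',', $db->query('SELECT id FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed request values, as they would arrive in $_GET (always strings).
foreach (['5', '5.455', '12abc', 'abc', '0'] as $input) {
    seed($db);
    $cast = deleteCast($db, ['del' => $input]);
    $castLeft = remaining($db);
    seed($db);
    $strict = deleteStrict($db, ['del' => $input]);
    $strictLeft = remaining($db);
    printf("del=%-8s cast: deleted %-4s left [%-6s]   strict: deleted %-4s left [%s]\n",
        '"' . $input . '"', $cast ?? 'none', $castLeft, $strict ?? 'none', $strictLeft);
}
```

The interesting rows are "5.455" and "12abc": the cast version deletes user 5 and user 12 respectively, even though neither value is a valid id as sent, while the strict version deletes nothing and leaves the decision about how to report the bad input to the caller. Both versions are injection-safe; the difference is whether corrupted data gets "fixed" and acted on, which is the point made earlier in the thread.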
Posted: Thu May 11, 2006 6:11 am
by Maugrim_The_Reaper
The examples so far from the book seem to be missing the all important application context - if the data is corrupted it shouldn't be used, full stop. I just think fixing data and then using it is a mistake unless it fits the context and is an obvious user error of a minor nature...
It probably is a candidate for a good tutorial - want to write one up and submit?
Posted: Thu May 11, 2006 7:09 am
by matthijs
The examples so far from the book seem to be missing the all important application context
Yes, I agree with that. The examples themselves are perfectly clear. However, the why and when is not. (at least not at first).
want to write one up and submit?
I could do that and I could try. However, I'm not so sure I'm the right person to do that, considering my level of experience. I could try to put something together and let it be reviewed by the experts of course. I don't know what the policy is here.
Posted: Thu May 11, 2006 7:34 am
by Maugrim_The_Reaper
You can write up a tutorial and submit it to feyd - there's a Tutorial forum (non-public) where it can be peer reviewed and discussed. I have a tut in there at the moment awaiting final comments.