Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
But since GET data is always a string, I don't see another option other than type casting if you want to keep things simple (= not using regex).
The simple option has baggage - see matthijs' example where a decimal value is passed. Yes, it will ensure an integer always exists - but it does so by "fixing" the data which alters the raw POST/GET data which in some cases we need to complete an in-depth validation procedure. Bad data is bad data, no matter how you disguise it... It shouldn't get used in any form as a rule of thumb.
Anyone know how the PHP Architect book addresses the stuff we've thrashed out so far? I can't see Ilia recommending type casting as the best way to validate/filter numerical data without offering a few reasons where it's NOT such a good idea...
I never said it was a good way. It all depends on scottayy. He should decide how to treat the data, that's why I haven't posted a solution to his problem. We need to let him decide first how to treat it. What would happen when the number is 5.455...? Does he want it to become 5, or maybe he wants it to print an error message?
On numbers - the values passed by GET and POST are strings, it's how data is sent in a request (look at a form submission in the Live HTTP Headers extension on Firefox and you'll see why it's a string). is_numeric() and ctype_digit() don't care whether a variable is cast as integer, float or string so long as it spells a numerical value... is_integer() is rarely seen in filtering logic for this reason.
$num = $_POST['num'];
if (is_numeric($num)) {
    $num = stripslashes($_POST['num']); // because magic quotes is on
}
I always expect whole numbers. But then again, that doesn't mean they will always be whole numbers. Thanks for the input guys. I'll just escape it because I know there's other characters besides ' and " that need to be escaped.
Should stripslashes() go before is_numeric? No difference for numbers! It just looks odd, since slashes mutate data.
Bear in mind is_numeric won't accept decimals (if you do anything with international support) using the comma convention typical on mainland Europe. It's an internal flaw in PHP not rectified by setting locales...
// Cast to int, then only run the query when the result is non-zero
if (($_GET['del'] = (int) $_GET['del'])) {
    mysql_query("DELETE FROM users WHERE id = " . $_GET['del']);
}
Ben Ramsey advises in a PHP Architect article (Aug 2005) to use the ctype_digit() function if input variables (should) contain numeric values.
So, it's more complicated than it seems at first. What's clear to me though is that you'll have to really think well about exactly what data you expect, want and validate. And what each function does.
Is there already a tutorial on this subject? (on these forums I mean) If not, it seems like a good candidate for one to me, considering the confusion there (sometimes/often) is about what to use when and when not.
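To make the differences discussed in this thread concrete (is_numeric vs ctype_digit vs the (int) cast, the 5.455 case, the European comma decimal, and the DELETE snippet above), here is an added example that is not from any of the posts or from the PHP Architect book. It prints what each function makes of a handful of constructed form values, then shows a validator that rejects anything other than a whole number instead of "fixing" it, and a version of the DELETE that refuses to run on bad input. It assumes PHP 7.1 or later and a PDO connection supplied by the caller; mysql_query() no longer exists in PHP 7.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.1.
declare(strict_types=1);

// Constructed sample inputs a form could send. GET/POST values are always strings.
$samples = ['42', '-7', '5.455', '5,455', '1e3', ' 42', '42abc', '', '0x1A', '007'];

printf("%-9s %-10s %-12s %-10s %s\n", 'input', 'is_numeric', 'ctype_digit', '(int)cast', 'filter_var');
foreach ($samples as $raw) {
    // filter_var returns the int, or false when the string is not a plain integer
    $filtered = filter_var($raw, FILTER_VALIDATE_INT);
    printf("%-9s %-10s %-12s %-10d %s\n",
        var_export($raw, true),
        is_numeric($raw) ? 'true' : 'false',   // accepts '5.455', '1e3', ' 42', '-7'
        ctype_digit($raw) ? 'true' : 'false',  // accepts only an unsigned run of 0-9
        (int) $raw,                            // silently turns '5.455' into 5, '42abc' into 42
        $filtered === false ? 'false' : (string) $filtered
    );
}

/**
 * Validate that $raw is a whole number within [$min, $max].
 * Returns the int, or null for anything else: no silent truncation of
 * '5.455' to 5, and '5,455' (comma decimal) is rejected rather than coerced.
 */
function validate_whole_number(string $raw, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    // ctype_digit rejects '', '-7', ' 42', '1e3', '5.455' and '5,455' outright
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT additionally rejects leading zeros ('007') and
    // values that overflow PHP_INT_MAX, and enforces the range
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $n === false ? null : $n;
}

/**
 * Safer form of the DELETE snippet: the query only runs once the id has
 * validated, and the value is bound as a parameter instead of interpolated.
 * $pdo is assumed to be an open PDO connection (hypothetical, not shown here).
 */
function delete_user(PDO $pdo, string $rawId): bool
{
    $id = validate_whole_number($rawId);
    if ($id === null) {
        return false; // bad data is bad data: report it, don't "fix" it
    }
    $stmt = $pdo->prepare('DELETE FROM users WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    return $stmt->execute();
}

// Example of wiring it to a request; at the CLI $_GET is empty, so this just prints the rejection.
if (validate_whole_number($_GET['del'] ?? '') === null) {
    echo "del: rejected\n";
}
```

Running the first loop shows why the thread keeps circling: is_numeric() happily passes '5.455', '1e3' and ' 42', the (int) cast turns '42abc' into 42 and '5.455' into 5 without complaint, while ctype_digit() and FILTER_VALIDATE_INT are the only two that say "no" to everything that isn't a plain whole number. The comma case '5,455' is rejected by all four, which is the point made above about European decimals: you have to decide up front whether that input is an error or needs locale-aware parsing before it reaches the validator.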
The examples so far from the book seem to be missing the all important application context - if the data is corrupted it shouldn't be used, full stop. I just think fixing data and then using it is a mistake unless it fits the context and is an obvious user error of a minor nature...
It probably is a candidate for a good tutorial - want to write one up and submit?
The examples so far from the book seem to be missing the all important application context
Yes, I agree with that. The examples themselves are perfectly clear. However, the why and when is not. (at least not at first).
want to write one up and submit?
I could do that and I could try. However, I'm not so sure I'm the right person to do that, considering my level of experience. I could try to put something together and let it be reviewed by the experts of course. I don't know what the policy is here.
You can write up a tutorial and submit it to feyd - there's a Tutorial forum (non-public) where it can be peer reviewed and discussed. I have a tut in there at the moment awaiting final comments.