Numbers

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

But since GET data is always a string, I don't see another option other than type casting if you want to keep things simple (= not using regex).
The simple option has baggage - see matthijs' example where a decimal value is passed. Yes, it will ensure an integer always exists - but it does so by "fixing" the data which alters the raw POST/GET data which in some cases we need to complete an in-depth validation procedure. Bad data is bad data, no matter how you disguise it... It shouldn't get used in any form as a rule of thumb.

Anyone know how the PHP Architect book addresses the stuff we've thrashed out so far? I can't see Ilia recommending type casting as the best way to validate/filter numerical data without offering a few reasons where it's NOT such a good idea...
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

I never said it was a good way. It all depends on scottayy. He should decide how to treat the data; that's why I haven't posted a solution to his problem. We need to let him decide first how to treat it. What would happen when the number is 5.455... Does he want it to become 5, or maybe he wants it to print an error message?
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

People are free to ignore advice, you know...:)

On numbers - the values passed by GET and POST are strings; it's how data is sent in a request (look at a form submission in the Live HTTP Headers extension for Firefox and you'll see why it's a string). is_numeric() and ctype_digit() don't care whether a variable is cast as integer, float or string so long as it spells a numerical value... is_integer() is rarely seen in filtering logic for this reason.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Good to know. Thanks guys.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

What I have been doing is this:

Code:

    $num = $_POST['num'];
    if (is_numeric($num)) {
        // magic_quotes_gpc is on, so undo the backslashes it added
        $num = stripslashes($_POST['num']);
    }

I always expect whole numbers. But then again, that doesn't mean they will always be whole numbers. Thanks for the input guys. I'll just escape it because I know there are other characters besides ' and " that need to be escaped.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Should stripslashes() go before is_numeric? No difference for numbers! Just looks odd since slashes mutate data :).

Bear in mind is_numeric() won't accept decimals (if you do anything with international support) using the comma convention typical on mainland Europe. It's an internal flaw in PHP not rectified by setting locales...
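As an added example (not from any poster in this thread), the script below runs a set of constructed request strings through the checks named above, is_numeric(), ctype_digit(), is_int() and an (int) cast, plus filter_var() with FILTER_VALIDATE_INT for comparison, so the "it's always a string" point from the earlier post and the comma-decimal case from this one can be seen side by side. It assumes PHP 7.1 or later and the default ctype and filter extensions.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not from any poster or from the book under
// discussion. Every sample is a string, because that is how $_GET/$_POST
// deliver values; the samples themselves are constructed. Assumes PHP 7.1+
// ((int)'1e3' became 1000 in 7.1; earlier versions gave 1).

/** Constructed request values a client might send as ?num=... */
const SAMPLES = ['42', '007', ' 42', '+7', '-7', '5.455', '.5', '1e3', '0x1A', '3,14', '42abc', ''];

/** Run one raw request value through the checks discussed in the thread. */
function classify(string $raw): array
{
    return [
        'is_numeric'  => is_numeric($raw),   // any numeric string: sign, decimal point, exponent, leading space
        'ctype_digit' => ctype_digit($raw),  // only the characters 0-9, and at least one of them
        'is_int'      => is_int($raw),       // always false here: a request value is never an int
        '(int)'       => (int)$raw,          // never refuses anything; rewrites whatever it is given
        'filter_var'  => filter_var($raw, FILTER_VALIDATE_INT), // int on success, false otherwise
    ];
}

/** Render bools as words so the table is readable. */
function fmt($value): string
{
    if (is_bool($value)) {
        return $value ? 'true' : 'false';
    }
    return (string)$value;
}

printf("%-9s %-10s %-11s %-6s %-6s %s\n", 'input', 'is_numeric', 'ctype_digit', 'is_int', '(int)', 'filter_var');
foreach (SAMPLES as $raw) {
    $r = classify($raw);
    printf("%-9s %-10s %-11s %-6s %-6s %s\n",
        var_export($raw, true),
        fmt($r['is_numeric']),
        fmt($r['ctype_digit']),
        fmt($r['is_int']),
        fmt($r['(int)']),
        fmt($r['filter_var']));
}
```

Things to look for in the output: '3,14' fails every check (the comma problem above), '5.455' and '1e3' satisfy is_numeric() but not ctype_digit(), is_int() is false for every row, and the cast turns '42abc' into 42 and '' into 0 without complaint. Note also that ctype_digit() happily accepts '007', which a cast would rewrite to 7, so even the strict check needs a leading-zero rule if the value must round-trip unchanged.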
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

One other example Ilia gives in his book is:

Code:

    // cast first, then use the "repaired" value in the query
    if (($_GET['del'] = (int)$_GET['del'])) {
        mysql_query("DELETE FROM users WHERE id = " . $_GET['del']);
    }

Ben Ramsey advises in a PHP Architect article (Aug 2005) to use the ctype_digit() function if input variables (should) contain numeric values.

So, it's more complicated than it seems at first. What's clear to me though is that you'll have to really think well about exactly what data you expect, want and validate. And what each function does.

Is there already a tutorial on this subject? (on these forums I mean) If not, it seems like a good candidate for one to me, considering the confusion there (sometimes/often) is about what to use when and when not.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

The examples so far from the book seem to be missing the all important application context - if the data is corrupted it shouldn't be used, full stop. I just think fixing data and then using it is a mistake unless it fits the context and is an obvious user error of a minor nature...

It probably is a candidate for a good tutorial - want to write one up and submit?
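An added example, not Ilia's code and not from anyone in the thread, that puts the book's cast-then-delete pattern quoted above next to a version that validates the raw string with ctype_digit() (as the Ben Ramsey article suggests), refuses anything that is not the canonical spelling of a positive integer, and then binds the value as a query parameter instead of concatenating it. It assumes PHP 7.1 or later with the pdo_sqlite extension for the demo; the table, rows and request values are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from Ilia's book or from anyone in the thread.
// "Before" reproduces the cast-then-use pattern; "after" validates the raw
// string and refuses damaged input rather than repairing it.

/** Before: the cast never fails, so damaged input still reaches the database. */
function deleteSqlByCast(string $raw): ?string
{
    $id = (int)$raw;                 // "12abc" -> 12, "5.455" -> 5, "" -> 0
    if ($id) {                       // only 0 is turned away
        return "DELETE FROM users WHERE id = " . $id;
    }
    return null;
}

/** After: return the integer only if $raw is exactly the decimal spelling of one. */
function validateId(string $raw): ?int
{
    if (!ctype_digit($raw)) {        // rejects sign, space, '.', ',', 'e', hex, ""
        return null;
    }
    if ($raw[0] === '0') {           // "007" and "0": no leading zeros, no id 0
        return null;
    }
    // A digit string longer than PHP_INT_MAX, or the same length and larger,
    // would not survive the cast intact; compare as strings of equal length.
    $max = (string)PHP_INT_MAX;
    if (strlen($raw) > strlen($max) || (strlen($raw) === strlen($max) && strcmp($raw, $max) > 0)) {
        return null;
    }
    return (int)$raw;                // now guaranteed: (string)(int)$raw === $raw
}

/** Delete one user by id; bad data is not used in any form. */
function deleteUser(PDO $db, string $raw): bool
{
    $id = validateId($raw);
    if ($id === null) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute() && $stmt->rowCount() === 1;
}

// Demo against an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (5, 'eve'), (12, 'mallory')");

// Constructed request values: one good id, then damaged ones the cast would "fix".
foreach (['12', '12abc', '5.455', '007', '', ' 5'] as $raw) {
    printf("%-8s cast version: %-38s strict version: %s\n",
        var_export($raw, true),
        deleteSqlByCast($raw) ?? '(rejected)',
        deleteUser($db, $raw) ? 'deleted' : 'rejected');
}
```

The two columns make the thread's point concrete: the cast version would run a DELETE for '12abc', '5.455', '007' and ' 5' against ids 12, 5, 7 and 5 respectively, none of which is what the client actually sent, while the strict version deletes only for '12' and rejects the rest. Parameter binding keeps the integer out of the SQL text, so the validation rule can be as strict as the application context demands without also carrying the escaping burden.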
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

> The examples so far from the book seem to be missing the all important application context

Yes, I agree with that. The examples themselves are perfectly clear. However, the why and when is not. (at least not at first).

> want to write one up and submit?

I could do that and I could try. However, I'm not so sure I'm the right person to do that, considering my level of experience. I could try to put something together and let it be reviewed by the experts of course. I don't know what the policy is here.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

You can write up a tutorial and submit it to feyd - there's a Tutorial forum (non-public) where it can be peer reviewed and discussed. I have a tut in there at the moment awaiting final comments ;).