Posted by Jochem Maas on 06/14/14 11:33
Ray Hauge wrote:
 > Richard Lynch wrote:
 >
 >> On Wed, November 30, 2005 5:10 pm, Chris Lott wrote:
 >>
 >>
 >>> What is the shortest possible check to ensure that a field coming from
 >>> a form as a text type input is either a positive integer or 0, but
 >>> that also accepts/converts 1.0 or 5.00 as input?
 >>>
 
 $_CLEAN['x'] = intval(@$_POST['x']);
 
 the '@' suppresses a notice if 'x' is not set, and intval() will
 force whatever is in $_POST['x'] to become an integer - knowing exactly
 what it does depends on knowing how type-casting works in PHP.
 OK, so that doesn't exactly constitute a 'check', but it sure as hell
 stops any idiot from giving the rest of your script anything but an
 accepted value (the unsigned integer).
 
 [I'd be very happy to get criticism from a security man like Mr. Chris
 Shiftlett regarding the relative 'badness' of the 'approach' I suggested
 above - i.e. how much does it suck as a strategy?]
 
 here is a quick test regarding casting (run it yourself ;-):
 
 var_dump(
 intval( "123" ),     // int(123)
 intval( 123.50 ),    // int(123)  - float is truncated, not rounded
 intval( "123.50" ),  // int(123)
 intval( "123abc" ),  // int(123)  - leading digits are used, the rest ignored
 intval( "abc" ),     // int(0)
 intval( "0" ),       // int(0)
 intval( false ),     // int(0)
 intval( null )       // int(0)
 );
 
 >>
 >>
 >> This might be good enough:
 >>
 >> if (isset($_POST['x'])){
 >>  // anchored, and the digits are required: the unanchored, all-optional
 >>  // pattern would match every string and the check could never fail
 >>  if (!preg_match('/^[0-9]+(\\.0*)?$/', $_POST['x'])){
 >>    //invalid
 >>  }
 >>  else{
 >>    $_CLEAN['x'] = (int) $_POST['x'];
 >>  }
 >> }
 >>
 >>
 >>
 > You could also replace:
 >
 > if (!preg_match('/^[0-9]+(\\.0*)?$/', $_POST['x']))
 >
 > with:
 >
 >
 > if(!is_numeric($_POST['x']) || $_POST['x'] < 0)
 >
 > This would ensure that your value only contains numbers, and that it is
 > greater than zero.  Then when you put it into the $_CLEAN array, you can
 > type-cast it as an int (as in the other script) and that would convert
 > any doubles to an integer value.  If you wanted you could also round,
 > ceil, or floor the value.
 >
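The three checks proposed in this thread (a blind intval() cast, an anchored regex, and is_numeric() plus a sign check) disagree on quite a few inputs a form can deliver. The following is an added example, not code from any of the posters: it runs all three side by side over a constructed set of inputs and adds a stricter validator that also rejects arrays (x[]=1), signs, whitespace, exponents, and digit strings that (int) would silently saturate at PHP_INT_MAX. Function names are my own; it assumes PHP 7.1 or later (nullable return types, and "1e3" casting to 1000).

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.1.

/** Jochem's approach: cast whatever arrived and move on. */
function clean_intval($raw): int
{
    return intval($raw);
}

/** Richard's approach, with the regex anchored so it can actually fail. */
function clean_regex($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^[0-9]+(\.0*)?$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Ray's approach: is_numeric() plus a sign check, then cast. */
function clean_is_numeric($raw): ?int
{
    if (!is_string($raw) || !is_numeric($raw) || $raw < 0) {
        return null;
    }
    return (int) $raw;
}

/**
 * Stricter validator: digits only, optionally followed by ".0...", with no
 * sign, whitespace or exponent, and no silent saturation at PHP_INT_MAX.
 * Returns null for anything else, including arrays (x[]=1), which intval()
 * would happily turn into 1.
 */
function clean_nonneg_int($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^([0-9]+)(?:\.0*)?$/', $raw, $m)) {
        return null;
    }
    $digits = ltrim($m[1], '0');
    if ($digits === '') {
        return 0;
    }
    $n = (int) $digits;
    // (int) clamps to PHP_INT_MAX instead of failing; a round-trip catches it.
    return ((string) $n === $digits) ? $n : null;
}

// Constructed inputs, chosen to separate the approaches from each other.
$inputs = ['5', '5.00', '1.0', '0', '007', '-5', ' 12', '12abc', '1e3',
           '1.5', '0x1A', '', '99999999999999999999', ['1']];

printf("%-24s %-20s %-20s %-20s %s\n",
    'input', 'intval', 'regex', 'is_numeric', 'strict');
foreach ($inputs as $raw) {
    $label = is_array($raw) ? 'array(' . implode(',', $raw) . ')' : var_export($raw, true);
    printf("%-24s %-20s %-20s %-20s %s\n",
        $label,
        var_export(clean_intval($raw), true),
        var_export(clean_regex($raw), true),
        var_export(clean_is_numeric($raw), true),
        var_export(clean_nonneg_int($raw), true));
}
```

Running it shows the rows that matter: intval() returns -5 for '-5' (so it is not an "unsigned" check), 12 for '12abc' and ' 12', 1 for an array, and PHP_INT_MAX for the twenty-digit string; is_numeric() passes '-5' to the sign check but also accepts '1e3' and leading whitespace; only the strict validator returns null for every input that is not a plain non-negative integer, which is the property a $_CLEAN array is supposed to guarantee.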