Posted by Steve Edberg on 10/21/15 11:33
Only problem with intval() is that it returns 0 (a valid value) on
failure, so we need to check for 0 first. Adding more secure checks
would make this more than just a one-liner, e.g.:
$_CLEAN['x'] = false;
if (isset($_POST['x'])) {
    if (0 == 1*$_POST['x']) {
        $_CLEAN['x'] = 0;
    } else {
        $x = intval($_POST['x']);
        if ($x > 0 && $x == 1*$_POST['x']) {
            $_CLEAN['x'] = $x;
        }
    }
}
Reducing to a two-liner, if you *really* want:
$x = intval(@$_POST['x']);
$_CLEAN['x'] = (isset($_POST['x']) ? ((0 == 1*$_POST['x']) ? 0 :
                (($x > 0 && $x == 1*$_POST['x']) ? $x : false)) : false);
(all untested)
That *should* return false unless all your conditions are set, in
which case it will return your cardinal number (non-negative integer).
Disclaimer: Currently operating on caffeine deficit; it's possible
I'm answering a question no one asked.
steve
At 3:41 PM +0100 12/1/05, Jochem Maas wrote:
>Ray Hauge wrote:
>>Richard Lynch wrote:
>>
>>>On Wed, November 30, 2005 5:10 pm, Chris Lott wrote:
>>>
>>>>What is the shortest possible check to ensure that a field coming from
>>>>a form as a text type input is either a positive integer or 0, but
>>>>that also accepts/converts 1.0 or 5.00 as input?
>>>>
>
>$_CLEAN['x'] = intval(@$_POST['x']);
>
>the '@' suppresses a notice if 'x' is not set and intval() will
>force whatever is in $_POST['x'] to become an integer - knowing exactly
>what it does depends on knowing how type-casting works in php.
>OK so that doesn't exactly constitute a 'check' but it sure as hell
>stops any idiot from giving the rest of your script anything but an
>accepted value (the unsigned integer)
>
>[I'd be very happy to get criticism from a security-man like mr. Chris
>Shiflett regarding the relative 'badness' of the 'approach' I suggested
>above - i.e. how much does it suck as a strategy?]
>
>here is a quick test regarding casting (run it yourself ;-):
>
>var_dump(
>    intval( "123" ),
>    intval( 123.50 ),
>    intval( "123.50" ),
>    intval( "123abc" ),
>    intval( "abc" ),
>    intval( "0" ),
>    intval( false ),
>    intval( null )
>);
>
>>>
>>>
>>>This might be good enough:
>>>
>>>if (isset($_POST['x'])){
>>>    if (!preg_match('/([0-9]*)(\\.0*)?/', $_POST['x'])){
>>>        //invalid
>>>    }
>>>    else{
>>>        $_CLEAN['x'] = (int) $_POST['x'];
>>>    }
>>>}
>>>
>>>
>>You could also replace:
>>
>>if (!preg_match('/([0-9]*)(\\.0*)?/', $_POST['x']))
>>
>>with:
>>
>>
>>if(!is_numeric($_POST['x']) || $_POST['x'] < 0)
>>
>>This would ensure that your value only contains numbers, and that
>>it is greater than zero. Then when you put it into the $_CLEAN
>>array, you can type-cast it as an int (as in the other script) and
>>that would convert any doubles to an integer value. If you wanted
>>you could also round, ceil, or floor the value.
>>
--
+--------------- my people are the people of the dessert, ---------------+
| Steve Edberg http://pgfsun.ucdavis.edu/ |
| UC Davis Genome Center sbedberg@ucdavis.edu |
| Bioinformatics programming/database/sysadmin (530)754-9127 |
+---------------- said t e lawrence, picking up his fork ----------------+
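An added example, not code from this thread or from any of the posters: one function that does the check Chris Lott asked for (a non-negative integer, also accepting the "1.0" / "5.00" spellings, everything else rejected), run over constructed inputs next to intval() and is_numeric() so the differences the thread argues about are visible. The function name clean_cardinal and the sample values are my own; $_CLEAN follows the thread's naming.

```php
<?php
// Added example (not from the thread). Accept a form string that is a
// non-negative integer, including "1.0" / "5.00", and return it as an int;
// return false for anything else.

function clean_cardinal($value)
{
    // Form fields arrive as strings. Arrays (x[]=1) and missing fields are
    // rejected here, so the caller never needs the '@' from the one-liner.
    if (!is_string($value)) {
        return false;
    }

    // Anchored pattern: digits, optionally followed by "." and one or more
    // zeros. The thread's unanchored '/([0-9]*)(\.0*)?/' matches every
    // input, because both groups may be empty, so it rejects nothing.
    // \z instead of $ so a trailing newline is not silently accepted.
    if (!preg_match('/^(\d+)(?:\.0+)?\z/', $value, $m)) {
        return false;
    }

    // Strip leading zeros ("007" -> "7"); an all-zero string is the value 0.
    $digits = ltrim($m[1], '0');
    if ($digits === '') {
        return 0;
    }

    // Round-trip through int to catch overflow: (int)"99999999999999999999"
    // clamps to PHP_INT_MAX instead of failing, so the string would differ.
    $n = (int) $digits;
    if ((string) $n !== $digits) {
        return false;
    }
    return $n;
}

// Constructed inputs: the cases discussed in the thread plus a few that
// intval() and is_numeric() treat differently from what the question wants.
$samples = array(
    '0', '5', '5.00', '1.0', '007',          // should be accepted
    '-1', '1.5', 'abc', '123abc', '1e3',     // should be rejected
    ' 5', '', '9999999999999999999999',      // leading space, empty, overflow
);

printf("%-28s %-12s %-14s %s\n", 'input', 'intval()', 'is_numeric()', 'clean_cardinal()');
foreach ($samples as $s) {
    printf("%-28s %-12s %-14s %s\n",
        var_export($s, true),
        var_export(intval($s), true),
        var_export(is_numeric($s), true),
        var_export(clean_cardinal($s), true)
    );
}

// Usage with the thread's convention; a missing field yields false.
$_CLEAN = array();
$_CLEAN['x'] = clean_cardinal(isset($_POST['x']) ? $_POST['x'] : null);
```

The table it prints is the point: intval() turns "123abc" into 123 and "abc" into 0 (the failure value the first reply worries about), is_numeric() accepts "1e3", "1.5", "-1" and a leading space, while the anchored regex plus the int round-trip accepts only the cardinal spellings and refuses values that would overflow PHP_INT_MAX. What intval() returns for "1e3" depends on the PHP version, which is another reason not to rely on it alone for validation.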