Posted by Jochem Maas on 09/30/14 11:33
Ray Hauge wrote:
> Richard Lynch wrote:
>
>> On Wed, November 30, 2005 5:10 pm, Chris Lott wrote:
>>
>>
>>> What is the shortest possible check to ensure that a field coming from
>>> a form as a text type input is either a positive integer or 0, but
>>> that also accepts/converts 1.0 or 5.00 as input?
>>>
$_CLEAN['x'] = intval(@$_POST['x']);
the '@' suppresses a notice if 'x' is not set and intval() will
force whatever is in $_POST['x'] to become an integer - knowing exactly
what it does depends on knowing how type-casting works in php.
OK so that doesn't exactly constitute a 'check' but it sure as hell
stops any idiot from giving the rest of your script anything but an
accepted value (the unsigned integer)
[I'd be very happy to get criticism from a security-man like mr. Chris
Shiflett regarding the relative 'badness' of the 'approach' I suggested
above - i.e. how much does it suck as a strategy?]
here is a quick test regarding casting (run it yourself ;-):
<?php
var_dump(
    intval( "123" ),      // int(123)  numeric string
    intval( 123.50 ),     // int(123)  float is truncated, not rounded
    intval( "123.50" ),   // int(123)  numeric string, fraction dropped
    intval( "123abc" ),   // int(123)  leading digits are used, the rest is ignored
    intval( "abc" ),      // int(0)    nothing numeric at the start
    intval( "0" ),        // int(0)
    intval( false ),      // int(0)
    intval( null )        // int(0)    the '@' case above: an unset field becomes 0
);
>>
>>
>> This might be good enough:
>>
>> if (isset($_POST['x'])) {
>>     // anchored: digits, optionally followed by ".0", ".00", ...
>>     if (!preg_match('/^[0-9]+(\\.0*)?$/', $_POST['x'])) {
>>         // invalid
>>     }
>>     else {
>>         $_CLEAN['x'] = (int) $_POST['x'];
>>     }
>> }
>>
>>
>>
> You could also replace:
>
> if (!preg_match('/^[0-9]+(\\.0*)?$/', $_POST['x']))
>
> with:
>
>
> if(!is_numeric($_POST['x']) || $_POST['x'] < 0)
>
> This would ensure that your value only contains numbers, and that it is
> greater than zero. Then when you put it into the $_CLEAN array, you can
> type-cast it as an int (as in the other script) and that would convert
> any doubles to an integer value. If you wanted you could also round,
> ceil, or floor the value.
>
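A side-by-side run of the three approaches from this thread (blind intval(), anchored regex, is_numeric() plus cast) on constructed sample values. This is an added example, not code from any of the posters; the helper names and the sample inputs are assumptions.

```php
<?php
// Added example: the three strategies in the thread applied to the same constructed
// form values. Helper names and sample inputs are assumptions, not from the posters.
declare(strict_types=1);

// Strategy 1: blind cast. Never rejects anything; "123abc" silently becomes 123.
function clean_intval(?string $raw): int
{
    return intval($raw);
}

// Strategy 2: anchored regex. Digits, optionally followed by ".0", ".00", ...
function clean_regex(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[0-9]+(\.0*)?$/', $raw)) {
        return null;            // reject
    }
    return (int) $raw;
}

// Strategy 3: is_numeric() plus sign check, then cast. Note that is_numeric()
// also accepts exponents ("1e3") and leading whitespace (" 42").
function clean_numeric(?string $raw): ?int
{
    if ($raw === null || !is_numeric($raw) || $raw < 0) {
        return null;            // reject non-numeric or negative
    }
    if ((float) $raw != floor((float) $raw)) {
        return null;            // added here: reject 5.5 rather than truncating it to 5
    }
    return (int) $raw;
}

$samples = ['5.00', '1.0', '0', '123abc', '-3', '5.5', '1e3', ' 42', '', null];
$show    = fn(?int $v): string => $v === null ? 'reject' : (string) $v;

printf("%-9s %8s %8s %8s\n", 'input', 'intval', 'regex', 'numeric');
foreach ($samples as $raw) {
    printf("%-9s %8s %8s %8s\n",
        var_export($raw, true),
        clean_intval($raw),
        $show(clean_regex($raw)),
        $show(clean_numeric($raw)));
}
```

The table makes the trade-off visible: only intval() lets "123abc" and "" through as numbers, while the regex is the strictest of the three and is_numeric() admits forms such as "1e3" that the original question did not ask for.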