WebApp Sec mailing list archives
Re: PHP variable sanitization functions
From: "Tim Tompkins" <lists () spiderlinks org>
Date: Fri, 29 Aug 2003 10:19:54 -0700
function check_numeric($numeric, $extras='') {
    if (!is_numeric($numeric)) {
        $this->set_error("Type not numeric");
        return FALSE;
    }
    // convert it to int for checking (note: this truncates any fractional part)
    $numeric_val = (int)$numeric;
    return ($this->check_integer($numeric_val, $extras));
}
Note that "numeric" != "integer". Numeric also includes real numbers (floats), so your cast to int could alter the intentions of the caller if $extras contains fractional "minimum" and/or "maximum" values. Imagine a form testing input through check_numeric() with a value of 12.5 to be in the range of 12.25 to 12.75. 12.5 would pass is_numeric(), but would fail once passed through check_integer().

Actually, since check_integer() also expects "minimum" and "maximum" to be integers, testing a float range would return a false positive because "minimum" and/or "maximum" would not test out to integers, so the range tests would never be applied. So check_numeric() with a value of 1 and a range of 10.0 to 20.0 would test true.

-- Tim Tompkins
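The truncation and skipped-range problem described in the reply above, as an added example written for this archive page (it is not code from the thread). check_integer() is never shown in the thread, so the version below is an assumption built from the description above: it only honours "minimum"/"maximum" bounds that are themselves integers. The flawed check_numeric_flawed() reproduces the quoted code; check_numeric() is a corrected variant that compares as floats so fractional values and fractional bounds both work.

```php
<?php
// Added example, not from the mailing-list post. Validator, check_integer()
// and the error-collecting set_error() are assumptions for illustration.

class Validator
{
    public $errors = [];

    public function set_error($msg)
    {
        $this->errors[] = $msg;
    }

    // Assumed shape of the original check_integer(): the value must be an int,
    // and a bound is only applied when the bound itself is an int. Float bounds
    // are silently ignored, which is the false positive Tim points out.
    public function check_integer($int, $extras = '')
    {
        if (!is_int($int)) {
            $this->set_error("Type not integer");
            return FALSE;
        }
        if (is_array($extras)) {
            if (isset($extras['minimum']) && is_int($extras['minimum']) && $int < $extras['minimum']) {
                $this->set_error("Below minimum");
                return FALSE;
            }
            if (isset($extras['maximum']) && is_int($extras['maximum']) && $int > $extras['maximum']) {
                $this->set_error("Above maximum");
                return FALSE;
            }
        }
        return TRUE;
    }

    // The flawed check quoted in the thread: (int)"12.5" becomes 12, so the
    // fractional part is lost before any range test runs.
    public function check_numeric_flawed($numeric, $extras = '')
    {
        if (!is_numeric($numeric)) {
            $this->set_error("Type not numeric");
            return FALSE;
        }
        $numeric_val = (int)$numeric;
        return $this->check_integer($numeric_val, $extras);
    }

    // Corrected: keep the value numeric and compare bounds as floats, so a
    // fractional value and a fractional range are both honoured.
    public function check_numeric($numeric, $extras = '')
    {
        if (!is_numeric($numeric)) {
            $this->set_error("Type not numeric");
            return FALSE;
        }
        $val = (float)$numeric;
        if (is_array($extras)) {
            if (isset($extras['minimum']) && is_numeric($extras['minimum']) && $val < (float)$extras['minimum']) {
                $this->set_error("Below minimum");
                return FALSE;
            }
            if (isset($extras['maximum']) && is_numeric($extras['maximum']) && $val > (float)$extras['maximum']) {
                $this->set_error("Above maximum");
                return FALSE;
            }
        }
        return TRUE;
    }
}

// Constructed inputs: the two cases from the reply above.
$v = new Validator();
$tight = ['minimum' => 12.25, 'maximum' => 12.75];
$wide  = ['minimum' => 10.0,  'maximum' => 20.0];

var_dump($v->check_numeric_flawed('12.5', $tight));
var_dump($v->check_numeric_flawed('1', $wide));
var_dump($v->check_numeric('12.5', $tight));
var_dump($v->check_numeric('1', $wide));
print_r($v->errors);
```

Run with the PHP CLI. The flawed function accepts both constructed inputs, including the value 1 against the 10.0 to 20.0 range, because the float bounds never reach a comparison; the corrected function accepts 12.5 in 12.25 to 12.75 and rejects 1 against 10.0 to 20.0, recording "Below minimum". If exact decimal comparison matters (currency, for instance), compare with bccomp() on the original strings instead of casting to float.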