Re: shortest possible check: field is set, integer or 0

Ray Hauge wrote:
Richard Lynch wrote:

On Wed, November 30, 2005 5:10 pm, Chris Lott wrote:
What is the shortest possible check to ensure that a field coming from
a form as a text type input is either a positive integer or 0, but
that also accepts/converts 1.0 or 5.00 as input?

$_CLEAN['x'] = intval(@$_POST['x']);

the '@' suppresses a notice if 'x' is not set and intval() will
force whatever is in $_POST['x'] to become an integer - knowing exactly
what it does depends on knowing how type-casting works in php.
OK so that doesn't exactly constitute a 'check' but it sure as hell
stops any idiot from giving the rest of your script anything but an
accepted value (the unsigned integer)

[I'd be very happy to get criticism from a security man like Mr. Chris
Shiflett regarding the relative 'badness' of the 'approach' I suggested
above - i.e. how much does it suck as a strategy?]

here is a quick test regarding casting (run it yourself ;-):

var_dump(
	intval( "123" ),
	intval( 123.50 ),
	intval( "123.50" ),
	intval( "123abc" ),
	intval( "abc" ),
	intval( "0" ),
	intval( false ),
	intval( null )
);



This might be good enough:

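if (isset($_POST['x'])){
 // anchored so the whole value must be digits, optionally followed by ".000";
 // without ^ and $ the pattern matches every string
 if (!preg_match('/^([0-9]+)(\\.0*)?$/D', $_POST['x'])){
   //invalid
 }
 else{
   $_CLEAN['x'] = (int) $_POST['x'];
 }
}

You could also replace:

if (!preg_match('/^([0-9]+)(\\.0*)?$/D', $_POST['x']))

with:

if(!is_numeric($_POST['x']) || $_POST['x'] < 0)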

This would ensure that your value only contains numbers, and that it is greater than zero. Then when you put it into the $_CLEAN array, you can type-cast it as an int (as in the other script) and that would convert any doubles to an integer value. If you wanted you could also round, ceil, or floor the value.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
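
An added example, not part of any message in this thread: it runs the bare intval() cast and a strict whole-string check side by side over constructed inputs, so the values that the cast silently coerces (such as "123abc" or "-5") are visible next to the values the check rejects. The function name parse_nonneg_int, the 9-digit cap and the use of PHP 8 syntax are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): returns the integer value, or
// null when the input is missing or is not a non-negative whole number.
function parse_nonneg_int(mixed $raw): ?int
{
    // $_POST values can be arrays (x[]=1); only strings are acceptable here.
    if (!is_string($raw)) {
        return null;
    }
    // \A and \z anchor the whole string, with no trailing-newline exception.
    // 1 to 9 digits keeps the value inside a 32-bit int (assumed cap).
    // An optional "." followed only by zeros accepts 1.0 and 5.00.
    if (preg_match('/\A(\d{1,9})(?:\.0+)?\z/', $raw, $m) !== 1) {
        return null;
    }
    return (int) $m[1];
}

// Constructed sample inputs, as they might arrive in $_POST['x'].
$samples = ['0', '5.00', '1.0', '123abc', '-5', '1e3', '12.5', '', ' 7', "7\n", ['1']];

foreach ($samples as $raw) {
    // intval() always yields some integer; the check can say "invalid".
    $cast = is_array($raw) ? 'n/a' : (string) intval($raw);
    printf(
        "%-10s intval=%-6s checked=%s\n",
        json_encode($raw),
        $cast,
        var_export(parse_nonneg_int($raw), true)
    );
}
```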

