Page 3 of 3 (posts 51 to 62 of 62)
  1. #51 cranjled (SitePoint Addict, joined Apr 2004, ny, 382 posts)
    is_numeric() ... is fine to use when you're expecting a number that's either positive, negative, decimal, or even zero. In all these cases, you'll get a TRUE. A zero returning TRUE sometimes throws people off, but a 0 is in fact numeric. There are a couple of gotchas though...(well, after you get the hang of 'em, they're actually 'features')...

    First gotcha is that is_numeric() will return TRUE when it's passed an exponential number such as +0123.45e6 even though the number has a letter in it.

    Second gotcha is that hexadecimal values will also return as TRUE so long as they do not contain a sign, decimal or exponent; for example, a value of 0xFF returns TRUE.

    ctype_digit() ... will return TRUE only if the value passed consists only of numbers. A decimal or negatively signed number will cause a FALSE. ...again, the gotcha/feature paradox... but perfectly logical upon consideration.

    intval() ... I think this might produce unexpected results, depending on the value passed. I haven't really tried it out...

    ...and along the vein of PHP types...

    Check out this sweet Type Comparison Chart...a must bookmark!

    Hope that helps,

    - Cranjled
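The three functions named in the post behave differently on the same inputs, and the differences are exactly what matters when a GET value is about to become a database id. The example below is added here and is not code from the thread; it runs each function over the post's sample values (plus a few constructed ones) and then shows a strict validator, `is_strict_int()` (a name chosen for this example), that accepts only an optional minus sign followed by ASCII digits. Two version notes: since PHP 7.0 `is_numeric('0xFF')` returns false (hex strings stopped being numeric), and since PHP 7.1 `intval()` understands exponent notation, so `intval('+0123.45e6')` is 123450000 rather than 123.

```php
<?php
// Added example, not from the thread: compare is_numeric(), ctype_digit()
// and intval() on the inputs discussed in the post, then apply a strict
// whitelist check suitable for an integer id taken from $_GET.

function describe(string $input): array
{
    return [
        'is_numeric'  => is_numeric($input),
        'ctype_digit' => ctype_digit($input),
        'intval'      => intval($input),
    ];
}

// Strict check: optional leading '-' then ASCII digits only. Rejects hex,
// exponents, decimal points, whitespace, a leading '+' and the empty string.
function is_strict_int(string $input): bool
{
    if ($input === '' || strlen($input) > 18) {   // 18 digits always fits a 64-bit int
        return false;
    }
    $digits = ($input[0] === '-') ? substr($input, 1) : $input;
    return $digits !== '' && ctype_digit($digits);
}

// Constructed sample values, including the gotchas named in the post.
$samples = ['42', '0', '-7', '+0123.45e6', '0xFF', '12abc', '', ' 5'];

foreach ($samples as $s) {
    $d = describe($s);
    printf("%-14s is_numeric=%-5s ctype_digit=%-5s intval=%-12s strict=%s\n",
        var_export($s, true),
        var_export($d['is_numeric'], true),
        var_export($d['ctype_digit'], true),
        $d['intval'],
        var_export(is_strict_int($s), true));
}
```

The point of `is_strict_int()` is that it never tries to interpret the value; it only answers "does this look exactly like an integer", and the script casts afterwards. `intval()` on its own silently turns `12abc` into 12 and `0xFF` into 0, which is why the post is right to be wary of relying on it for validation.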

  2. #52 MRoderick (SitePoint Member, joined Jun 2004, Malmö, Sweden, 5 posts)
    I always sanitize the user input, whether it's from GET or POST.
    http://www.owasp.org/index.php/OWASP_PHP_Filters

    Tried and tested methods, can easily be combined with more sanity

    In fact, just visit http://www.owasp.org/
    and start reading

  3. #53 cranjled (SitePoint Addict, joined Apr 2004, ny, 382 posts)
    Quote Originally Posted by MRoderick
    I always sanitize the user input, whether it's from GET or POST.
    Good point...! Of course all user input is malicious and should be validated. I wasn't meaning to imply that sanitizing just $_GET was good enough...it's just what the main theme of the thread was...



    Thanks for the link,

    - Cranjled

  4. #54 Dan Friedman (SitePoint Member, joined Apr 2006, 0 posts)
    PHP Code:
    <?php

    function clean($var) { /* ... cleaning logic goes here ... */ return $var; }
    foreach ($_GET as $key => $value) {
        $_GET[$key] = clean($value);
    }

    ?>
    edit: Just saw: http://www.sitepoint.com/forums/show...3&postcount=30

    I tried editing $_GET and other similar values directly before and I think it didn't work... does it?

  5. #55 GzThai (SitePoint Enthusiast, joined Sep 2006, USA, 52 posts)
    You should always use error checking for your $_GET variables. It could be something as simple as this:

    $variable = $_GET['variable'];

    if($variable=='category1'){
    echo "<p>some text</p>";
    }
    else{
    echo "<p>You broke the Internet.</p>";
    }
    Or, you could use ereg and eregi expressions to check whether the variable contains only text.

    Just visit http://books.gzthai.com
    and start downloading and reading.

  6. #56 cranjled (SitePoint Addict, joined Apr 2004, ny, 382 posts)
    Quote Originally Posted by Dan Friedman
    PHP Code:
    <?php

    function clean($var) { /* ... cleaning logic goes here ... */ return $var; }
    foreach ($_GET as $key => $value) {
        $_GET[$key] = clean($value);
    }

    ?>
    edit: Just saw: http://www.sitepoint.com/forums/show...3&postcount=30

    I tried editing $_GET and other similar values directly before and I think it didn't work... does it?
    The simple test below proves that you can edit a $_GET variable directly.
    Code:
        // Getting the 'raw' GET variable.
        $bad_get = $_GET['var'];
        echo "<p>$bad_get</p>";
    
        // Resetting the GET variable within the script.
        $_GET['var'] = 'this';
    
        // The end result.
        echo '<pre>';
        print_r($_GET);
        echo '</pre>';
    However, doing this is a bad idea; it can lead to complacency. It's best to get the data from $_GET where you can then fully process/inspect it...and only ever use /your/ re-assigned variables...and never the direct $_GETs.

    After you get the data from the $_GET variable, trash it to make sure no holes can be introduced in this way.

    At least, that's how I do it!


  7. #57 cranjled (SitePoint Addict, joined Apr 2004, ny, 382 posts)
    Quote Originally Posted by GzThai
    ...or, you could use ereg and eregi expressions to check if the variable contains only text...
    PHP's "Character Type Functions" are very specific, fast, and much easier to use than *reg* expressions. To date, there are 11 such functions listed in the PHP Manual, most of which return either true or false. Instead of an elaborate pattern comparison as with the *reg* functions, each ctype function has its own very specific task.

    For example, to test a variable for "only text" as you'd mentioned in your post, all you need is:
    PHP Code:
    $is_alpha = ctype_alpha($var);
    // $is_alpha will be TRUE if only letters in $var; FALSE otherwise. 
    Or, if you wanted to allow numbers and letters,
    PHP Code:
    $is_alnum = ctype_alnum($var);
    // $is_alnum will be TRUE if $var contains only numbers and letters; FALSE otherwise. 
    Of course, you could also put these functions into conditionals like:
    PHP Code:
    if (!ctype_alpha($var)) {
        // More than letters were submitted; do something about it!
    }

    Check them out ... those functions have saved me much work ... and code!
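Two things are worth checking before a ctype function ever sees a GET value: that the value is actually a string (a request such as `?q[]=x` hands PHP an array, and the ctype functions are only defined for strings; passing other types is deprecated as of PHP 8.1), and that a sensible length limit applies. The example below is added here and is not code from the thread; `validate_text()` and the sample inputs are made up for it. It wraps `ctype_alpha()`/`ctype_alnum()` in those checks and shows which constructed inputs pass, including that the empty string is rejected because `ctype_alpha('')` returns false.

```php
<?php
// Added example, not from the thread: a small validator around
// ctype_alpha()/ctype_alnum() that also handles non-string input and length.
// Runs with the default "C" locale, so only ASCII letters count as alpha.

function validate_text($value, bool $allow_digits = false, int $max_len = 64): ?string
{
    // Raw $_GET entries can be arrays (?q[]=x); ctype_* expects a string.
    if (!is_string($value)) {
        return null;
    }
    // Length cap: no reason to run character checks on a megabyte of input.
    if (strlen($value) > $max_len) {
        return null;
    }
    // ctype_alpha('') and ctype_alnum('') are both false, so '' is rejected here.
    $ok = $allow_digits ? ctype_alnum($value) : ctype_alpha($value);
    return $ok ? $value : null;
}

// Constructed inputs: valid ones and ones that should be refused.
$tests = ['hello', 'hello123', '', 'héllo', 'hello world', '<script>', ['x']];

foreach ($tests as $t) {
    printf("%-16s alpha=%-5s alnum=%s\n",
        json_encode($t),
        var_export(validate_text($t) !== null, true),
        var_export(validate_text($t, true) !== null, true));
}
```

Returning `null` rather than `false` lets the caller write `$name = validate_text($_GET['q'] ?? null) ?? 'default';`, so the script only ever works with the validated copy, which is the same "take it out of $_GET, check it, and use your own variable" pattern described earlier in the thread.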

  8. #58 frank1 (SitePoint Wizard, joined Oct 2005, 1,392 posts)
    I have a GET var that accepts either 'a' or < > =, but < and > or = are passed as special characters in the address bar, maybe as hex characters... %3D etc.
    So how to validate it?
    Any function example?

  9. #59 cranjled (SitePoint Addict, joined Apr 2004, ny, 382 posts)
    Frank1 ... how's that? Can you explain this again...sorry, I don't get it.

    And, why would you pass '<' or '>' through the URL? My feeling on this is that it should be avoided, though I'm certainly no expert. Is there another way you can achieve this?

    Maybe I understood you wrong...

  10. #60 frank1 (SitePoint Wizard, joined Oct 2005, 1,392 posts)
    Quote Originally Posted by cranjled
    Frank1 ... how's that? Can you explain this again...sorry, I don't get it.

    ****....edited so that the post doesn't get unnecessarily long
    Maybe I understood you wrong...
    Why is it a bad idea?
    Well, I am doing it like this.
    It's a search, or a search with drop-down navigation... part of it:
    PHP Code:
    echo '<tr><td align="right">Price</td>
      <td align="left">
      <select name="opr">
      <option value="any">All</option>

      <option value="=">Equal to</option>>
      <option value=">=">Greater than</option></option>
      <option value="<=">Less than</option> </option>
      </select>&nbsp
      </select>&nbsp</td></tr>';
    echo '<tr><td align="right">Price </td>
      <td align="left"><input type="text" name="cid" size="15" maxlength="25" />&nbsp;</td></tr>';
    echo '<tr><td align="right">Property Type</td>
      <td align="left">
      <select name="pfor">
      <option value="1">Sale</option>';
    and in the next page I do...

    PHP Code:
    }
    else
    // operator is not 'all'
    {
        $prop_for = ($pfor == 1) ? 'sale' : 'hire';
        $query .= ' and property_for like \'' . $prop_for . '\' and price ' . $opr . ' ' . $var;
    }
    That way I am not having to write the query for >, <= and = separately.
    But I am not getting the exact way of validating that variable "opr"...
    Any suggestion....
    By the way, / ' " are avoided so that people do not URL or SQL inject, but can SQL or URL injection be done through <, >, =?
    (I am not trying to accept special characters, just <, > and =... only.)

  11. #61 cranjled (SitePoint Addict, joined Apr 2004, ny, 382 posts)
    I didn't mean it was a bad idea or wrong...just that I avoid such things...again, this isn't coming from an expert, so here's some salt to go along with it! I see now your purpose and can offer something of substance...then again, that depends on how you define substance...

    aaaanyway...you can easily change your code to not require those 'special' characters. Consider this...

    In your select input:
    PHP Code:
    echo '<tr><td align="right">Price</td>
      <td align="left">
      <select name="url_opr">
      <option value="any">All</option>

      <option value="et">Equal to</option>
      <option value="gt">Greater than</option>
      <option value="lt">Less than</option>
      </select>&nbsp;</td></tr>';
    echo '<tr><td align="right">Price </td>
      <td align="left"><input type="text" name="cid" size="15" maxlength="25" />&nbsp;</td></tr>';
    echo '<tr><td align="right">Property Type</td>
      <td align="left">
      <select name="pfor">
      <option value="1">Sale</option>';
    ........ 
    ........ 
    ...and in your receiving code:
    PHP Code:
    // Use a switch or similar to choose the proper operator.
    switch ($url_opr) {
        case 'gt':
            $sql_opr = '>=';
            break;
        case 'lt':
            $sql_opr = '<=';
            break;
        default:
            $sql_opr = '=';
            break;
    }

    else
    // operator is not 'all'
    {
        $prop_for = ($pfor == 1) ? 'sale' : 'hire';
        $query .= ' and property_for like \'' . $prop_for . '\' and price ' . $sql_opr . ' ' . $var;
    }
    Would that suit your purposes?

    PS... you have an extra /select tag in there...
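The switch above is a whitelist: the browser never gets to choose the SQL operator, only a short code that the script maps to one. The remaining risk in the query fragment is the price value `$var`, which is still concatenated straight into the statement. The example below is added here and is not code from the thread; it keeps the field names from the posts (`url_opr`, `pfor`, `cid`) and the `sale`/`hire` mapping, while the function name, the `properties` table and the PDO-style placeholders are assumptions made for the example. It builds the query and a parameter array separately, refuses any operator code that is not on the list instead of silently defaulting, and requires the price to be a plain digit string.

```php
<?php
// Added example, not from the thread: map the GET operator code to an SQL
// operator through a whitelist, and keep every user-supplied value out of
// the SQL text by handing it to a prepared statement as a parameter.

const PRICE_OPERATORS = [
    'et' => '=',
    'gt' => '>=',
    'lt' => '<=',
];

// Returns [$sql, $params] ready for $pdo->prepare($sql)->execute($params),
// or null when the request is not acceptable. Nothing from $get is ever
// concatenated into $sql; only the whitelisted operator string is.
function build_price_filter(array $get): ?array
{
    $opr   = $get['url_opr'] ?? 'any';
    $pfor  = $get['pfor']    ?? '';
    $price = $get['cid']     ?? '';

    if (!is_string($opr) || !is_string($pfor) || !is_string($price)) {
        return null;                       // arrays from ?x[]=... are rejected
    }

    $sql    = 'SELECT * FROM properties WHERE property_for = :prop_for';
    $params = [':prop_for' => ($pfor === '1') ? 'sale' : 'hire'];

    if ($opr !== 'any') {
        if (!isset(PRICE_OPERATORS[$opr])) {
            return null;                   // unknown operator code: refuse, do not guess
        }
        if (!ctype_digit($price)) {
            return null;                   // price must be a plain integer string
        }
        $sql .= ' AND price ' . PRICE_OPERATORS[$opr] . ' :price';
        $params[':price'] = (int) $price;
    }
    return [$sql, $params];
}

// Constructed requests: a normal one, the raw operator from the earlier form
// (not on the list), a non-numeric price, and the "All" case with no price.
$requests = [
    ['url_opr' => 'gt',  'pfor' => '1', 'cid' => '150000'],
    ['url_opr' => '<=',  'pfor' => '1', 'cid' => '1'],
    ['url_opr' => 'lt',  'pfor' => '2', 'cid' => '1 OR 1=1'],
    ['url_opr' => 'any', 'pfor' => '2', 'cid' => ''],
];

foreach ($requests as $request) {
    $result = build_price_filter($request);
    echo json_encode($request), ' => ',
         $result === null ? 'rejected' : json_encode($result), "\n";
}
```

Because the operator reaches the SQL only through `PRICE_OPERATORS`, a request like `url_opr=%3C%3D` (the URL-encoded `<=` frank1 asked about) is simply not a key in the array and is rejected; there is no need to decode or escape it. The `sale`/`hire` choice is likewise derived in PHP rather than copied from the request, so both values that end up in the statement are ones the script itself produced.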

  12. #62 (SitePoint Addict, joined Oct 2004, USA, Saratoga Springs, NY, 296 posts)
    Here's a filtering and escaping cheatsheet "plan of action":
    http://pixelated-dreams.com/archives...eat-Sheet.html
    They say, "Practice makes perfect," yet they also say, "Nobody's perfect". I don't get it.

