  1. #1
    SitePoint Enthusiast
    Join Date
    May 2007
    Posts
    50

    Unexplained use of (int) conversion

    I am reading a book and it contains the following line of code :

    Code:
    call_user_func("processStep" . (int)$_POST["step"])
    What is the purpose of using (int) conversion here?

  2. #2
    SitePoint Zealot
    Join Date
    Jul 2012
    Location
    Scarborough, North Yorkshire, United Kingdom
    Posts
    100
    The int call casts it as an integer. It is likely that the developer is expecting a number and is doing this to ensure he gets one.
    Richard

  3. #3
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,615
    Note that it is not wise to type cast a variable that comes from user input.

    It is best to first check if the variable could be an int before actually casting it as such. Otherwise, if the variable ends up not being an int and is then type cast, you could end up with a bug or error.

  4. #4
    SitePoint Enthusiast
    Join Date
    May 2007
    Posts
    50
    The value comes from an input hidden tag like this :

    Code:
    <input type="hidden" name="step" value="2">
    My question is why we should convert this $_POST["step"] to int before the concatenation.

  5. #5
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2006
    Location
    Augusta, Georgia, United States
    Posts
    4,184
    Because I could modify that value to something like:

    Code PHP:
    <input type="hidden" name="step" value="MESSEDUPYOURSTUFF">

    Then an error will occur in attempting to call an undefined function.

    That practice though is really more applicable to avoiding SQL injection. Anything that is not an integer would be cast to 0.

    It could also be messed up with something like this:

    Code PHP:
    <input type="hidden" name="step" value=""100000">

    So one could argue that not checking whether the function exists before calling it makes the cast kinda worthless.

    ie.

    Code PHP:
    $name = 'processStep' . $_POST["step"];
     
    if(function_exists($name)) {
       call_user_func($name);
    }
    The only code I hate more than my own is everyone else's.

  6. #6
    SitePoint Enthusiast
    Join Date
    May 2007
    Posts
    50
    Thank you for your clear explanation oddz.

  7. #7
    Always A Novice bronze trophy
    K. Wolfe's Avatar
    Join Date
    Nov 2003
    Location
    Columbus, OH
    Posts
    2,182
    I find it a little silly that he's even using the hidden type to submit this through POST.

  8. #8
    SitePoint Wizard silver trophybronze trophy Cups's Avatar
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    Great explanation @oddz ;

    By using (int) you know exactly what you are going to get, either a positive integer or 0.

    It all comes down to how you have presented options to a user on a form on your site.

    a) Did you give them a pick list of numbers to pick from, or a pre-defined element with a set integer (usually a hidden field with an `id`)?

    OR

    b) Did you give them a text box into which they can enter just about anything, but your GUI hints specify a number.

    Then:

    If you do not get an integer, does that mean they:

    1) could have made a mistake

    OR

    2) altered a copy of the html and re-submitted it

    If you did not get an integer after :

    a) then 1) -- this is not possible without tampering, same as a) then 2)

    a) then 2) -- this is bad

    b) then 1) -- then you should question your motives, or be kind and throw back an error msg.

    b) then 2) -- this is bad

    So, when you are expecting an integer, and after typecasting it equates to 0 then this is generally a bad sign, and you should abort and get rid of the user.

    As a developer it is also very easy to use and recall, that is why you will see it again and again.

  9. #9
    SitePoint Guru bronze trophy
    Join Date
    Dec 2003
    Location
    Poland
    Posts
    930
    Originally Posted by Cups:
    By using (int) you know exactly what you are going to get, either a positive integer or 0.
    Just a small clarification: integers can also be negative.
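
An added example (not from the thread or the book it quotes) that contrasts the bare `(int)` cast discussed above with validating the value and dispatching through an allow-list. The handler names, the step range 1 to 3 and the sample inputs are assumptions constructed for illustration; it needs PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical step handlers standing in for the book's processStepN functions.
function processStep1(): string { return 'step 1 done'; }
function processStep2(): string { return 'step 2 done'; }
function processStep3(): string { return 'step 3 done'; }

// Explicit allow-list: only these step numbers can ever be dispatched.
const STEP_HANDLERS = [1 => 'processStep1', 2 => 'processStep2', 3 => 'processStep3'];

/**
 * Validate the raw "step" value and run its handler.
 * Returns null when the value is not a whole number naming a known step.
 */
function dispatchStep(mixed $raw): ?string
{
    // FILTER_VALIDATE_INT rejects "2abc", "", arrays and out-of-range values
    // instead of silently coercing them the way (int) does.
    $step = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 3],
    ]);
    if ($step === false || !array_key_exists($step, STEP_HANDLERS)) {
        return null; // caller should reject the request, e.g. with HTTP 400
    }
    return call_user_func(STEP_HANDLERS[$step]);
}

// Constructed sample values for $_POST["step"], including tampered ones.
$samples = ['2', 'MESSEDUPYOURSTUFF', '"100000', '2abc', '-1', '100000', ['x']];

foreach ($samples as $raw) {
    // The function name the book's one-liner would build after the bare cast.
    $castName = 'processStep' . (int) $raw;
    printf(
        "%-20s cast-> %-20s exists=%-3s validated-> %s\n",
        json_encode($raw),
        $castName,
        function_exists($castName) ? 'yes' : 'no',
        dispatchStep($raw) ?? 'rejected'
    );
}
```

The cast turns `2abc` into 2 and a submitted array into 1, so both would still reach a real handler, while the validated path rejects every sample except `2`.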

