Cleaning $_GET['id']

JonD · 7 Aug 2006 at 15:38

I get the variable from the url to execute in queries. 'id' **** always be a number so whats the best way to clean it?

will intval do or is there sum sort of regular expressions i can do to redirect the page if the value of id is not a number?

Thx

gavsim · 7 Aug 2006 at 15:41

Take a look at this: http://uk2.php.net/is_numeric

JonD · 7 Aug 2006 at 15:53

Should this work?

PHP:

function validateInt($number)
{
	if (is_numeric($number))
		return intval($number);		
	return;
}

elkdanger · 7 Aug 2006 at 15:58

JonD said:
Should this work?

PHP:

function validateInt($number) { if (is_numeric($number)) return intval($number); return; }

I don't know - I can't read it because of the nonsensical colour scheme

But yes it will work, although to be honest I would just use intval() on it's own instead of wrapping it inside a function then testing it inside a conditional statement (that you don't really do anything with) that again checks if it is a number. Wasted cycles tbh; Intval() will clean the input just fine.

Inquisitor · 7 Aug 2006 at 16:03

elkdanger said:
But yes it will work, although to be honest I would just use intval() on it's own instead of wrapping it inside a function then testing it inside a conditional statement (that you don't really do anything with) that again checks if it is a number. Wasted cycles tbh; Intval() will clean the input just fine.

However, if the input is invalid, it won't pick that up.

JonD · 7 Aug 2006 at 16:04

but if u use intval and 'id' is sumthing like: '342thisisnotanumber' it will return 342. It would still be nice if I knew this wudnt be accepted.

elkdanger · 7 Aug 2006 at 16:21

Inquisitor said:
However, if the input is invalid, it won't pick that up.

Yeah, ignore me; after thinking about it that cleanup function will probably do ok, but I would make more use of the conditional statement he has, just to prevent further problems - just return a zero so that he can check for this and prevent further running of the script if he needs to. Also trim off white space and html tags to be safe.

Code:

function validateInt($number) 
{ 

    if (is_numeric($number) == true) 
        return intval(strip_tags(trim($number)));     

    return 0;
}

Bloo_Fish · 7 Aug 2006 at 16:23

JonD said:
but if u use intval and 'id' is sumthing like: '342thisisnotanumber' it will return 342. It would still be nice if I knew this wudnt be accepted.

If you used

PHP:

$iID = (int) $_GET['id'];

Then that should return zero if it is not an int. So 342thisisnotanumber should return 0;

robmiller · 7 Aug 2006 at 18:01

elkdanger said:
Yeah, ignore me; after thinking about it that cleanup function will probably do ok, but I would make more use of the conditional statement he has, just to prevent further problems - just return a zero so that he can check for this and prevent further running of the script if he needs to. Also trim off white space and html tags to be safe.

Code:

function validateInt($number) { if (is_numeric($number) == true) return intval(strip_tags(trim($number))); return 0; }

If it's a number, you strip tags (totally useless, how can there be HTML tags in a number) and convert it to a number... despite it already being a number :confused:

Try this:

PHP:

<?php
$foo = (int) $_GET['foo'];
?>

or:

PHP:

<?php
$foo = intval($_GET['foo']);
?>

JonD · 7 Aug 2006 at 18:02

i didnt think of casting it.

Thx

Inquisitor · 7 Aug 2006 at 19:02

robmiller said:
Try this:

<snip>

He wanted to validate the input as an integer, not get an integral representation of it. Essentially, I think he wants a something that does the same thing as the is_numeric() function, except that checks if it's an integer or not.

This should do the trick:

Code:

function is_int($number)
{
    return intval($number) == $number;
}

Not that you really need a function to do that

robmiller · 7 Aug 2006 at 20:54

Inquisitor said:
Code:

function is_int($number) { return intval($number) == $number; }

Not that you really need a function to do that

http://uk.php.net/is_int :confused:

Inquisitor · 7 Aug 2006 at 21:13

robmiller said:
http://uk.php.net/is_int

That tests the datatype as well though.

elkdanger · 7 Aug 2006 at 22:45

robmiller said:
If it's a number, you strip tags (totally useless, how can there be HTML tags in a number) and convert it to a number... despite it already being a number

Hmm I'm asleep today. I would normally use that function for everything that comes out of a $GET[], and then test for it being a number if it was indeed a number that I was after, since we all know that what you get out of any user input might not be what you expect.

But yes, if all you want to do is test whether something is purely numeric then your examples would prove to be fine.

robmiller · 8 Aug 2006 at 03:02

elkdanger said:
But yes, if all you want to do is test whether something is purely numeric then your examples would prove to be fine.

No they wouldn't :/

If you want to ensure input is a number, use what I posted. If you want to check whether input is a number or not, use what Inquisitor posted.

Dj_Jestar · 8 Aug 2006 at 03:50

Code:

if (strval(intval($_GET['id'])) === $_GET['id']) {
  //$_GET['id'] is 100% absolutely, positively, certainly of numeric, and only integral char's.
} else {
 // it's not.
}

However.. if you follow Defense In Depth practices, you will escape the value regardless of datatype. I really cba to explain, as the last time I did (on a different forum) it ended in a 13 page thread, 5 bans, 6 suspensions and a lot of upset angsty teenage developers, a bit like the "How many forum members does it take to change a lightbulb?" cliché. So if you want to read up of "Defense In Depth", google it noob

something like this method from a MySQL database class:

Code:

    public function parseQuery ()
    {
        $count = func_num_args();
        $str = func_get_arg(0);

        if ($count > 1) {
            for ($i = 1; $i < $count; $i++) {
            
                if ((strval(intval(func_get_arg($i))) === strval(func_get_arg($i)))
                    || (strval(floatval(func_get_arg($i))) === strval(func_get_arg($i)))) {
                    $pat = mysql_real_escape_string(func_get_arg($i), $this->link);
                } else {
                    $pat = "'" . mysql_real_escape_string(func_get_arg($i), $this->link) . "'";
                }
                
                $str = str_replace(':' . $i, $pat, $str);
            }
        }
        
        $this->query = $str;
    }

With usage of:

Code:

$db->parseQuery('SELECT * FROM `table` WHERE `col` = :1', 5);

the number is still escaped regardless of it being solely a numerical value.

toString · 8 Aug 2006 at 09:05

Seems a little over the top, and not very readable. But I guess that's where the arguement came from?

Intresting thread none the less.

JonD · 8 Aug 2006 at 10:35

this thread turned out to be longer than expected. :eek:

I think rob wins, casting **** work fine.

Thx all

Dj_Jestar · 8 Aug 2006 at 15:56

KingAdora said:
Seems a little over the top, and not very readable. But I guess that's where the arguement came from?

Intresting thread none the less.

Indeed. The main point of argument was 'optimisation' and superflously escaping data. Which soon turned into a discussion of "What is optimisation?" which was a battle between raw speed and ease of maintenance/portability.