shortest possible check: field is set, integer or 0
8 answers

What is the shortest possible check to ensure that a field coming from
a form as a text type input is either a positive integer or 0, but
that also accepts/converts 1.0 or 5.00 as input?
c
No.1
Wed, November 30, 2005 5:10 pm, Chris Lott wrote:
What is the shortest possible check to ensure that a field coming from
a form as a text type input is either a positive integer or 0, but
that also accepts/converts 1.0 or 5.00 as input?
This might be good enough:
if (isset($_POST['x'])){
  if (!preg_match('/([0-9]*)(\\.0*)?/', $_POST['x'])){
    //invalid
  }
  else{
    $_CLEAN['x'] = (int) $_POST['x'];
  }
}
No.2
Richard Lynch wrote:
Wed, November 30, 2005 5:10 pm, Chris Lott wrote:
>
>>What is the shortest possible check to ensure that a field coming from
>>a form as a text type input is either a positive integer or 0, but
>>that also accepts/converts 1.0 or 5.00 as input?
>
>>
>
>This might be good enough:
>
>if (isset($_POST['x'])){
>  if (!preg_match('/([0-9]*)(\\.0*)?/', $_POST['x'])){
>    //invalid
>  }
>  else{
>    $_CLEAN['x'] = (int) $_POST['x'];
>  }
>}
>
You could also replace:
if (!preg_match('/([0-9]*)(\\.0*)?/', $_POST['x']))
with:
if(!is_numeric($_POST['x']) || $_POST['x'] < 0)
This would ensure that your value only contains numbers, and that it is
greater than zero. Then when you put it into the $_CLEAN array, you can
type-cast it as an int (as in the other script) and that would convert
any doubles to an integer value. If you wanted you could also round,
ceil, or floor the value.
No.3
Ray Hauge wrote:
Richard Lynch wrote:
>Wed, November 30, 2005 5:10 pm, Chris Lott wrote:
>
>>
What is the shortest possible check to ensure that a field coming from
a form as a text type input is either a positive integer or 0, but
that also accepts/converts 1.0 or 5.00 as input?
$_CLEAN['x'] = intval(@$_POST['x']);
the '@' suppresses a notice if 'x' is not set and intval() will
force whatever is in $_POST['x'] to become an integer - knowing exactly
what it does depends on knowing how type-casting works in php.
K so that doesn't exactly constitute a 'check' but it sure as hell
stops any idiot from giving the rest of your script anything but an
accepted value (the unsigned integer)
[I'd be very happy to get criticism from a security-man like mr. Chris
Shiflett regarding the relative 'badness' of the 'approach' I suggested
above - i.e. how much does it suck as a strategy?]
here is a quick test regarding casting (run it yourself ;-):
var_dump(
intval( "123" ),
intval( 123.50 ),
intval( "123.50" ),
intval( "123abc" ),
intval( "abc" ),
intval( "0" ),
intval( false ),
intval( null )
);
>>
>>
>This might be good enough:
>>
>if (isset($_POST['x'])){
>if (!preg_match('/([0-9]*)(\\.0*)?/', $_POST['x'])){
>//invalid
>}
>else{
>$_CLEAN['x'] = (int) $_POST['x'];
>}
>}
>>
>
>>
You could also replace:
if (!preg_match('/([0-9]*)(\\.0*)?/', $_POST['x']))
with:
if(!is_numeric($_POST['x']) || $_POST['x'] < 0)
This would ensure that your value only contains numbers, and that it is
greater than zero. Then when you put it into the $_CLEAN array, you can
type-cast it as an int (as in the other script) and that would convert
any doubles to an integer value. If you wanted you could also round,
ceil, or floor the value.
No.4
problem with intval() is that it returns 0 (a valid value) on
failure, so we need to check for 0 first. Adding more secure checks
would make this more than just a one-liner, eg;
$_CLEAN['x'] = false;
if (isset($_POST['x'])) {
  if (0 == 1*$_POST['x']) {
    $_CLEAN['x'] = 0;
  } else {
    $x = intval($_POST['x']);
    if ($x > 0 && $x == 1*$_POST['x']) {
      $_CLEAN['x'] = $x;
    }
  }
}
Reducing to a two-liner, if you *really* want:
$x = intval(@$_POST['x']);
$_CLEAN['x'] = (isset($_POST['x']) ? ((0 == 1*$_POST['x']) ? 0 :
(($x > 0 && $x == 1*$_POST['x']) ? $x : false)) : false);
(all untested)
That *should* return false unless all your conditions are set, in
which case it will return your cardinal number (non-negative integer).
Disclaimer: Currently operating on caffeine deficit; it's possible
I'm answering a question no one asked.
steve
At 3:41 PM +0100 12/1/05, Jochem Maas wrote:
>Ray Hauge wrote:
>>Richard Lynch wrote:
>>
Wed, November 30, 2005 5:10 pm, Chris Lott wrote:
What is the shortest possible check to ensure that a field coming from
a form as a text type input is either a positive integer or 0, but
that also accepts/converts 1.0 or 5.00 as input?
>
>$_CLEAN['x'] = intval(@$_POST['x']);
>
>the '@' suppresses a notice if 'x' is not set and intval() will
>force whatever is in $_POST['x'] to become an integer - knowing exactly
>what it does depends on knowing how type-casting works in php.
>K so that doesn't exactly constitute a 'check' but it sure as hell
>stops any idiot from giving the rest of your script anything but an
>accepted value (the unsigned integer)
>
>[I'd be very happy to get criticism from a security-man like mr. Chris
>Shiflett regarding the relative 'badness' of the 'approach' I suggested
>above - i.e. how much does it suck as a strategy?]
>
>here is a quick test regarding casting (run it yourself ;-):
>
>var_dump(
>intval( "123" ),
>intval( 123.50 ),
>intval( "123.50" ),
>intval( "123abc" ),
>intval( "abc" ),
>intval( "0" ),
>intval( false ),
>intval( null )
>);
>
This might be good enough:
if (isset($_POST['x'])){
if (!preg_match('/([0-9]*)(\\.0*)?/', $_POST['x'])){
//invalid
}
else{
$_CLEAN['x'] = (int) $_POST['x'];
}
}
>>You could also replace:
>>
>>if (!preg_match('/([0-9]*)(\\.0*)?/', $_POST['x']))
>>
>>with:
>>
>>
>>if(!is_numeric($_POST['x']) || $_POST['x'] < 0)
>>
>>This would ensure that your value only contains numbers, and that
>>it is greater than zero. Then when you put it into the $_CLEAN
>>array, you can type-cast it as an int (as in the other script) and
>>that would convert any doubles to an integer value. If you wanted
>>you could also round, ceil, or floor the value.
>>
No.5
Steve Edberg wrote:
problem with intval() is that it returns 0 (a valid value) on
I knew that. :-)
failure, so we need to check for 0 first. Adding more secure checks
do we? given that FALSE casts to 0.
would make this more than just a one-liner, eg;
$_CLEAN['x'] = false;
if (isset($_POST['x'])) {
if (0 == 1*$_POST['x']) {
I find the 1*$_POST['x'] line a bit odd. why do you bother with the '1*' ?
$_CLEAN['x'] = 0;
} else {
$x = intval($_POST['x']);
if ($x > 0 && $x == 1*$_POST['x']) {
this is wrong if $_POST['x'] is '5.5' this won't fly
but is valid according to the OP.
$_CLEAN['x'] = $x;
}
}
}
Reducing to a two-liner, if you *really* want:
$x = intval(@$_POST['x']);
$_CLEAN['x'] = (isset($_POST['x']) ? ((0 == 1*$_POST['x']) ? 0 :
(($x > 0 && $x == 1*$_POST['x']) ? $x : false)) : false);
(all untested)
That *should* return false unless all your conditions are set, in which
case it will return your cardinal number (non-negative integer).
Disclaimer: Currently operating on caffeine deficit; it's possible I'm
answering a question no one asked.
now that is funny :-)
No.6
At 5:30 PM +0100 12/1/05, Jochem Maas wrote:
>Steve Edberg wrote:
problem with intval() is that it returns 0 (a valid value) on
>
>I knew that. :-)
I figured so, but I thought I'd make it explicit for the mailing list
>failure, so we need to check for 0 first. Adding more secure checks
>
>do we? given that FALSE casts to 0.
>
>>would make this more than just a one-liner, eg;
>>
>>$_CLEAN['x'] = false;
>>if (isset($_POST['x'])) {
>if (0 == 1*$_POST['x']) {
>
>I find the 1*$_POST['x'] line a bit odd. why do you bother with the '1*' ?
I tend to use that to explicitly cast things to numeric; usually not
necessary, but I have occasionally hit situations where something got
misinterpreted, so I habitually do the 1*.
>$_CLEAN['x'] = 0;
>} else {
>$x = intval($_POST['x']);
>if ($x > 0 && $x == 1*$_POST['x']) {
>
>this is wrong if $_POST['x'] is '5.5' this won't fly
>but is valid according to the OP.
I guess I was interpreting the OP differently; your version is the
shortest method I can see to force the input to an integer (but to
ensure the non-negative requirement, one should say
$_CLEAN['x'] = abs(intval(@$_POST['x']));
). I was adding extra code to indicate an invalid entry as false. And
I think that 5.5 would not be considered valid - to quote: "What is
the shortest possible check to ensure that a field coming from a form
as a text type input is either a positive integer or 0, but that also
accepts/converts 1.0 or 5.00 as input?"
Although, with more caffeine in my system, doing something like
$x = abs(intval(@$_POST['x']));
$_CLEAN['x'] = isset($_POST['x']) ? ($x == $_POST['x'] ? $x :
false) : false;
or, to be more obfuscated,
$_CLEAN['x'] = isset($_POST['x']) ? (($x =
abs(intval(@$_POST['x']))) == $_POST['x'] ? $x : false) : false;
should do what I was trying to do, more succinctly.
- slightly more awake steve
>$_CLEAN['x'] = $x;
>}
>}
>>}
>>
>>Reducing to a two-liner, if you *really* want:
>>
>>$x = intval(@$_POST['x']);
>>$_CLEAN['x'] = (isset($_POST['x']) ? ((0 == 1*$_POST['x']) ? 0 :
>>(($x > 0 && $x == 1*$_POST['x']) ? $x : false)) : false);
>>
>>(all untested)
>>
>>That *should* return false unless all your conditions are set, in
>>which case it will return your cardinal number (non-negative
>>integer).
>>
>>Disclaimer: Currently operating on caffeine deficit; it's possible
>>I'm answering a question no one asked.
>
>now that is funny :-)
No.7
Steve Edberg wrote:
At 5:30 PM +0100 12/1/05, Jochem Maas wrote:
>Steve Edberg wrote:
>problem with intval() is that it returns 0 (a valid value) on
>>
>I knew that. :-)
I figured so, but I thought I'd make it explicit for the mailing list
>failure, so we need to check for 0 first. Adding more secure checks
>>
>do we? given that FALSE casts to 0.
>>
would make this more than just a one-liner, eg;
$_CLEAN['x'] = false;
if (isset($_POST['x'])) {
if (0 == 1*$_POST['x']) {
>>
>>
>I find the 1*$_POST['x'] line a bit odd. why do you bother with the '1*' ?
I tend to use that to explicitly cast things to numeric; usually not
necessary, but I have occasionally hit situations where something got
misinterpreted, so I habitually do the 1*.
$_CLEAN['x'] = 0;
} else {
$x = intval($_POST['x']);
if ($x > 0 && $x == 1*$_POST['x']) {
>>
>>
>this is wrong if $_POST['x'] is '5.5' this won't fly
>but is valid according to the OP.
I guess I was interpreting the OP differently; your version is the
shortest method I can see to force the input to an integer (but to
ensure the non-negative requirement, one should say
$_CLEAN['x'] = abs(intval(@$_POST['x']));
for some reason I have been assuming that intval() drops the sign - but
it doesn't; the use of abs() would indeed be required.
thanks for that info :-)
). I was adding extra code to indicate an invalid entry as false. And I
think that 5.5 would not be considered valid - to quote: "What is the
shortest possible check to ensure that a field coming from a form as a
text type input is either a positive integer or 0, but that also
accepts/converts 1.0 or 5.00 as input?"
Although, with more caffeine in my system, doing something like
$x = abs(intval(@$_POST['x']));
$_CLEAN['x'] = isset($_POST['x']) ? ($x == $_POST['x'] ? $x : false)
: false;
or, to be more obfuscated,
$_CLEAN['x'] = isset($_POST['x']) ? (($x =
abs(intval(@$_POST['x']))) == $_POST['x'] ? $x : false) : false;
should do what I was trying to do, more succinctly.
- slightly more awake steve
plenty for the OP to chew on anyway ;-)
No.8
what's with
if (isset($_POST['field']) && (INT)$_POST['field']>=0) {
? This should cover the requirements.
$_POST['field'] should be eq 0 or higher as int.
(INT) converts 1.44 to 1 (cuts .44)
-- Marco
2005/12/2, Jochem Maas <jochem (AT) iamjochem (DOT) com>:
Steve Edberg wrote:
At 5:30 PM +0100 12/1/05, Jochem Maas wrote:
>
>Steve Edberg wrote:
>problem with intval() is that it returns 0 (a valid value) on
>>
>I knew that. :-)
>
>
>
I figured so, but I thought I'd make it explicit for the mailing list
>
>
>failure, so we need to check for 0 first. Adding more secure checks
>>
>do we? given that FALSE casts to 0.
>>
would make this more than just a one-liner, eg;
$_CLEAN['x'] = false;
if (isset($_POST['x'])) {
if (0 == 1*$_POST['x']) {
>>
>>
>I find the 1*$_POST['x'] line a bit odd. why do you bother with the '1*' ?
>
>
>
I tend to use that to explicitly cast things to numeric; usually not
necessary, but I have occasionally hit situations where something got
misinterpreted, so I habitually do the 1*.
--
$_CLEAN['x'] = 0;
} else {
$x = intval($_POST['x']);
if ($x > 0 && $x == 1*$_POST['x']) {
>>
>>
>this is wrong if $_POST['x'] is '5.5' this won't fly
>but is valid according to the OP.
>
>
>
I guess I was interpreting the OP differently; your version is the
shortest method I can see to force the input to an integer (but to
ensure the non-negative requirement, one should say
$_CLEAN['x'] = abs(intval(@$_POST['x']));
for some reason I have been assuming that intval() drops the sign - but
it doesn't; the use of abs() would indeed be required.
thanks for that info :-)
--
). I was adding extra code to indicate an invalid entry as false. And I
think that 5.5 would not be considered valid - to quote: "What is the
shortest possible check to ensure that a field coming from a form as a
text type input is either a positive integer or 0, but that also
accepts/converts 1.0 or 5.00 as input?"
Although, with more caffeine in my system, doing something like
$x = abs(intval(@$_POST['x']));
$_CLEAN['x'] = isset($_POST['x']) ? ($x == $_POST['x'] ? $x : false)
: false;
or, to be more obfuscated,
$_CLEAN['x'] = isset($_POST['x']) ? (($x =
abs(intval(@$_POST['x']))) == $_POST['x'] ? $x : false) : false;
should do what I was trying to do, more succinctly.
- slightly more awake steve
>
>
>
plenty for the OP to chew on anyway ;-)
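
The checks proposed in this thread, run side by side over the same inputs next to a strict anchored validator. This is an added example, not code from any poster; strict_nonneg_int(), the $checks table and the sample inputs are constructed for illustration.

```php
<?php
// Added illustration; function names and sample inputs are constructed.

// Strict check: the whole string must be digits, optionally followed by
// ".0", ".00", ... Returns the integer, or false if missing or malformed.
function strict_nonneg_int($raw)
{
    // A missing field arrives as null; x[]=1 in the request arrives as an array.
    if (!is_string($raw)) {
        return false;
    }
    // \A and \z anchor both ends, so "123abc" and "5\n" are rejected.
    // At most 9 digits keeps the result inside a 32-bit int.
    if (!preg_match('/\A([0-9]{1,9})(?:\.0+)?\z/', $raw, $m)) {
        return false;
    }
    return (int) $m[1];
}

// The approaches proposed in the thread, wrapped so they can be compared.
$checks = [
    'regex as posted' => function ($v) {
        return preg_match('/([0-9]*)(\\.0*)?/', $v) ? (int) $v : false;
    },
    'is_numeric' => function ($v) {
        return (is_numeric($v) && $v >= 0) ? (int) $v : false;
    },
    'abs(intval)' => function ($v) {
        return abs(intval($v));
    },
    'strict' => 'strict_nonneg_int',
];

// Constructed inputs standing in for $_POST['x'].
$samples = ['0', '5.00', '5.5', '-5', '123abc', '1e3', ' 7', ''];

foreach ($samples as $s) {
    $row = [];
    foreach ($checks as $name => $check) {
        $row[] = $name . '=' . var_export($check($s), true);
    }
    printf("%-9s %s\n", var_export($s, true), implode(' | ', $row));
}
```

The posted pattern has no anchors and every part of it is optional, so it matches any string. Only the strict column rejects all of '5.5', '-5', '123abc', '1e3', ' 7' and the empty string.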