Safe coding with is_numeric()

warozzo

If I have a URL like http://example.com/script.php?id=9
and variable id is a database record, is it safe enough if I check only with is_numeric() function only?

For example

<?php
if (is_numeric($_GET[id])) {
    // do some sql stuff here....
} else {
    echo "Try to crack someone else's job, heh?";
}

Or is there any methods or function that I have to write so I can do 'safe codin'.

PS: I'm using PHP 4.3 so register_global is off.

OhLordy

I don;t wuite understand what you mean. Is this a private page? Could someone not just type a number in the get field?

superwormy

You might be better off using is_int() which will check if its an integer. is_numeric() would return TRUE with 5.323 or 1.21E-100...

Also make sure after you pull results from the database that you actually selected something as well.

ahundiak

You can also use a cast which will force the input to be integer regardless.

$id = (integer)$_GET('id');

Strings will just end up setting $id to 0.

warozzo

Originally posted by ahundiak
You can also use a cast which will force the input to be integer regardless.

$id = (integer)$_GET('id');

Strings will just end up setting $id to 0.

0 (zero) wouldn't be good, cause $id point to an id in database, so there's no id #0.

OK, how about this:

if (!empty($GET[id]) && is_int($GET[id]) && !ereg(".-", $_GET[id]))

will those safe?

I also see an example in PHP manual to pull out from database, the manual writer uses this coding style:

$sql = printf("SELECT * FROM table");

what the printf uses for?

laserlight

You'll have to be careful with is_int() though, since the value of $_GET['id'] will be of type string.

is_numeric() will work with numeric strings, is_int() will not.
(or rather it will, but will return false even if the string looks like an integer to you)

laserlight

I suggest that you read the manual further for printf() 😉
anyway, it basically is a way to format output, I dont think you want that here.

Generally I just check that the variable exists, then check that it is numeric and greater than 0.
If the input is somehow floating point, then I believe it would be implicitly typecasted into an integer when used in the query.
If it isnt, well, then no records would be returned, which is ok since the user decided to play with your query and deserves it :p

Weedpacket

Originally posted by laserlight
If it isnt, well, then no records would be returned, which is ok since the user decided to play with your query and deserves it :p

I suspect that if something like "-1.5e3" (which would pass is_numeric()) was used in the query where an integer was expected then the thing will throw an error (something to try sometime). I'd suggest:

making sure the variable is set
that it's numeric
that $var==(integer)$var, and
that it's nonnegative

Am I missing anything?

laserlight

never really tested with standard notation type of numbers.

still, given that I normally enclose all incoming variables in (single) quotes in queries, I doubt it will throw an error.

laserlight

ah well, decided to test instead of relying on reasoning 🙂

no error thrown with is_numeric(), the simple range check for positive and single quotes used.

of course the range check isnt really needed, and the quotes probably arent needed too, but is_numeric() still is.