Secure User Input

mikemcleanuk

Hey just a quick question rgarding some code i have. The user enters something into a form field and submits it. I am then performing some checks on it and assigning it to a new var to use in the script. Could someone let me know if they see any problems with it. The input should be an int and then set the error message if it is anything but a number over 0 (inclusive).


function mres($input) 
{
    return strip_tags(mysql_real_escape_string($input));
}

function intCheck($input){
    return(ctype_digit(strval($input)));
}

while ($row = mysql_fetch_assoc($units))
	{		

	$uid = $row['id'];
	$cancel_amount = (isset($_POST['u'.$uid.'discharge']) AND intCheck($_POST['u'.$uid.'discharge'])) ? mres($_POST['u'.$uid.'discharge']) : -1;
	if($cancel_amount == -1)
	{
		$error = "Invalid input, please only enter positive numbers.";
		$cancel_amount = 0;
		break;
	}
....

mikemcleanuk

hmmm reading it i see that the line : if($cancel_amount == -1)
should read
if($cancel_amount < 0)

dagon

ctype_digit() and is_int() are not the same thing, just make sure your using the right one, you say your checking for int but then use ctype_digit

Weedpacket

Well, the thing being passed to intCheck() will always be a string (like all $_POST variables), so is_int() would fail (the strval() is also redundant). One thing it doesn't check is that it's not something like "000000005487563847568734658734568734568735678".

Also the mres() function is pointless, since any tags or quotes would already have caused the intCheck() test to fail, and therefore there would never be any tags to strip or quotes to escape.

Also, it doesn't prevent an amount of 0 from being entered. Zero is not a positive number.