I've moved from HTML to PHP coding, so when I wanted to make a link for my news page I used HREF to take the id for the row as a link and make the title of the piece the viewable/clickable link:
echo "<a href=news.php?id=".$row{'id'};
echo ">";
echo ucwords(strtolower($row{'newstitle'}));
echo "</a>";
So when someone clicks on the title it redirects to the article and the address bar becomes (obviously this is an example):
http://site.com/news.php?id=1
How can I validate that the information after the ? is id=int (it will always be a number) and not some user code or other input that could damage the site? I've looked at ways of Sanitizing/Validating the code, but all the examples I've found have been to do with entering information into forms that are then used in the address rather than simply ensuring the address is valid, hence turning to here for assistance.
Thanks
You should use the filter module:
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false) {
// not an integer
}
Or you can use ctype_digit() to check if a variable is composed only of decimal digits:
if (ctype_digit($_GET['id'])) {
// it's an integer
} else {
// not an integer
}
Or shorter:
ctype_digit($_GET['id']) or die("oops that's not an integer!");
But die or exit would make your code less testable.
is_numeric would work too, but it would return true for any string representation of a number, not only integers.
Try this
<?php
if (is_int($_GET["id"])) {
echo "is integer\n";
} else {
echo "is not an integer\n";
}
?>
If you have excluded 0 as a valid number for your integer id, you can simply do the following:
$id = (int) $_GET['id'];
if (!$id) {
# no number -or- 0 given
} else {
# regardless what have been given, it has been converted at least to some integer.
}
That's by casting. Now $id is always an integer so more safe to use.
However, most often you need to check as well that the number is non-negative:
$id = max(0, $_GET['id']);
The max function does take care of casting $_GET['id'] into an integer. It ensures that the id is 0 or higher in case the provided value was greater than 0. If it was 0 or lower, 0 is the maximum number.
If you then need to actually validate the input more strictly, you can turn it back into a string for comparison reasons:
if ("$id" === $_GET['id'])
{
# Input was done as a string representation of the integer value.
}
Related
is_int in php 5 doesn't recognize a GET integer when it's passed to it
$blog_ident=$_GET['blog_id'];
if (is_int($blog_ident)){
$sql="SELECT * FROM blog WHERE blog_id='$blog_id'";
$result = mysqli_query($db,$sql);
if (!$result) {
die('Sorry there was a problem reading the blog.');
}
// If we get a result back
while ( $row = $result->fetch_array(MYSQLI_ASSOC) ) {
#extract($row);
}
} else {
die ('Problem with the blog');
}
http://mydomain/blog_edit.php?blog_id=1
This always ends in 'Problem with the blog'. I can't get it to recognize the 1 as an int and proceed to the database query
Values in the $_GET and $_POST super globals are always strings. You may either cast it as an INT or use is_numeric to see if the value is a number.
The problem is in the second line of code, more specifically is_int(...). The docs page for is_int states its functionality as the following:
Find whether the type of a variable is integer
The problem here is that the type of $blog_ident is a string even though the value is a number, because the contents of $_GET is always of the type string. is_int only checks the type of the variable, not its content. If you continue to read on the docs page for is_int you'll find this part.
To test if a variable is a number or a numeric string (such as form input, which is always a string), you must use is_numeric().
If you replace is_int($blog_ident) line to the following you should ger the desired result:
if (is_numeric($blog_ident)){
In my form, a team's score is input, validated by the PHP script and then passed to the MySQL database. However, I want to make sure that a positive integer is being submitted, so there are no problems on the back-end when league standings are tabulated.
Research led me to the conclusion that using is_numeric would be the best way to go about this. However, it fails to recognize zero as an integer and that presents a problem for me. When I echo it in an array by itself, it shows as true, but something about the way I've written it in the script is not working.
I tried converting the $_POST with intval first and then processing the number with is_numeric, but that doesn't seem to help. Here's the code:
// Validate the away score:
if (empty($_POST['away_score'])) {
echo "You forgot to enter the away score.<br>";
$validate = 'false';
} elseif (!is_numeric($_POST['away_score'])) {
echo "You entered an invalid score for the away team.<br>";
$validate = 'false';
} else {
$away_score_value = mysqli_real_escape_string($db, trim($_POST['away_score']));
$validate = 'true';
}
Any thoughts?
The string '0' is not truthy. That means that anything that checks it in a boolean'ish manner will treat it as false. In particular, empty($_POST['away_score']) will evaluate to true, so is_numeric would never even get a chance to fail.
Short version: empty is too wishy-washy in this case. Check for null and '' explicitly.
if (!isset($_POST['away_score']) or $_POST['away_score'] == '') {
You could use built-in validation. Explore few examples from Validation examples. And read about filter_input.
For example.
var_dump(filter_input(INPUT_POST, 'score', FILTER_VALIDATE_INT, array(
'options' => array(
'min_range' => 1,
'max_range' => 5,
)
)));
P.S. use prepared statements.
ctype_digit( (string) $score);
preg_match('#^\d+$#', $score);
In b4 #EmilioGort
boolean false
int 0
<?php
try {
// Check if user submitted "away_score" with valid form.
// "away_score" can be UNDEFINED or STRING or ARRAY.
if (!isset($_POST['away_score']) || !is_string($away_score = $_POST['away_score'])) {
throw new RuntimeException('You cannot access without valid form submitting.');
}
// If "away_score" is not filled in, this will be EMPTY STRING.
if ($away_score === '') {
throw new RuntimeException('You forgot to enter the away score.');
}
// Check if trimmed "away_score" has only digits.
if (!ctype_digit($away_score = trim($away_score))) {
throw new RuntimeException('You entered an invalid score for the away team.');
}
// do something
} catch (Exception $e) {
printf("<p>%s</p>\n", $e->getMessage());
}
Using regex
if (preg_match('/\A\d++\z/', $variable)){//including 0
//do somthing
}else{
echo "This is not a Positive Integer"
}
is_numeric(4.2) return true with float
is_int(2) return false if the data are obtained using supergloblals like $_POST or $_GET
} elseif (!preg_match('/^([0-9]+)$/', $_POST['away_score'], $m)) {
$AwayScore = $m[1]; # $AwayScore to go to mysql
echo 'not numeric!';
$valid = false;
}
This just works!
preg_match() works for any type, including integer/long/float, anything!
But using is_numeric is the proper way of checking whether a given input is or not a number in PHP, and
var_dump(is_numeric(0));
should return bool(true). Have you tried is_int instead?
elseif (!is_numeric(POST[$_'$away_score']) && !is_null(POST[$_'$away_score']))
Because 0 (or null) is not a numeric value, you have to check if the score isn't null.
$alerter2="false";
for ( $counter = 0; $counter <= count($filter); $counter++) {
$questionsubmitted=strtolower($_POST[question]);
$currentcheck =$filter[$counter];
$foundvalue=stripos((string)$questionsubmitted,(string)$currentcheck);
echo $foundvalue;
if ($foundvalue==0) {
$alerter2="true";
} else { }
}
if (!($alerter2=="true")) {
$sql="INSERT INTO Persons (Name, Email, Question)
VALUES
('$_POST[name]','$_POST[email]','$_POST[question]')";
} else {
echo "Please only post appropriate questions";
}
For some reason, whenever I run this, stripos returns 0 every time for every iteration. It's supposed to be a filter, and using echo I found that stripos is 0 every time that it appears. However, when I use 0 in the if, it returns true for even those that don't have the word in them.
Where should I use mysql_real_escape_string? After the query? Note, I am making this a piece of code where I want user input to be saved to a database.
stripos return false if the value is not found, or 0 if it is the first character. Problem is, php automatically cast boolean to the 0 integer or the 0 integer to false. So I think a cast is happening here and thus the condition don't do what you want.
You can use === to also check the type of the variable :
if ($foundvalue === 0) {
$alerter2="true";
}
There's more details about this problem in the linked documentation for stripos.
You should also remove the empty else clause for a cleaner code and use mysql_real_escape_string to sanitize the values before putting them in your database.
You need to change
if ($foundvalue==0)
to
if ($foundvalue===0) // three equals signs
or something equivalent, depending on your logic (I didn't quite understand what's going on).
But as everyone says, THIS CODE IS OPEN TO SQL INJECTION ATTACKS (among other problems).
Also,
$questionsubmitted=strtolower($_POST[question]);
should probably be:
$questionsubmitted=strtolower($_POST['question']);
I would like to determine whether or not a variable has any text at all.
For instance, my current code is this:
if (is_numeric ($id))
{
//do stuff
}
else
{
// do other stuff
}
However, there is a problem if my variable contains both a string and a number
such as "you are 93 years old",
because it sees that number 93 is present and considers the variable numeric.
I want the if statement to only "do stuff" if there is absolutely no text in the variable at all.
Thanks
Try casting the value to int (or float) then compare it back to the unaltered version. They should match values (but not type)
if((int)$id == $id) {
} else {
}
another option would be to use preg_match("/^([\d.\-]+)$/", $id). This would allow you to be very specific about what characters you let $id contain. However using regexp should be considered as the final choice (for performance reasons)
if(empty($var) && $var !== "0" && $var !== 0) {
// it's really empty, not a string "0" and not a numeric 0
}
You could also check if it's not a boolean false for the sake of completeness.
Here is my code:
<?php
$id = $_GET["id"];
if (is_int($id) === FALSE) {
header('HTTP/1.1 404 Not Found');
exit('404, page not found');
}
?>
It always enters inside the if.
is_int checks that the data type is an integer, but everything in $_GET will be a string. Therefore, it will always return false.
In a pinch, you could cast to an integer and then check for != 0.
$id = isset($_GET['id']) ? (int) $_GET['id'] : null;
if (!$id) { // === 0 || === null
header('HTTP/1.1 404 Not Found');
exit('404, page not found');
}
But a more robust solution would involve some type of input string validation / filtering, like PHP's built-in filter_input_array().
(Edited post on Oct/13 since it is still receiving upvotes and it was somewhat confusingly worded.)
User input in $_GET array (as well as the other superglobals) all take the form of strings.
is_int checks the type (i.e. string) of the value, not whether it contains integer-like values. For verification that the input is an integer string, I would suggest either something like ctype_digit or an integer filter (FILTER_VALIDATE_INT—this has the benefit of actually changing the value to type integer). Of course you could also typecast it with (int).
From the PHP documentation for is_int:
Note: To test if a variable is a
number or a numeric string (such as
form input, which is always a string),
you must use is_numeric().
Any user input comes in as a string, because PHP has no way to tell what data type you expect the data to be.
Cast it to an integer or use a regex if you want to make sure it's an integer.
<?php
$id = $_GET["id"];
if ((int) $id == 0) {
header('HTTP/1.1 404 Not Found');
exit('404, page not found');
}
?>
Try using is_numeric instead of is_int. is_numeric checks to see if it is given something that can be a number ($_GET returns strings I think). is_int checks to see if the variable is of type int
Use is_numeric() to evaluate the content and is_int() to evaluate the type.
Or, you could just use a regex match to check if the string is an integer.
if(preg_match('/^\d+$/',$_GET['id'])) {
// is an integer
}