 |
 |
PHP question
|
|
|
|
|
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Status:
Offline
|
|
I'm writing a medium sized object-oriented php app. I want to define a method that returns an object. That object is constructed via the return of a database query like
"SELECT * FROM PROPERTY WHERE PROPERTY_ID = 5"
In the example, 5 is the property ID, and it will be passed in via query string.
My concern is, how do I verify in PHP that the value passed in via query string is in fact a number?
I am concerned that someone could pass in "; DROP TABLE PROPERTY" or something equally malicious, and I want to check the input before putting it in my query.
|
|
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
|
| |
|
|
|
|
|
|
|
Dedicated MacNNer
Join Date: Jan 2003
Status:
Offline
|
|
You can always use $variable = (int)$variable to make sure the value is an integer. If it is a text string, it will be converted to 0.
|
|
|
| |
|
|
|
|
|
|
|
Senior User
Join Date: Dec 2002
Status:
Offline
|
|
if(is_int($property_id)){
//execute
}
else{
echo "Error: non-numerical property ID passed";
}
|
|
Travis Sanderson
|
| |
|
|
|
|
|
|
|
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Status:
Offline
|
|
Originally posted by redJag:
if(is_int($property_id)){
//execute
}
else{
echo "Error: non-numerical property ID passed";
}
is_int -- just what I needed, thanks!
For anyone in the future, the function is documented here:
http://www.php.net/is_int
|
|
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
|
| |
|
|
|
|
|
|
|
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Status:
Offline
|
|
Ok, so is_int is NOT what I needed. This code:
[php]
$somenum = "5544";
if ( is_int($somenum) )
{
echo "an int";
}
else
{
echo "not an int";
}
[/php]
will print "not an int". I found this online:
[php]
function isAnInt($x)
{
return (is_numeric($x) ? intval($x) == $x : false);
}
[/php]
|
|
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
|
| |
|
|
|
|
|
|
|
Grizzled Veteran
Join Date: Jun 2001
Location: Melbourne, Australia
Status:
Offline
|
|
...or you can use
"SELECT * FROM PROPERTY WHERE PROPERTY_ID = ".(INT) $property_id
...so it simply forces it to the correct type without needing conditionals.
|
|
Computer thez nohhh...
|
| |
|
|
|
|
|
|
|
Senior User
Join Date: Dec 2002
Status:
Offline
|
|
Originally posted by Arkham_c:
Ok, so is_int is NOT what I needed. This code:
[php]
$somenum = "5544";
if ( is_int($somenum) )
{
echo "an int";
}
else
{
echo "not an int";
}
[/php]
will print "not an int".
That's because "5544" is a string, not an integer  If you type $somenum = 5544; then it will work
|
|
Travis Sanderson
|
| |
|
|
|
|
|
|
|
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Status:
Offline
|
|
Originally posted by redJag:
That's because "5544" is a string, not an integer If you type $somenum = 5544; then it will work
Yes, but all form data comes in as a string. That's the concern.
|
|
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
|
| |
|
|
|
|
|
|
|
Senior User
Join Date: Dec 2002
Status:
Offline
|
|
Originally posted by Arkham_c:
Yes, but all form data comes in as a string. That's the concern.
OK Form was never mentioned  Glad you got things as they should be!
|
|
Travis Sanderson
|
| |
|
|
|
|
|
|
|
Dedicated MacNNer
Join Date: Aug 2002
Status:
Offline
|
|
alternately you can use regular expressions
[php]
if(ereg('^[[:digit:]]+$', $property_id))) {
//execute
} else {
die("not a number");
}
[/php]
regular expresion used:
^ start of line
[:digit:] a digit, 0-9
+ one or more of whatever is within the preceding brackets
$ end of line
--will
|
|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
 
|
|
|
Forum Rules
|
|
|
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is Off
|
|
|
|
|
|
|
|
|
|
|
|
Top