WebApp Sec mailing list archives
Re: PHP variable sanitization functions
From: Cameron Green <c.green () uq edu au>
Date: Wed, 27 Aug 2003 11:07:40 +1000
Quoting Jan Pieter Kunst <jpk () akamail com>:
Something like this (warning! untested code!) might be useful:

function sane_integer($val, $min, $max)
{
    if (!preg_match('/^-?[0-9]+$/', $val)) return false;
    if (($val < $min) or ($val > $max)) return false;
    return true;
}

Maybe this one would be faster? As it doesn't use the regular expression engine.

function sane_integer($val, $min, $max)
{
    if (!is_numeric($val)) return false;
    if (($val < $min) or ($val > $max)) return false;
    return true;
}

JP
I have written a class called Type which does this sort of thing... it's meant as
a common handler for Type Checking, which I also use in conjunction with a class
to handle Parameters.
/**
 * Check Integer Value
 *
 * Checks the value of passed in integer
 *
 * @param int $integer integer we are checking
 * @param array $extras optional - minimum and maximum for variable
 * @access public
 * @return bool $type ok
 */
function check_integer($integer, $extras='') {
    // Type check: only a real PHP integer passes, not a numeric string
    if (!is_integer($integer)) {
        $this->set_error("Type not integer");
        return FALSE;
    }
    if (is_array($extras)) {
        // Optional lower bound
        if (isset($extras['minimum']) && is_integer($extras['minimum']) && ($integer < $extras['minimum'])) {
            $this->set_error('Less than minimum');
            return FALSE;
        }
        // Optional upper bound
        if (isset($extras['maximum']) && is_integer($extras['maximum']) && ($integer > $extras['maximum'])) {
            $this->set_error('Greater than maximum');
            return FALSE;
        }
    }
    return TRUE;
}
The whole class is in this package I have started working on which intends to be
an application base for my PHP apps (I've cut session and permission handling
out of this one).
http://www.camerongreen.org/code/application_base.tar.gz
--
Cameron Green
cam () uq edu au
mb : 0414 972 726
wk : 33654012
"Fascism should more appropriately be called Corporatism because it is a merger
of State and corporate power." - Benito Mussolini (1883-1945)
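
The three checks discussed in this thread, run side by side over constructed inputs next to a stricter variant. This is an added example, not code from the posts; the names sane_integer_regex, sane_integer_numeric, sane_integer_type and strict_int are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical
// and the sample inputs are constructed.

// Regex variant from the quoted post. In PCRE, "$" also matches just before
// a trailing newline, so the pattern does not pin the end of the string.
function sane_integer_regex($val, $min, $max) {
    if (!preg_match('/^-?[0-9]+$/', $val)) return false;
    return !($val < $min || $val > $max);
}

// is_numeric() variant from the quoted post. is_numeric() also accepts
// decimal and exponent notation, not only integers.
function sane_integer_numeric($val, $min, $max) {
    if (!is_numeric($val)) return false;
    return !($val < $min || $val > $max);
}

// Type-based check in the style of check_integer(): is_integer() tests the
// PHP type, and request parameters arrive as strings.
function sane_integer_type($val, $min, $max) {
    return is_integer($val) && $val >= $min && $val <= $max;
}

// Stricter variant: \A and \z pin both ends of the string, then filter_var()
// converts and range-checks. Returns the validated int, or null on failure,
// so the caller works with the converted value instead of the raw input.
function strict_int($val, $min, $max) {
    if (!is_string($val) && !is_int($val)) return null;
    if (!preg_match('/\A-?[0-9]+\z/', (string) $val)) return null;
    $opts = array('options' => array('min_range' => $min, 'max_range' => $max));
    $int = filter_var((string) $val, FILTER_VALIDATE_INT, $opts);
    return $int === false ? null : $int;
}

// Constructed inputs: clean value, trailing newline, decimal, exponent,
// below range, too large for a native int, and a real PHP int.
$samples = array('42', "42\n", '4.2', '1e1', '-5', '99999999999999999999', 42);
foreach ($samples as $s) {
    printf("%-26s regex=%d numeric=%d type=%d strict=%s\n",
        json_encode($s),
        sane_integer_regex($s, 0, 100),
        sane_integer_numeric($s, 0, 100),
        sane_integer_type($s, 0, 100),
        var_export(strict_int($s, 0, 100), true));
}
```
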
