On Sat, August 12, 2006 2:19 pm, Pierre wrote:
> On 8/12/06, Richard Lynch <[EMAIL PROTECTED]> wrote:
>
>> But I think you are talking about making changes to the way this
>> works:
>>
>> http://example.com/?foo=%20.123
>> <?php
>> $foo = $_GET['foo'];
>> if (is_numeric($foo)){
>>   //error out
>> }
>> $query = "something involving '$foo'";
>> ?>
>>
>> If you break that, you're in big trouble to a lot of scripts all over
>> the planet, which rely on the leading space to trap their SQL
>> problem.
>
> This example has nothing to do with what we are discussing here. There
> is no conversion or detection involved here. It is a simple string
> concatenation.
And yet, the way Matt W was talking at one point, it seemed he wanted
to change that as well... Or perhaps I misunderstood.

I still believe that the same rules should apply for type-juggling and
is_numeric, for simplicity's sake.

>> I never actually use is_numeric, and would expect it to follow the
>> same "rules" as PHP's internal type-juggling mechanism.
>>
>> I believe leading spaces should NOT be allowed for type-juggling, not
>> is_numeric, because GET/POST/COOKIE data should be subject to the most
>> stringent constraints reasonable to avoid security injections.
>
> Any example?

The one above?...

http://example.com/?foo=%20.123

Is $_GET['foo'] a valid number?

I don't think it should be.

I believe it is "wrong" to allow leading/trailing spaces on numeric data
in any sort of auto-conversion or test for validity.

>> While I don't think leading/trailing spaces are likely to constitute a
>> Security Issue, there is a Principle at work that I think should be
>> applied.
>
> Principle? which is? :)

Several, actually.

K.I.S.S. ==> type-juggling === is_numeric

leading/trailing spaces are not numeric

The security Principle is that of allowing only the minimal needed data
characters to be valid, rather than attempting to do something that's
be-all end-all.

Still along the lines of simplicity, is the Principle of only allowing
what you really WANT to be valid, instead of attempting to disallow what
might be invalid.

While adding leading/trailing spaces to what is considered 'valid' is
not anywhere near the realm of disallowing the invalid, it's like that
slippery slope of complexity that leads there, if you know what I
mean...

Does PHP *need* to allow leading/trailing spaces?

No.

Is there a userland simple solution if the application developer wants
to override the "Right Way"?

Yes.

I believe it is "wrong" to consider ' 123' as 'numeric' in type
juggling, and equally "wrong" for is_numeric() to return TRUE for that.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP Internals - PHP Runtime Development Mailing List
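As an added example (not code from the thread or from PHP itself), here is the "userland simple solution" side by side with is_numeric() on the inputs the thread argues about: a strict allow-list check that accepts only the characters a decimal number needs. strict_numeric(), fetch_by_id() and the sample values are constructed for this illustration, and PHP 7 or later is assumed.

```php
<?php
// Added example: compare PHP's is_numeric(), which accepts leading
// whitespace (and, from PHP 8.0, trailing whitespace too), with a strict
// allow-list validator in the spirit of the thread's "only allow what you
// really WANT to be valid".
// Assumption: PHP >= 7.0; exact is_numeric() results for trailing
// whitespace differ between PHP 7 and PHP 8, so run it to see your version.

function strict_numeric(string $s): bool
{
    // Optional minus sign, then digits with an optional fraction, or a bare
    // fraction such as ".123". No surrounding whitespace, no exponent, no
    // hex. \z (not $) anchors at the true end of the string, because $ in
    // PCRE also matches before a final newline, which would let "123\n" in.
    return (bool) preg_match('/^-?(?:\d+(?:\.\d*)?|\.\d+)\z/', $s);
}

// Constructed inputs modelled on the thread's ?foo=%20.123 example.
$samples = [' .123', '.123', '123', ' 123', '123 ', '1e3', "123\n", 'abc'];

printf("%-12s %-11s %s\n", 'input', 'is_numeric', 'strict_numeric');
foreach ($samples as $s) {
    printf("%-12s %-11s %s\n",
        var_export($s, true),
        var_export(is_numeric($s), true),
        var_export(strict_numeric($s), true));
}

// Defensive use of the validator: reject anything outside the allow-list
// before the value goes anywhere near a query, and bind it as a parameter
// instead of concatenating it into SQL (PDO shown; the connection and the
// items table are placeholders).
function fetch_by_id(PDO $db, string $raw): array
{
    if (!strict_numeric($raw)) {
        throw new InvalidArgumentException('not a plain decimal number');
    }
    $stmt = $db->prepare('SELECT * FROM items WHERE id = :id');
    $stmt->execute([':id' => $raw]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The table it prints shows ' .123' and ' 123' passing is_numeric() but failing strict_numeric(), which is exactly the gap the thread is about.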
