Newsgroups: php.internals
Xref: news.php.net php.internals:25332
From: pierre.php@gmail.com (Pierre)
To: ceo@l-i-e.com
Cc: "Matt W", internals@lists.php.net
Date: Sat, 12 Aug 2006 21:19:14 +0200
Subject: Re: [PHP-DEV] is_numeric_string causes function inconsistency
In-Reply-To: <1133.209.254.223.2.1155409859.squirrel@www.l-i-e.com>
References: <005101c6b930$83f30b30$0201a8c0@pc1> <00fa01c6bd37$d61d1940$0201a8c0@pc1> <5580.67.108.68.40.1155322579.squirrel@www.l-i-e.com> <002901c6bde3$f3805ea0$0201a8c0@pc1> <1133.209.254.223.2.1155409859.squirrel@www.l-i-e.com>

Hello,

On 8/12/06, Richard Lynch wrote:
> But I think you are talking about making changes to the way this works:
>
> http://example.com/?foo=%20.123
>
> <?php
> $foo = $_GET['foo'];
> if (is_numeric($foo)) {
>     // error out
> }
> $query = "something involving '$foo'";
> ?>
>
> If you break that, you're in big trouble to a lot of scripts all over
> the planet, which rely on the leading space to trap their SQL problem.

This example has nothing to do with what we are discussing here. There is
no conversion or detection involved here. It is a simple string
concatenation.

> I never actually use is_numeric, and would expect it to follow the
> same "rules" as PHP's internal type-juggling mechanism.
>
> I believe leading spaces should NOT be allowed for type-juggling, not
> is_numeric, because GET/POST/COOKIE data should be subject to the most
> stringent constraints reasonable to avoid security injections.

Any example?

> While I don't think leading/trailing spaces are likely to constitute a
> Security Issue, there is a Principle at work that I think should be
> applied.

Principle? Which is? :)

--Pierre
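The whitespace behaviour argued over in this thread, as an added example that is not part of the original message or of PHP's own sources: it probes how is_numeric() treats surrounding whitespace on a few constructed inputs, then shows a validator that does not depend on that rule at all and passes the value as a bound parameter instead of interpolating it into SQL text. The PDO connection, the `orders` table and the `fetchByAmount` helper are assumptions made for the example.

```php
<?php
// Added example (not from the thread): is_numeric() and surrounding whitespace,
// beside a check that does not rely on is_numeric()'s whitespace rule.

/**
 * Run is_numeric() over whitespace variants of one value.
 * The $samples list is constructed for this example.
 */
function probeIsNumeric(): array
{
    $samples = [
        '.123',      // plain numeric string
        ' .123',     // leading space, what ?foo=%20.123 decodes to
        '.123 ',     // trailing space (rejected before PHP 8.0, accepted since)
        "\t.123",    // leading tab is whitespace too
        '1e3',       // exponent notation counts as numeric
        '12abc',     // not numeric at all
    ];
    $out = [];
    foreach ($samples as $s) {
        $out[$s] = is_numeric($s);
    }
    return $out;
}

/**
 * Stricter validation: accept only an unpadded, unsigned decimal literal.
 * Whitespace, signs and exponents are rejected by the pattern itself, so the
 * outcome is the same whatever rule is_numeric() applies in a given PHP version.
 */
function isStrictDecimal(string $s): bool
{
    return preg_match('/\A(?:\d+\.?\d*|\.\d+)\z/', $s) === 1;
}

/**
 * Use the validated value as a bound parameter rather than building SQL text
 * from it; the query structure then cannot be influenced by the input.
 * $pdo is assumed to be an open PDO connection (hypothetical schema).
 */
function fetchByAmount(PDO $pdo, string $raw): array
{
    if (!isStrictDecimal($raw)) {
        throw new InvalidArgumentException('amount must be an unpadded decimal');
    }
    $stmt = $pdo->prepare('SELECT id FROM orders WHERE amount = :amount');
    $stmt->execute([':amount' => $raw]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Show the two checks side by side on the constructed inputs.
foreach (probeIsNumeric() as $input => $result) {
    printf(
        "is_numeric(%s) => %s, isStrictDecimal => %s\n",
        var_export($input, true),
        var_export($result, true),
        var_export(isStrictDecimal($input), true)
    );
}
```

Running the script prints one line per sample so the two checks can be compared directly; the leading-space case is the one the quoted script depends on, and the strict validator rejects it regardless of how is_numeric() is changed.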