Newsgroups: php.internals
From: ceo@l-i-e.com ("Richard Lynch")
To: internals@lists.php.net
Date: Sat, 12 Aug 2006 16:05:05 -0500 (CDT)
Subject: Re: [PHP-DEV] is_numeric_string causes function inconsistency
Message-ID: <1520.209.254.223.2.1155416705.squirrel@www.l-i-e.com>
References: <005101c6b930$83f30b30$0201a8c0@pc1> <00fa01c6bd37$d61d1940$0201a8c0@pc1> <5580.67.108.68.40.1155322579.squirrel@www.l-i-e.com> <002901c6bde3$f3805ea0$0201a8c0@pc1> <1133.209.254.223.2.1155409859.squirrel@www.l-i-e.com>

On Sat, August 12, 2006 2:19 pm, Pierre wrote:
> On 8/12/06, Richard Lynch wrote:
>
>> But I think you are talking about making changes to the way this
>> works:
>>
>> http://example.com/?foo=%20.123
>> <?php
>> $foo = $_GET['foo'];
>> if (is_numeric($foo)){
>>   //error out
>> }
>> $query = "something involving '$foo'";
>> ?>
>>
>> If you break that, you're in big trouble to a lot of scripts all over
>> the planet, which rely on the leading space to trap their SQL
>> problem.
>
> This example has nothing to do with what we are discussing here. There
> is no conversion or detection involved here. It is a simple string
> concatenation.

And yet, the way Matt W was talking at one point, it seemed he wanted to
change that as well... Or perhaps I misunderstood.

I still believe that the same rules should apply for type-juggling and
is_numeric, for simplicity's sake.

>> I never actually use is_numeric, and would expect it to follow the
>> same "rules" as PHP's internal type-juggling mechanism.
>>
>> I believe leading spaces should NOT be allowed for type-juggling, nor
>> is_numeric, because GET/POST/COOKIE data should be subject to the most
>> stringent constraints reasonable to avoid security injections.
>
> Any example?

The one above?...

http://example.com/?foo=%20.123

Is $_GET['foo'] a valid number?

I don't think it should be.

I believe it is "wrong" to allow leading/trailing spaces on numeric data in
any sort of auto-conversion or test for validity.

>> While I don't think leading/trailing spaces are likely to constitute a
>> Security Issue, there is a Principle at work that I think should be
>> applied.
>
> Principle? which is? :)

Several, actually.

K.I.S.S. ==> type-juggling === is_numeric

leading/trailing spaces are not numeric

The security Principle is that of allowing only the minimal needed data
characters to be valid, rather than attempting to do something that's the
be-all and end-all.

Still along the lines of simplicity, is the Principle of only allowing what
you really WANT to be valid, instead of attempting to disallow what might be
invalid.

While adding leading/trailing spaces to what is considered 'valid' is not
anywhere near the realm of disallowing the invalid, it's like that slippery
slope of complexity that leads there, if you know what I mean...

Does PHP *need* to allow leading/trailing spaces?

No.

Is there a userland simple solution if the application developer wants to
override the "Right Way"?

Yes.

I believe it is "wrong" to consider ' 123' as 'numeric' in type juggling,
and equally "wrong" for is_numeric() to return TRUE for that.

-- 
Like Music?
http://l-i-e.com/artists.htm
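The allow-list check the post argues for, written out as an added example (this is not code from the post, the thread, or PHP itself). It runs is_numeric() side by side with a strict "sign, digits, one decimal point, nothing else" check over constructed inputs, including the " .123" case from the thread. It assumes PHP 8.x: is_numeric() has always accepted leading whitespace, and since PHP 8.0 it also accepts trailing whitespace. The function names is_strict_numeric() and numeric_param(), the regular expression, and the $samples table are this example's own choices.

```php
<?php
// Added example, not code from the original post. Assumes PHP 8.x.
declare(strict_types=1);

/**
 * Allow-list check in the spirit of the post: a parameter is numeric only if
 * it is an optional sign, digits, and at most one decimal point. No leading
 * or trailing whitespace, no exponent, no hex, no locale separators.
 * \A and \z anchor to the true start and end of the string; a trailing "$"
 * would also match before a final newline and let "123\n" through.
 * This function and its pattern are this example's own choice.
 */
function is_strict_numeric(string $s): bool
{
    return preg_match('/\A[+-]?(?:\d+(?:\.\d*)?|\.\d+)\z/', $s) === 1;
}

/**
 * Fetch a request parameter as a validated numeric string, or null.
 * The caller is expected to bind the result as a query parameter rather
 * than interpolate it into SQL; the check is about not trusting the input's
 * shape, not a substitute for prepared statements.
 */
function numeric_param(array $request, string $key): ?string
{
    if (!isset($request[$key]) || !is_string($request[$key])) {
        return null;
    }
    return is_strict_numeric($request[$key]) ? $request[$key] : null;
}

// Constructed inputs standing in for $_GET['foo'] after URL decoding.
$samples = [
    '123'     => 'plain integer',
    ' .123'   => 'leading space, the ?foo=%20.123 case from the thread',
    '123 '    => 'trailing space',
    "123\n"   => 'trailing newline',
    '1e3'     => 'exponent',
    '0x1A'    => 'hex',
    '12 3'    => 'embedded space',
    '.5'      => 'leading decimal point',
    '-7.25'   => 'negative decimal',
    ''        => 'empty string',
];

printf("%-12s %-11s %-7s %s\n", 'input', 'is_numeric', 'strict', 'note');
foreach ($samples as $input => $note) {
    // PHP turns integer-like array keys into ints; restore the string form.
    $input = (string) $input;
    printf(
        "%-12s %-11s %-7s %s\n",
        json_encode($input),
        is_numeric($input) ? 'true' : 'false',
        is_strict_numeric($input) ? 'true' : 'false',
        $note
    );
}

// Using the validated value: bind it, never concatenate it into the query.
$fake_get = ['foo' => ' .123'];   // constructed request, not a real $_GET
$foo = numeric_param($fake_get, 'foo');
if ($foo === null) {
    echo "rejected: " . json_encode($fake_get['foo']) . "\n";
} else {
    // $stmt = $pdo->prepare('SELECT ... WHERE col = :foo');
    // $stmt->execute(['foo' => $foo]);
    echo "accepted: $foo\n";
}
```

Run with `php example.php`. The table makes the post's point concrete: is_numeric() says yes to the leading-space and exponent forms (and, on PHP 8, to trailing whitespace), while the allow-list says yes only to the forms the application actually wants. Whichever check is used, the value still belongs in a bound parameter, not in a concatenated query string.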