Newsgroups: php.internals
Subject: Re: [PHP-DEV] is_numeric_string causes function inconsistency
From: pierre.php@gmail.com (Pierre)
To: ceo@l-i-e.com
Cc: internals@lists.php.net
Date: Sat, 12 Aug 2006 23:17:04 +0200
In-Reply-To: <1520.209.254.223.2.1155416705.squirrel@www.l-i-e.com>

Hello,

> > This example has nothing to do with what we are discussing here. There
> > is no conversion or detection involved here. It is a simple string
> > concatenation.
>
> And yet, the way Matt W was talking at one point, it seemed he wanted
> to change that as well...
>
> Or perhaps I misunderstood.
>
> I still believe that the same rules should apply for type-juggling and
> is_numeric, for simplicity's sake.

That's not the same thing, there is no type juggling here.

> >> I never actually use is_numeric, and would expect it to follow the
> >> same "rules" as PHP's internal type-juggling mechanism.
> >>
> >> I believe leading spaces should NOT be allowed for type-juggling, not
> >> is_numeric, because GET/POST/COOKIE data should be subject to the most
> >> stringent constraints reasonable to avoid security injections.
> >
> > Any example?
>
> The one above?...
>
> http://example.com/?foo=%20.123
>
> Is $_GET['foo'] a valid number?
>
> I don't think it should be.
>
> I believe it is "wrong" to allow leading/trailing spaces on numeric
> data in any sort of auto-conversion or test for validity.

I was asking about a security problem. There is none.

Limiting the area of interest to input filtering is not a good idea; it is a very small part of what we are talking about.

I do not think arguing endlessly about leading/trailing spaces being valid or not will help. This is actually a very small problem (and easy to fix).

--Pierre
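The exchange above turns on what `is_numeric()` accepts for whitespace-padded input such as the decoded value of `?foo=%20.123`. The following script is an added example written for this archive page, not code from the thread or from PHP itself: it prints what `is_numeric()` returns for a few constructed inputs and places a stricter check beside it. The helper `is_strict_numeric()` and the sample list are assumptions of this example, chosen to show the whitespace cases the thread argues about.

```php
<?php
// Added example (not from the thread): compare is_numeric() with a strict
// numeric-string check that rejects any surrounding whitespace.
declare(strict_types=1);

// Strict numeric-string check: optional sign, decimal digits with an optional
// fraction, optional exponent. No leading/trailing whitespace, no hex or octal
// prefixes. \z anchors at the true end of the string, so a trailing newline is
// rejected too (a plain $ would match before it).
function is_strict_numeric(string $s): bool
{
    return preg_match('/^[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?\z/', $s) === 1;
}

// Constructed sample inputs, including the decoded query value from the mail.
$samples = [
    '123',                      // plain integer
    rawurldecode('%20.123'),    // " .123": leading space, accepted by is_numeric()
    '123 ',                     // trailing space: is_numeric() accepts this from PHP 8.0 on
    "123\n",                    // trailing newline, treated like other trailing whitespace
    '1e3',                      // exponent notation: numeric for both checks
    '0x1A',                     // hex prefix: not numeric since PHP 7.0
    'abc',
];

printf("%-12s %-11s %-18s\n", 'input', 'is_numeric', 'is_strict_numeric');
foreach ($samples as $s) {
    printf("%-12s %-11s %-18s\n",
        json_encode($s),
        var_export(is_numeric($s), true),
        var_export(is_strict_numeric($s), true));
}
```

Leading whitespace has always been accepted by `is_numeric()`; trailing whitespace is accepted from PHP 8.0 on, so the `'123 '` row differs between versions while `' .123'` is `true` everywhere. A regex anchored with `\z` is the simplest way to get a version-independent answer for "is this string a number with nothing else around it"; `filter_var()` validation filters trim surrounding whitespace before validating, so they are not a strict check in this sense either.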