Newsgroups: php.internals
Subject: Re: [PHP-DEV] is_numeric_string causes function inconsistency
From: andrei@gravitonic.com (Andrei Zmievski)
Date: Mon, 14 Aug 2006 09:13:48 -0700
To: Pierre, Matt W
Cc: ceo@l-i-e.com, "internals@lists.php.net Internals"
Message-ID: <5e42dfb48493eb40e0c58c75fda75de9@gravitonic.com>

Guys,

I can't keep following endless (and large) email threads about things like that. Could you please work together on a more formal proposal taking into consideration existing state, BC, any potential future issues etc? If you need some guidelines, I quite like how Python PEPs do it [1]. Once we have something like that in front of us, we can evaluate it much more effectively.

Thanks.

-Andrei

[1] http://www.python.org/dev/peps/pep-0001/#what-belongs-in-a-successful-pep

On Aug 12, 2006, at 2:17 PM, Pierre wrote:

> Hello,
>
>> > This example has nothing to do with what we are discussing here. There
>> > is no conversion or detection involved here. It is a simple string
>> > concatenation.
>>
>> And yet, the way Matt W was talking at one point, it seemed he wanted
>> to change that as well...
>>
>> Or perhaps I misunderstood.
>>
>> I still believe that the same rules should apply for type-juggling and
>> is_numeric, for simplicity's sake.
>
> That's not the same thing, there is no type juggling here.
>
>> >> I never actually use is_numeric, and would expect it to follow the
>> >> same "rules" as PHP's internal type-juggling mechanism.
>> >>
>> >> I believe leading spaces should NOT be allowed for type-juggling, not
>> >> is_numeric, because GET/POST/COOKIE data should be subject to the most
>> >> stringent constraints reasonable to avoid security injections.
>> >
>> > Any example?
>>
>> The one above?...
>>
>> http://example.com/?foo=%20.123
>>
>> Is $_GET['foo'] a valid number?
>>
>> I don't think it should be.
>>
>> I believe it is "wrong" to allow leading/trailing spaces on numeric
>> data in any sort of auto-conversion or test for validity.
>
> I was asking about a security problem. There is none. Limiting the
> area of interest to the input filtering is not a good idea, it is a very
> small part of what we are talking about. I do not think arguing
> endlessly about trailing/tailing spaces being valid or not will help.
> This is actually a very small problem (and easy to fix).
>
> --Pierre
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
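The quoted exchange asks whether `?foo=%20.123` should count as a valid number. As an added example (not code from the thread or from PHP itself), the script below contrasts PHP's lenient `is_numeric()`, which accepts leading whitespace (and trailing whitespace since PHP 8.0), with a strict validator applied at the request boundary; `is_strict_numeric` and `read_number` are hypothetical helper names, and the sample query values are constructed.

```php
<?php
declare(strict_types=1);

// Added example: a strict decimal check for request input. It accepts an
// optional sign, digits with an optional fraction (or a bare fraction like
// ".123"), and nothing else: no surrounding whitespace, no exponent, no hex.
function is_strict_numeric(string $s): bool
{
    return preg_match('/^[+-]?(?:\d+(?:\.\d*)?|\.\d+)$/', $s) === 1;
}

// Constructed sample query values, including the " .123" case from the
// thread (%20 decodes to a leading space).
$samples = [
    '.123',
    ' .123',   // leading space, as in ?foo=%20.123
    '.123 ',   // trailing space
    '1e3',     // exponent form
    '0x1A',    // hex-looking
    ' 42',
    '42',
];

printf("%-10s %-12s %-12s %s\n", 'input', 'is_numeric', 'strict', 'as_number');
foreach ($samples as $s) {
    // The (float) cast shows what PHP's own type juggling makes of the string.
    printf("%-10s %-12s %-12s %s\n",
        var_export($s, true),
        var_export(is_numeric($s), true),
        var_export(is_strict_numeric($s), true),
        var_export((float) $s, true));
}

// Validation at the boundary: reject the value rather than silently juggle it.
function read_number(array $query, string $key): ?float
{
    $raw = $query[$key] ?? null;
    if (!is_string($raw) || !is_strict_numeric($raw)) {
        return null; // caller treats null as invalid input
    }
    return (float) $raw;
}

var_dump(read_number(['foo' => ' .123'], 'foo')); // rejected by the strict check
var_dump(read_number(['foo' => '.123'], 'foo'));
```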