From a388312c61d3e2dd23ccf55441505c1d42219b14 Mon Sep 17 00:00:00 2001 From: wbond Date: Wed, 1 Dec 2010 03:40:04 +0000 Subject: [PATCH] BackwardsCompatibilityBreak - fRequest::get() now strips out low bytes characters if no `$cast_to`, or if a `string` or `array` `$cast_to` is specified. Using the new `binary` `$cast_to` will leave all bytes intact. Completed ticket #486 - added the `binary` type to fRequest::get(). Completed ticket #533 - fRequest::get() will cast all strings of digits in the range of PHP integer type to such an integer when the `integer` or `int` `$cast_to` is specified. If the integer is beyond the range, a string of the digits will be returned. fRequest::get() can be forced to always return a true integer by passing `integer!`. --- classes/fActiveRecord.php | 6 ++++-- classes/fRequest.php | 34 +++++++++++++++++++++++++++------- 2 files changed, 31 insertions(+), 9 deletions(-) diff --git a/classes/fActiveRecord.php b/classes/fActiveRecord.php index c1a5f4c6..787ad061 100644 --- a/classes/fActiveRecord.php +++ b/classes/fActiveRecord.php @@ -15,7 +15,8 @@ * @package Flourish * @link http://flourishlib.com/fActiveRecord * - * @version 1.0.0b73 + * @version 1.0.0b74 + * @changes 1.0.0b74 Updated ::populate() to use the `binary` type for fRequest::get() [wb, 2010-11-30] * @changes 1.0.0b73 Backwards Compatibility Break - changed column set methods to treat strings of all whitespace the same as empty string and convert them to `NULL` [wb, 2010-11-29] * @changes 1.0.0b72 Added the new `comment` element to the reflection signature for `inspect` methods [wb, 2010-11-28] * @changes 1.0.0b71 Updated class to use fORM::getRelatedClass() [wb, 2010-11-24] 
@@ -2024,7 +2025,8 @@ public function populate() foreach ($column_info as $column => $info) { if (fRequest::check($column)) { $method = 'set' . fGrammar::camelize($column, TRUE); - $this->$method(fRequest::get($column)); + $cast_to = ($info['type'] == 'blob') ? 'binary' : NULL; + $this->$method(fRequest::get($column, $cast_to)); } } diff --git a/classes/fRequest.php b/classes/fRequest.php index a641cb43..89a2ef0d 100644 --- a/classes/fRequest.php +++ b/classes/fRequest.php @@ -16,7 +16,8 @@ * @package Flourish * @link http://flourishlib.com/fRequest * - * @version 1.0.0b15 + * @version 1.0.0b16 + * @changes 1.0.0b16 Backwards Compatiblity Break - changed ::get() to remove binary characters when casting to a `string`, changed `int` and `integer` to cast to a real integer when possible, added new types of `binary` and `integer!` [wb, 2010-11-30] * @changes 1.0.0b15 Added documentation about `[sub-key]` syntax, added `[sub-key]` support to ::check() [wb, 2010-09-12] * @changes 1.0.0b14 Rewrote ::set() to not require recursion for array syntax [wb, 2010-09-12] * @changes 1.0.0b13 Fixed ::set() to work with `PUT` requests [wb, 2010-06-30] @@ -244,7 +245,8 @@ static public function generateCSRFToken($url=NULL) * become `NULL`. * * Valid `$cast_to` types include: - * - `'string'`, + * - `'string'` + * - `'binary'` * - `'int'` * - `'integer'` * - `'bool'` 
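Review bot: In `populate()` (classes/fActiveRecord.php) the new `$cast_to` line has no comment saying why `blob` columns are singled out, and the reason lives in another file: per this commit, `fRequest::get()` now strips bytes below 32 and cleans UTF-8 unless `binary` is requested. I would add `// Blob columns hold raw bytes - skip the string cleaning fRequest::get() applies by default` above it, and compare with `===`, since `$info['type']` is presumably always a string. Because the `binary` path hands the request value through unfiltered, it is worth confirming that the setters for blob columns never treat that value as text. `populate()` starts and ends outside this hunk.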
@@ -258,8 +260,21 @@ static public function generateCSRFToken($url=NULL) * whenever the `$key` was not specified in the request, or if the value * was a blank string. * - * All text values are interpreted as UTF-8 string and appropriately - * cleaned. + * All `string`, `array` or unspecified `$cast_to` will result in the value(s) + * being interpreted as UTF-8 string and appropriately cleaned of invalid + * byte sequences. Also, all low-byte, non-printable characters will be + * stripped from the value. This includes all bytes less than the value of + * 32 (Space) other than Tab (`\t`), Newline (`\n`) and Cariage Return + * (`\r`). + * + * To preserve low-byte, non-printable characters, or get the raw value + * without cleaning invalid UTF-8 byte sequences, plase use the value of + * `binary` for the `$cast_to` parameter. + * + * Any integers that are beyond the range of 32bit storage will be returned + * as a string. The returned value can be forced to always be a real + * integer, which may cause truncation of the value, by passing `integer!` + * as the `$cast_to`. * * @param string $key The key to get the value of - array elements can be accessed via `[sub-key]` syntax * @param string $cast_to Cast the value to this data type - see method description for details 
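Review bot: The added paragraph on integers says values "beyond the range of 32bit storage" are returned as strings, but the check this commit adds to `get()` (`strval(intval($value)) == $value`) follows the platform's integer size, so on a 64-bit build the cut-off is far higher. Wording such as `beyond the range of PHP's native integer on the running platform (PHP_INT_MAX)` would match the code. The `binary` paragraph could also state plainly that the value comes back with no UTF-8 validation and no control-character stripping, so callers must handle it as untrusted raw bytes. Two spelling slips in the added lines: `Cariage` should be `Carriage` and `plase` should be `please`. The docblock continues outside this hunk.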
@@ -354,15 +369,20 @@ static public function get($key, $cast_to=NULL, $default_value=NULL) } } elseif (($cast_to == 'int' || $cast_to == 'integer') && preg_match('#^-?\d+$#D', $value)) { - // If the cast is an integer and the value is digits, don't cast to prevent - // truncation due to 32 bit integer limits + // Only explicitly cast integers than can be represented by a real + // PHP integer to prevent truncation due to 32 bit integer limits + if (strval(intval($value)) == $value) { + $value = (int) $value; + } - } elseif ($cast_to) { + } elseif ($cast_to != 'binary' && $cast_to !== NULL) { + $cast_to = str_replace('integer!', 'integer', $cast_to); settype($value, $cast_to); } // Clean values coming in to ensure we don't have invalid UTF-8 if (($cast_to === NULL || $cast_to == 'string' || $cast_to == 'array') && $value !== NULL) { + $value = preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]#', '', $value); $value = fUTF8::clean($value); }
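Review bot: The new `preg_replace()` call runs on `$value` even when it is an array, because the guard admits `$cast_to == 'array'` and `NULL`, and `preg_replace()` only walks one level of an array subject. A nested request value such as `key[a][b]` would therefore have its inner arrays turned into the string `Array` before `fUTF8::clean()` sees them; stripping should apply to string leaves only, recursing into arrays, as sketched below (the helper name is only a suggestion). Separately, `strval(intval($value)) == $value` is a loose comparison of two numeric strings, which PHP evaluates numerically; on PHP versions that compare overflowing digit strings as floats, a value just past the 64-bit limit can test equal and be cast to a clamped integer. A byte-wise comparison avoids that, though a plain `===` would also stop casting inputs with leading zeros, so the intended handling of `007` needs deciding. The body of `get()` starts and ends outside this hunk.

```php
// … unchanged: bool / integer / settype casting branches …
if (($cast_to === NULL || $cast_to == 'string' || $cast_to == 'array') && $value !== NULL) {
    $value = self::stripLowBytes($value);
    $value = fUTF8::clean($value);
}

// Suggested private helper on fRequest: removes control bytes from string
// leaves and recurses into arrays so nested values keep their structure
static private function stripLowBytes($value)
{
    if (is_array($value)) {
        foreach ($value as $key => $sub_value) {
            $value[$key] = self::stripLowBytes($sub_value);
        }
        return $value;
    }
    return preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]#', '', $value);
}
```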