
Piwik_Common::sanitizeInputValues (and by extension getRequestVar) treats values like "1%6" or "3ab4" as integers #962

Closed
mgc8 opened this Issue · 4 comments

2 participants

Mihnea-Costin Grigore Anthon Pang
Mihnea-Costin Grigore

The following type of comparison in sanitizeInputValues() is used to ascertain if a string value is actually a string:

if(is_int($value) || $value==(int)$value) $ok = true;

However, the following comparisons are true at least in PHP 5.2.10:

"1%6" == 1

"3ab4" == 3

Apparently the typecasting engine always returns the first "number" part of the string, regardless of the rest; if the first character is not a number, the return will be 0.

I suggest the following modification to solve the issue:

if(is_int($value) || (string)$value==(string)((int)$value)) $ok = true;

This will assure that the comparisons will not be made between a string and an integer directly, thus avoiding the bug.

Keywords: sanitizeInputValues, getRequestVar, sanitize, int, string

Anthon Pang
Collaborator

Since $_GET and $_POST values are strings, don't is_int() and is_float() always fail?

Could we simplify this? Is there a preference in terms of readability and/or performance?

if(is_numeric($value) && is_int((int)$value))  $ok = true;
if((string)$value == (string)(int)$value)  $ok = true;
Anthon Pang
Collaborator

scratch my example

What about this?

if(is_numeric($value) && ($value == (string)(int)$value))  $ok = true;
Anthon Pang
Collaborator

Ok, the is_numeric() appears to be redundant and a waste of CPU cycles...

Anthon Pang
Collaborator

In [1452], fix detection of malformed 'integer' and 'float' values

Mihnea-Costin Grigore mgc8 added this to the Piwik 0.4.4 milestone
This issue was closed.
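Added example, not code from the issue or from Piwik: it runs the original check, the reporter's string-cast proposal and Anthon Pang's is_numeric() variant over the inputs cited in the report plus a few well-formed and edge-case strings. The function names are assumptions of this example; the loose comparison in the original check behaves as the report describes on PHP 5.x and 7.x, while PHP 8.0 changed how non-numeric strings compare with integers, so the first column differs there.

```php
<?php
// Added example: side-by-side comparison of the three "is this an integer?"
// checks discussed in this issue. Function names are assumptions, not Piwik's.

/** Original sanitizeInputValues() check: loose comparison against an (int) cast. */
function isIntOriginal($value)
{
    // On PHP < 8, "1%6" == 1 is true because the leading digits are used.
    return is_int($value) || $value == (int)$value;
}

/** Reporter's proposal: compare string representations, never string vs int. */
function isIntStringCast($value)
{
    // "1%6" -> (int) 1 -> "1", which is not the string "1%6", so it is rejected.
    // Note this also rejects "07" (casts to "7"), which may or may not be wanted.
    return is_int($value) || (string)$value == (string)((int)$value);
}

/** Anthon Pang's variant: is_numeric() guard plus a loose string comparison. */
function isIntNumericGuard($value)
{
    // is_numeric() rejects "1%6" and "3ab4" outright. Two numeric strings are
    // still compared numerically, so "07" == "7" is true and "07" is accepted.
    return is_numeric($value) && ($value == (string)(int)$value);
}

// Constructed inputs: the two strings from the report plus extra cases.
$inputs = array('1%6', '3ab4', '42', '-7', '0', '07', '', 'abc', '1.5');

printf("%-8s %-10s %-10s %-10s\n", 'input', 'original', 'strcast', 'numguard');
foreach ($inputs as $value) {
    printf("%-8s %-10s %-10s %-10s\n",
        var_export($value, true),
        var_export(isIntOriginal($value), true),
        var_export(isIntStringCast($value), true),
        var_export(isIntNumericGuard($value), true));
}
```

On PHP 5.2 through 7.x the first column reports true for '1%6', '3ab4', '07', '' and 'abc', which is the bug the report describes; the other two columns reject the malformed strings and differ only on '07'.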