Piwik_Common::sanitizeInputValues (and by extension getRequestVar) treats values like "1%6" or "3ab4" as integers #962

mgc8 opened this Issue Sep 2, 2009 · 4 comments

2 participants

mgc8 commented Sep 2, 2009

The following type of comparison in sanitizeInputValues() is used to ascertain if a string value is actually a string:

if(is_int($value) || $value==(int)$value) $ok = true;

However, the following comparisons are true at least in PHP 5.2.10:

"1%6" == 1

"3ab4" == 3

Apparently the typecasting engine always returns the first "number" part of the string, regardless of the rest; if the first character is not a number, the return will be 0.

I suggest the following modification to solve the issue:

if(is_int($value) || (string)$value==(string)((int)$value)) $ok = true;

This will assure that the comparisons will not be made between a string and an integer directly, thus avoiding the bug.

Keywords: sanitizeInputValues, getRequestVar, sanitize, int, string


Since $_GET and $_POST values are strings, don't is_int() and is_float() always fail?

Could we simplify this? Is there a preference in terms of readability and/or performance?

if(is_numeric($value) && is_int((int)$value))  $ok = true;
if((string)$value == (string)(int)$value)  $ok = true;

Scratch my example.

What about this?

if(is_numeric($value) && ($value == (string)(int)$value))  $ok = true;

OK, the is_numeric() appears to be redundant and a waste of CPU cycles...


In [1452], fix detection of malformed 'integer' and 'float' values
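To make the difference between the original loose check and the string-to-string comparison proposed in this thread visible side by side, here is an added PHP script (not Piwik's code, and not the change in [1452]). The function names and the sample inputs are constructed for the illustration; the loose-check results assume PHP 5 or 7, because PHP 8 changed string/int comparison so that non-numeric strings no longer compare equal to integers.

```php
<?php
// Added illustration of the two checks discussed in this issue; not Piwik's own code.
// looksLikeIntLoose() is the comparison quoted from sanitizeInputValues();
// looksLikeIntStrict() is the string-to-string form proposed in the thread.

function looksLikeIntLoose($value)
{
    // Original check. On PHP 5/7 a leading-numeric string such as "1%6"
    // is compared numerically with (int)"1%6" === 1 and is accepted.
    return is_int($value) || $value == (int)$value;
}

function looksLikeIntStrict($value)
{
    // Proposed fix: both sides become strings, so "1%6" is compared with "1"
    // and rejected. Using === rather than == additionally stops PHP from
    // treating two numeric strings such as "1e1" and "10" as equal.
    return is_int($value) || (string)$value === (string)(int)$value;
}

// Constructed sample inputs, shaped like $_GET / $_POST values (always strings).
$samples = array("12", "-5", "0", "1%6", "3ab4", "abc", "007", "12.0", " 12", "1e1");

printf("%-8s %-6s %-6s\n", "input", "loose", "strict");
foreach ($samples as $value) {
    printf("%-8s %-6s %-6s\n",
        var_export($value, true),
        looksLikeIntLoose($value) ? "true" : "false",
        looksLikeIntStrict($value) ? "true" : "false");
}
```

On PHP 7 the loose column is true for every sample, including "1%6", "3ab4" and "abc", while the strict column accepts only "12", "-5" and "0".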

@mgc8 mgc8 added this to the Piwik 0.4.4 milestone Jul 8, 2014
This issue was closed.