MakeWebGames

Posted

OK,

I was looking for a few mods and found one of these codes for securing this $_GET:

$_GET['ID'] = isset($_GET['ID']) && ctype_digit($_GET['ID']) ? abs((int) $_GET['ID']) : false;

Why?

I don't get why people use this to secure the ID, or numbers etc., like ( : false; ). I thought this was only good to use with $_GET['action']. If someone can explain why you want to add this on the end, please mention it.

isset & ctype_digit

I think some people are trying to show off (somehow).

$_GET['id'] = (abs((int)$_GET['id'])); (for user table)

It's quite annoying. :/ Anyone Agree?

Posted
Well, isset() checks if the $_GET[var] is set, but that's self explanatory. ctype_digit() checks if the value is numerical. ABS is short for Absolute, and checks if the number is a (+ or Positive) number, and (int) means integer. As far as annoying goes, whether it be annoying or not, it is an effective method.
Posted

It's not annoying it's (like Aurora078 said) effective.

However, there are many ways you can check for a number;

$_GET['var'] += 0; // arithmetic forces a numeric value (a non-numeric string throws a TypeError on PHP 8)

if (isset($_GET['var']) && filter_var($_GET['var'], FILTER_VALIDATE_INT) !== false) {
   // compare against false explicitly, otherwise a valid "0" is rejected
   $_GET['var'] = abs(filter_var($_GET['var'], FILTER_SANITIZE_NUMBER_INT));
} else {
   // FAIL: not an integer
}

are just two I use. I don't usually go for the whole:

$_GET['action'] = isset($_GET['action']) && is_string($_GET['action']) ? strtolower(trim($_GET['action'])) : false;

as it's not my preference to do so.

However it's all down to your preference, generally when it comes down to this there isn't a wrong and right way to do it.

Posted

The method you've posted, Naruto, is a ternary operator method.

It's exactly the same as using the method followed:

 

if(isset($_GET['ID']) && ctype_digit($_GET['ID'])) {
//
} else {
///
}

 

^ ^ This is not my example of ternary!

You get the idea, it won't affect the code any more than doing it with other methods, like Djkanna has displayed.

Posted

If it works, it works. What gets to me is when people copy and paste it to the top of a file and assume it's secure:

 

 
$_GET['name'] = isset($_GET['name']) && ctype_digit($_GET['name']) ? abs((int) $_GET['name']) : false;

 

it's secure now

Posted
You have a valid point. Although that thing would be completely useless, considering $_GET['name'] is probably alphabetical, and ctype_digit, abs() and (int) are only for numbers..
Posted
what gets to me is when people copy and paste it to the top of a file and assume its secure

 

The point was it was wrong, but I have seen people do it and then wonder why it fails to work.

Here it is (kinda) valid for text :)

 

$_GET['name'] = isset($_GET['name']) && is_string($_GET['name']) ? strtolower(trim($_GET['name'])) : false;
Posted

 

Could always use ctype_alpha($_GET['name']) as well, but good example of something that is useful, but is not gonna fix your whole page in one click.

Posted

Security is not fixed by "one click". Anyhow, if you use mysqli correctly, all those would not be needed, or if you escape your SQL strings correctly, you will not need to worry about SQL injection. That doesn't mean however that all is secure. For example, imagine you read your private messages with something like

read.php?id=20001

Now what will happen if somebody changes the id to something else? Well, there is a big chance that you will be able to access someone else's private message. That's also a security issue. So to fix that you will need to ensure in your code / query that the message you will display is indeed for the active user.

That's a simple example of what security could be, and what is not covered by simply "securing" the GET parameters.
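Alain's ownership check above, as an added example that is not code from the thread: an in-memory SQLite table with two constructed messages stands in for the real database (this assumes the pdo_sqlite extension is available), and the query binds both the message id and the active user's id, so a guessed id returns nothing.

```php
<?php
// Added example, not from the thread. Constructed data: two messages, one per user.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, recipient_id INTEGER NOT NULL, subject TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO messages (id, recipient_id, subject) VALUES (?, ?, ?)');
$ins->execute([20001, 1, 'hello user 1']);
$ins->execute([20002, 2, 'hello user 2']);

// Validate the id the way the thread does (string of digits only), then bind
// BOTH the id and the active user's id. The row only comes back if it is
// addressed to the caller; bound parameters also make escaping unnecessary.
function read_message(PDO $db, $raw_id, int $active_user): ?array
{
    // $_GET values may be arrays (?id[]=1), so check is_string before ctype_digit
    if (!is_string($raw_id) || !ctype_digit($raw_id)) {
        return null;                                   // not a plain unsigned integer
    }
    $stmt = $db->prepare('SELECT id, subject FROM messages WHERE id = ? AND recipient_id = ? LIMIT 1');
    $stmt->execute([(int) $raw_id, $active_user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // One answer for "missing" and "not yours": the caller learns nothing
    // about ids that exist but belong to someone else.
    return $row === false ? null : $row;
}

// Simulated read.php?id=... requests with user 1 logged in (constructed inputs).
foreach (['20001', '20002', '20002abc', '99999'] as $id) {
    $row = read_message($db, $id, 1);
    printf("id=%-10s -> %s\n", $id, $row === null ? 'denied / not found' : 'subject: ' . $row['subject']);
}
```

Only the first request returns a row; the other user's message, the malformed id and the non-existent id all get the same answer.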

Posted
Very true, Alain (I think that's your name...).

Posted

I've never used abs() for security, that's just a bit dumb isn't it? Correct me if I am wrong, but abs() will not always give you a result you're after. A simple preg_replace with (int) will give you an INT without trailing 0's; abs() on the other hand can be really retarded with cleaning up INTs depending on what you're after.

 

function filter_int( $val, $negatives = false ){
   // hyphen moved to the end of the class: "[^0-9-\s]" is an invalid range
   // under PCRE2 (PHP 7.3+) and preg_replace() would fail to compile it
   $regex = ($negatives) ? "/[^0-9\s-]/" : "/[^0-9\s]/" ;
   return (int)preg_replace( $regex, "", $val );
}

 

echo filter_int( '00h-h3Ll0' ); // 30
echo abs( '00h-h3Ll0' ); // 0

 

echo filter_int( '3g33' ); // 333
echo abs( '3g33' ); // 3

 

echo filter_int( '-11abc', true ); // -11
echo abs( '-11abc' ); // 11

 

echo filter_int( 'a-s200abc', true ); // -200
echo abs( 'a-s200abc' ); // 0

 

So, what exactly is the advantage of using abs() over what I am doing? :huh:

Posted
$_GET['ID'] = isset($_GET['ID']) && ctype_digit($_GET['ID']) ? abs((int) $_GET['ID']) : false;

This code is redundant. Simply using ctype_digit to check the number will make sure that the value is an absolute integer, since ctype_digit only allows number characters. In other words, what that code is doing is 'if $_GET['id'] is an absolute integer, set it to an absolute integer'. Something less redundant:

if (!ctype_digit($_GET['id'])) { $_GET['id'] = false; }

 

So use either ctype_digit OR abs(intval()), no need for both. (technicallyyyyy what I said above isn't true, see if you can spot the error. But practically, it's fine in php thanks to its type system)

 

LordDan: Your regex checks a character set. Negative numbers have a strict standard for where the negative sign is: in front.

So your regex will match -123 but will also allow 12-3---.

As for advantages of abs over your method, regex is much slower than a simple number function, and far too overqualified for its task. There are functions like abs to be used for a reason. Regex is for more advanced pattern matching.
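The checks argued over in this thread (the first post's ctype_digit line, Djkanna's filter_var version, a plain (int) cast, and a sign-in-front regex as Ross describes it) run over the same constructed inputs, as an added example that is not code from the thread; the function names are my own.

```php
<?php
// Added example, not from the thread: the checks discussed above applied
// to the same constructed inputs. Function names are assumptions of mine.
// Note: $_GET values can also be arrays (?id[]=1); the is_string() check
// from the thread belongs in front of any of these.

// Unsigned decimal string only (what the thread's ctype_digit() line enforces).
// null on rejection, so a legitimate id of 0 is not confused with "bad input".
function id_from_ctype(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

// FILTER_VALIDATE_INT: allows an optional leading sign and surrounding
// whitespace, rejects leading zeros, hex, exponents and out-of-range values.
function id_from_filter(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Signed integer with the sign only in front, the rule Ross describes; the
// character-class regex cannot express this and lets "12-3---" through.
function id_from_regex(string $raw): ?int
{
    return preg_match('/^-?[0-9]+\z/', $raw) === 1 ? (int) $raw : null;
}

// Plain cast: salvages a leading number, turns junk into 0, saturates at PHP_INT_MAX.
function id_from_cast(string $raw): int
{
    return (int) $raw;
}

$show = fn (?int $v): string => $v === null ? 'reject' : (string) $v;
$samples = ['42', '-5', '007', ' 42', '12abc', '12-3---', '1e3', '0x1A', '', '99999999999999999999'];
printf("%-24s %20s %20s %20s %20s\n", 'input', 'ctype_digit', 'filter_var', 'regex', '(int) cast');
foreach ($samples as $s) {
    printf("%-24s %20s %20s %20s %20d\n", var_export($s, true),
        $show(id_from_ctype($s)), $show(id_from_filter($s)),
        $show(id_from_regex($s)), id_from_cast($s));
}
```

The table makes the disagreement concrete: only the cast ever "salvages" a value such as "12abc" or "1e3", which is exactly the behaviour abs() and (int) were being credited with, and the three validating checks disagree with each other on "-5", "007" and " 42".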

Posted
So your regex will match -123 but will also allow 12-3---

Hmm, I overlooked that. I wanted a way to allow negatives because I usually just use (int). I'm still not seeing the advantage of abs() though, any examples of when it's better than just (int)?

Posted

Not so much of an advantage, but abs is a different function from intval. Converting to int will still allow negative numbers. But for example, ID numbers in the database probably don't go into the negatives, so using abs is just an extra check that would be very useful.

Posted
i wanted a way to disallow negatives because i usually just use (int)

Sorry, my fault, I should learn to read what I type -_-

Anyway, I think I can see one advantage with the mention of Database IDs.. The majority of the time, abs(), for me above, returned 0 so long as the string didn't start with a valid INT, such as the "3g33" example.. This could be used to avoid an extra query, as there is no such thing as ID 0?

 

if( abs( $_GET['id'] ) == 0 ){
   exit( 'No such query ID');
} else {
   // the escaped username must sit inside quotes: unquoted it is a SQL syntax
   // error, and the escaping only protects a value that is inside a string literal
   $query = "SELECT id FROM users WHERE id=".abs($_GET['id'])." AND `username`='".mysql_real_escape_string($_SESSION['user'])."' LIMIT 1";
}

 

Am I on the right track here?

Posted
Don't nearly all databases use negative/zero ids?, or was that just being sarcastic, meaning it won't work..?

IDs using Auto Increment, for me, have always started at 1 in phpMyAdmin.. Which is what I was referring to. I've never seen 0 or negative ID rows myself.

Posted
Using auto increment, yes; not using it? Negative/0 rows usually, unless you use something that reads the last id and then adds 1, which is basically acting just like auto-increment.
